Google’s Threat Analysis Group (TAG) has published a report revealing that the APT41 group leveraged its open-source red teaming tool during an attack last year. The Google Command and Control (GC2) tool, a testing and debugging tool for Web Receiver applications, was abused to target a Taiwanese media organization.

Use of a red teaming tool

According to the report, Google’s TAG detected an attack campaign by the China-linked nation-state actor APT41 (aka HOODOO) in October 2022.
  • To initiate the attack, the attackers sent phishing emails with links to password-protected files hosted on Google Drive.
  • The payload dropped was the GC2 tool, which can download additional files from Drive onto the victim system.
  • Once installed, it polls Google Sheets for further commands from the attacker.

Key trends observed

  • The targeting of Taiwanese media shows that APT41, known as a threat to the public sector, is now targeting private-sector organizations with limited ties to the government.
  • Moreover, the tool fetched commands from Google Sheets and used Google Drive to store exfiltrated data, likely in an attempt to blend its malicious traffic with that of genuine services and thus evade detection.
  • The use of GC2 by APT41 is a further example of Chinese APT groups increasingly relying on publicly available tools, such as Cobalt Strike and other pentesting software that can be purchased or downloaded from public websites (GitHub), rather than developing custom tooling.
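The traffic shape described in the bullets above (commands polled from Google Sheets, exfiltrated data pushed to Google Drive, both riding on legitimate Google endpoints) is hard to catch by hostname alone, but on the endpoint it stands out by which process is talking and how regularly. The following Python script is an added example, not code from the report or from GC2: it parses constructed endpoint proxy records and flags any non-browser process that either polls a watched Google host on a fixed cadence or uploads to Drive at all. The host list, the allow-list of expected processes, the process names in the sample log and the jitter threshold are all assumptions to tune per environment.

```python
"""Hunt for GC2-style use of Google Sheets/Drive from unexpected processes.

Added example; log records below are constructed, not taken from the report.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Google endpoints a Sheets-for-C2 / Drive-for-exfil implant would use.
# These are legitimate services, so the process and the timing carry the signal.
WATCHED_HOSTS = {"sheets.googleapis.com", "www.googleapis.com", "drive.google.com"}

# Processes expected to talk to those hosts on a workstation (assumption; tune
# to your own software inventory).
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "GoogleDriveFS.exe"}

# Constructed newline-delimited JSON proxy/EDR records for one workstation.
# "updater.exe" is a made-up name standing in for an unrecognised binary.
SAMPLE_LOG = """
{"ts": "2022-10-03T09:00:00Z", "host": "ws-07", "process": "chrome.exe", "dst": "sheets.googleapis.com", "path": "/v4/spreadsheets/1aB/values/Budget"}
{"ts": "2022-10-03T09:00:05Z", "host": "ws-07", "process": "updater.exe", "dst": "sheets.googleapis.com", "path": "/v4/spreadsheets/9zY/values/Sheet1"}
{"ts": "2022-10-03T09:00:30Z", "host": "ws-07", "process": "GoogleDriveFS.exe", "dst": "www.googleapis.com", "path": "/drive/v3/changes"}
{"ts": "2022-10-03T09:01:05Z", "host": "ws-07", "process": "updater.exe", "dst": "sheets.googleapis.com", "path": "/v4/spreadsheets/9zY/values/Sheet1"}
{"ts": "2022-10-03T09:01:30Z", "host": "ws-07", "process": "GoogleDriveFS.exe", "dst": "www.googleapis.com", "path": "/drive/v3/changes"}
{"ts": "2022-10-03T09:02:05Z", "host": "ws-07", "process": "updater.exe", "dst": "sheets.googleapis.com", "path": "/v4/spreadsheets/9zY/values/Sheet1"}
{"ts": "2022-10-03T09:02:30Z", "host": "ws-07", "process": "GoogleDriveFS.exe", "dst": "www.googleapis.com", "path": "/drive/v3/changes"}
{"ts": "2022-10-03T09:03:05Z", "host": "ws-07", "process": "updater.exe", "dst": "sheets.googleapis.com", "path": "/v4/spreadsheets/9zY/values/Sheet1"}
{"ts": "2022-10-03T09:03:10Z", "host": "ws-07", "process": "updater.exe", "dst": "www.googleapis.com", "path": "/upload/drive/v3/files"}
{"ts": "2022-10-03T09:04:41Z", "host": "ws-07", "process": "chrome.exe", "dst": "www.googleapis.com", "path": "/upload/drive/v3/files"}
"""


def parse_log(text):
    """Parse NDJSON records; ISO-8601 'Z' timestamps become aware datetimes."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def find_suspicious_google_api_use(records, min_requests=3, max_jitter=0.2):
    """Return findings for processes outside the allow-list that either
    (a) upload to Drive, or (b) hit a watched host at least `min_requests`
    times with inter-request jitter (stdev/mean) at or below `max_jitter`,
    i.e. the fixed-cadence polling an implant does when reading its command sheet."""
    findings = []
    stamps_by_key = defaultdict(list)
    for rec in records:
        if rec["dst"] not in WATCHED_HOSTS or rec["process"] in EXPECTED_PROCESSES:
            continue
        if rec["path"].startswith("/upload/drive/"):
            findings.append({
                "type": "drive_upload_from_unexpected_process",
                "host": rec["host"], "process": rec["process"],
                "ts": rec["ts"].isoformat(),
            })
        stamps_by_key[(rec["host"], rec["process"], rec["dst"])].append(rec["ts"])

    for (host, process, dst), stamps in stamps_by_key.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "type": "periodic_polling_from_unexpected_process",
                "host": host, "process": process, "dst": dst,
                "requests": len(stamps),
                "mean_interval_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_google_api_use(parse_log(SAMPLE_LOG)):
        print(json.dumps(finding))
```

In the constructed sample the browser and the Drive sync client are ignored because they are expected to talk to Google, while the unknown binary is reported twice: once for polling the same spreadsheet every 60 seconds with zero jitter, and once for a Drive upload. Both findings are starting points for triage rather than verdicts; the allow-list is the part most likely to need adjustment on a real fleet.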

What more

The report further notes that cloud services are becoming a preferred target for nation-state actors, who abuse them to host malware or to provide C2 infrastructure.

One of the most commonly observed attacks against networks and cloud instances is account takeover. Access to service account credentials allows attackers to obtain domain-wide delegation authority.

Conclusion

This report, like several before it, shows that Chinese threat groups are increasingly using publicly available open-source tools for their attacks. Because such tools are often already whitelisted by security software, they ease penetration of networks and hide malicious activity by blending it with legitimate traffic. Organizations are advised to use usage-monitoring tools to detect unusual behavior and to limit the impact on critical systems.
Cyware Publisher