The Google Threat Intelligence Group (GTIG) has uncovered a sophisticated malware campaign dubbed "TOUGHPROGRESS", orchestrated by the PRC-based threat actor APT41, also tracked as HOODOO.
Identified in late October 2024, the campaign distributes malware from a compromised government website and, notably, uses Google Calendar as its command and control (C2) channel to manage infected systems.
Novel Malware Abuses Google Calendar
APT41, known for targeting a wide range of sectors including global shipping, media, technology and the automotive industry, has once again shown its knack for blending malicious activity with legitimate services, which makes detection a significant challenge for security teams.
The TOUGHPROGRESS campaign begins with spear-phishing emails that lure victims into downloading a malicious ZIP archive hosted on the compromised government website.
The archive contains an LNK file disguised as a PDF alongside decoy JPG images; two of those "images" ("6.jpg" and "7.jpg") are actually an encrypted payload and the DLL responsible for decrypting it.
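The lure layout above (a double-extension shortcut plus payloads hiding behind image names) can be triaged mechanically. The following is an added example, not GTIG tooling: it walks a ZIP, flags shortcuts with a second extension, and flags image-named members whose first bytes are not a JPEG header (an MZ header or ciphertext instead). The archive it inspects is constructed in memory to mimic the layout described; it is not the real sample.

```python
"""Triage a phishing ZIP for the TOUGHPROGRESS-style lure pattern.

Added example, not GTIG/Mandiant code. The sample archive is constructed
here for illustration and contains no real malware.
"""
import io
import zipfile
from typing import Dict, Optional

JPEG_MAGIC = b"\xff\xd8\xff"
LNK_MAGIC = b"L\x00\x00\x00"   # ShellLink header size field (0x4C)
MZ_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> Optional[str]:
    """Return a finding for one archive member, or None if it looks benign."""
    lower = name.lower()
    basename = lower.rsplit("/", 1)[-1]
    if lower.endswith(".lnk"):
        # "report.pdf.lnk": a shortcut wearing a document extension.
        if "." in basename[:-4]:
            return "shortcut disguised with a double extension"
        return "shortcut file in archive"
    if lower.endswith((".jpg", ".jpeg")):
        if head.startswith(JPEG_MAGIC):
            return None
        if head.startswith(MZ_MAGIC):
            return "image-named file is a PE (DLL/EXE)"
        return "image-named file lacks JPEG header (possible encrypted payload)"
    return None


def triage_zip(zip_bytes: bytes) -> Dict[str, str]:
    """Map suspicious member names to a short verdict."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)          # magic bytes only; never execute anything
            verdict = classify_member(info.filename, head)
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample_zip() -> bytes:
    """Constructed look-alike of the lure layout (names and bytes are made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("declaration_list.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("pics/1.jpg", JPEG_MAGIC + b"\xe0" + b"\x00" * 32)   # real-looking decoy
        zf.writestr("pics/6.jpg", bytes((i * 37 + 11) % 256 for i in range(64)))  # "ciphertext"
        zf.writestr("pics/7.jpg", MZ_MAGIC + b"\x90" * 62)               # DLL hiding as image
    return buf.getvalue()


if __name__ == "__main__":
    for member, verdict in triage_zip(build_sample_zip()).items():
        print(f"{member}: {verdict}")
```

Reading only the first four bytes keeps the check cheap and safe to run on untrusted archives; extend the magic table (PE, ELF, OLE) as needed for other lures.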
Dissecting the TOUGHPROGRESS Attack Chain
Upon execution, the malware deploys in three stages, PLUSDROP, PLUSINJECT and TOUGHPROGRESS itself, each using evasion techniques such as memory-only payloads, process hollowing of legitimate "svchost.exe" processes, and control-flow obfuscation using register-based indirect calls and 64-bit register overflow.
The final stage, TOUGHPROGRESS, interfaces with Google Calendar by creating zero-minute events on hardcoded dates such as May 30, 2023, to exfiltrate encrypted data from compromised hosts, while polling events on subsequent dates for operator commands. Because the traffic goes to Google's own Calendar service, it blends with legitimate Workspace use; network-level blocking is of little help, and defenders need to examine the Calendar events themselves.
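A hunt over exported Calendar events can surface this pattern. The following is an added example, not GTIG code: it scores events on three signals from the description above (zero-minute duration, the hardcoded 2023-05-30 date, and a description that is a single high-entropy base64 blob) and reports events matching at least two, because zero-minute reminders are common on their own. The input shape (`start.dateTime`, `end.dateTime`, `description`) follows the Google Calendar API, and the sample events are constructed for illustration.

```python
"""Hunt for TOUGHPROGRESS-style Calendar C2 in an events export.

Added example, not GTIG/Mandiant tooling. Sample events are constructed.
"""
import base64
import binascii
import math
from datetime import datetime
from typing import Dict, List

# Date the report names for the malware's exfiltration events.
SUSPECT_DATES = {"2023-05-30"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for random data, far lower for text."""
    if not data:
        return 0.0
    counts: Dict[int, int] = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_blob(description: str) -> bool:
    """True if the description is one base64 token decoding to high-entropy bytes."""
    text = description.strip()
    if len(text) < 32 or " " in text:
        return False
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return shannon_entropy(raw) > 6.0


def _parse(ts: str) -> datetime:
    # Calendar API timestamps may end in "Z"; older Pythons need an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def event_duration_minutes(event: dict) -> float:
    start = _parse(event["start"]["dateTime"])
    end = _parse(event["end"]["dateTime"])
    return (end - start).total_seconds() / 60


def triage_events(events: List[dict]) -> List[dict]:
    """Return events that match at least two of the three C2 signals."""
    findings = []
    for ev in events:
        reasons = []
        if event_duration_minutes(ev) == 0:
            reasons.append("zero-minute event")
        if ev["start"]["dateTime"][:10] in SUSPECT_DATES:
            reasons.append("hardcoded TOUGHPROGRESS date")
        if looks_like_blob(ev.get("description", "")):
            reasons.append("description is a high-entropy base64 blob")
        if len(reasons) >= 2:
            findings.append({"id": ev["id"], "reasons": reasons})
    return findings


# Constructed stand-in for an exfiltration blob: 200 distinct byte values, base64-encoded.
_BLOB = base64.b64encode(bytes((i * 7 + 13) % 256 for i in range(200))).decode()

SAMPLE_EVENTS = [  # constructed, not from a real tenant
    {"id": "evt-1",
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": _BLOB},
    {"id": "evt-2",
     "start": {"dateTime": "2024-11-04T09:00:00+01:00"},
     "end": {"dateTime": "2024-11-04T09:30:00+01:00"},
     "description": "Weekly sync with the platform team"},
    {"id": "evt-3",                       # benign zero-minute reminder: one signal only
     "start": {"dateTime": "2024-11-05T12:00:00Z"},
     "end": {"dateTime": "2024-11-05T12:00:00Z"},
     "description": "Reminder: submit timesheet"},
]

if __name__ == "__main__":
    for hit in triage_events(SAMPLE_EVENTS):
        print(hit["id"], "->", "; ".join(hit["reasons"]))
```

Pull events with the Calendar API or a Workspace export for the accounts in question; the date check is a literal from the report and should be widened once further dates are known.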

According to the report, GTIG, in collaboration with Mandiant FLARE, reverse-engineered the C2 encryption protocol, revealing a layered scheme of LZNT1 compression and dual XOR key encryption.
In response, Google disrupted the campaign by creating custom detection signatures, taking down attacker-controlled Workspace projects, updating Safe Browsing blocklists, and notifying affected organizations with relevant threat intelligence.
This follows APT41's long-running abuse of Workspace apps and recent campaigns such as VOLDEMORT and DUSTTRAP, which likewise relied on free web hosting services and URL shorteners for malware distribution.
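To make the "LZNT1 plus dual XOR" layering concrete, here is an added example (not the GTIG/Mandiant decoder) that strips two repeating-key XOR layers and then inflates the LZNT1 stream. The key bytes and the order of operations (compress first, then XOR twice) are assumptions for illustration; the real keys are not on the page. The compressed sample is hand-assembled inline so the decompressor's back-reference and stored-chunk paths are both exercised.

```python
"""Decode a layered LZNT1 + XOR message of the kind the report describes.

Added example, not GTIG/Mandiant code. OUTER_KEY / INNER_KEY are placeholders.
"""
import struct

OUTER_KEY = b"\x10\x32\x54\x76\x98\xba\xdc\xfe\x01\x23"   # placeholder, not the real key
INNER_KEY = b"\xa5\x5a\xc3"                               # placeholder, not the real key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key (symmetric: the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _decompress_chunk(chunk: bytes) -> bytearray:
    """Inflate one LZNT1 chunk body: flag byte, then up to 8 literal/copy tokens."""
    out = bytearray()
    pos = 0
    while pos < len(chunk):
        flags = chunk[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(chunk):
                break
            if not (flags >> bit) & 1:          # literal byte
                out.append(chunk[pos])
                pos += 1
                continue
            token = struct.unpack_from("<H", chunk, pos)[0]
            pos += 2
            # The offset/length bit split depends on how far into the chunk we are:
            # early tokens can only reach back a few bytes, so they get more length bits.
            idx = len(out) - 1
            len_mask, off_shift = 0x0FFF, 12
            while idx >= 0x10:
                len_mask >>= 1
                off_shift -= 1
                idx >>= 1
            length = (token & len_mask) + 3
            offset = (token >> off_shift) + 1
            start = len(out) - offset
            if start < 0:
                raise ValueError("LZNT1 back-reference points before chunk start")
            for k in range(length):             # byte-wise copy: runs may overlap
                out.append(out[start + k])
    return out


def lznt1_decompress(data: bytes) -> bytes:
    """Walk chunk headers: bits 0-11 size-1, bits 12-14 signature (3), bit 15 compressed."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:
            break                                # end-of-buffer marker
        if (header >> 12) & 0x7 != 3:
            raise ValueError("bad LZNT1 chunk signature")
        size = (header & 0x0FFF) + 1
        chunk = data[pos:pos + size]
        pos += size
        out += _decompress_chunk(chunk) if header & 0x8000 else chunk
    return bytes(out)


def decode_message(blob: bytes, outer_key: bytes, inner_key: bytes) -> bytes:
    """Peel the two assumed XOR layers, then inflate the LZNT1 payload."""
    return lznt1_decompress(xor_bytes(xor_bytes(blob, outer_key), inner_key))


# Hand-assembled LZNT1 stream (constructed): chunk 1 is compressed and encodes
# "ABCABCABC" as three literals plus one copy token (offset 3, length 6);
# chunk 2 is a stored chunk holding "XYZ".
SAMPLE_COMPRESSED = bytes([
    0x05, 0xB0,                    # header 0xB005: compressed, size 6
    0x08, 0x41, 0x42, 0x43,        # flags 0b00001000; literals A B C
    0x03, 0x20,                    # token 0x2003: length 3+3, offset 2+1
    0x02, 0x30,                    # header 0x3002: stored, size 3
    0x58, 0x59, 0x5A,              # X Y Z
])
SAMPLE_BLOB = xor_bytes(xor_bytes(SAMPLE_COMPRESSED, INNER_KEY), OUTER_KEY)

if __name__ == "__main__":
    print(decode_message(SAMPLE_BLOB, OUTER_KEY, INNER_KEY))
```

Two XOR passes with independent keys collapse to a single pass with a key of the combined period, so the layering adds obscurity rather than strength; once the keys are recovered from the binary, the whole channel is readable.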
Indicators of Compromise (IOCs)
Type | Name/Description | Value (SHA256 / MD5, or Domain/URL) |
---|---|---|
File Hash | 出境海關申報清單.zip (outbound customs declaration list) | 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a / 876fb1b0275a653c4210aaf01c2698ec |
File Hash | 申報物品清單.pdf.lnk (declared items list) | 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb / 65da1a9026cf171a5a7779bc5ee45fb1 |
File Hash | 6.jpg | 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 / 1ca609e207edb211c8b9566ef35043b6 |
File Hash | 7.jpg | 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 / 2ec4eeeabb8f6c2970dcbffdcdbd60e3 |
Domain | Cloudflare Workers | word[.]msapp[.]workers[.]dev, cloud[.]msapp[.]workers[.]dev |
Domain | TryCloudflare | term-restore-satisfied-hence[.]trycloudflare[.]com, ways-sms-pmc-shareholders[.]trycloudflare[.]com |
Domain | InfinityFree | resource[.]infinityfreeapp[.]com, pubs[.]infinityfreeapp[.]com |
URL Shortener | Various | https[:]//lihi[.]cc/6dekU, https[:]//tinyurl[.]com/hycev3y7, https[:]//my5353[.]com/nWyTf, etc. |