The data theft assaults against a Taiwanese media outlet and an Italian job search firm were carried out by the Chinese state-sponsored hacking organization APT41, which was discovered abusing the GC2 (Google Command and Control) red teaming tool.
Chinese state-sponsored hacking organization APT 41, also known as HOODOO, is well-known for focusing on various industries in the USA, Asia, and Europe. Since 2014, MandiantF has been monitoring the hacker gang, which it claims shares actions with other well-known Chinese hacking groups like BARIUM and Winnti.
Google’s Threat Analysis Group (TAG) security researchers discovered that APT41 was misusing the GC2 red teaming tool in assaults in its April 2023 Threat Horizons Report published last Friday. An open-source Go project called GC2, commonly called Google Command and Control, was created for use by red teams.
According to the project’s GitHub repository, “This program has been designed to offer a command and control system during Red Teaming activities that doesn’t need any special setup (like: a custom domain, VPS, CDN, etc.).” To avoid detection, the software will only connect with websites ending in *.google.com.
The project entails installing an agent on hijacked devices, which links back to a Google Sheets Address to obtain instructions for execution. These instructions prompt the installed agents to exfiltrate stolen data to Google Drive or download and install additional payloads from the cloud storage platform.
Google’s research claims that TAG stopped an APT41 phishing effort against a Taiwanese media organization that sought to spread the GC2 agent via phishing emails.
According to the Google Threat Horizons report, In October 2022, Google’s Threat Analysis Group (TAG) stopped HOODOO, an APT41-affiliated attacker with cooperation from the Chinese government, from attacking a Taiwanese media outlet with phishing emails that contained links to a Drive file that was password-protected.
“Google Command and Control” (GC2), an open-source red teaming tool, was the payload. According to Google, in July 2022, APT41 launched assaults against an Italian job search website using GC2. Google claims that threat actors attempted to exfiltrate data to Google Drive and put further payloads on the device via the agent, as shown in the attack workflow below.
While the specific malware used in these attacks is unknown, APT41 is known to install a wide range of malware on infected systems. According to a 2019 Mandiant assessment, threat actors occasionally use ransomware, point-of-sale malware, bootkits, bespoke malware, backdoors, and rootkits.
Additionally, the threat actors have been known to use Cobalt Strike for persistence on infiltrated networks, the Winnti virus, and the China Chopper web shell, tools frequently used by Chinese hacking gangs.
Three Chinese nationals were indicted by the Department of Justice in 2020 for conducting supply chain attacks (CCleaner, ShadowPad, and ShadowHammer), data theft, and breaches against other nations.
Another sign of the trend of threat actors utilizing legal red teaming tools and RMM platforms as part of their attacks is APT41’s usage of GC2. Despite Cobalt Strike’s long history of use in attacks, there have been major investments made in its detection, making it simpler for defenders to identify it.
Threat actors have begun to use other red teaming technologies, like Brute Ratel and Sliver; as a result, to elude detection during their attacks. Sadly, they can also be misused by threat actors in their assaults, just like any technology that allows red teamers to perform exercises or network administrators to control a network remotely.
Conclusion
A Chinese nation-state entity sent an unknown Taiwanese media company, Google Command, and Control (GC2), an open-source red teaming tool. The IT giant’s Threat Analysis Group (TAG) linked the effort to HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. A phishing email leads to a password-protected Google Drive file that uses the GC2 tool to read commands from Google Sheets and exfiltrate data. “After installation on the target PC, the malware accesses Google Sheets to obtain attacker commands,” Google’s cloud division wrote in its sixth Threat Horizons Report. “GC2 lets the attacker download Drive files into the victim PC in addition to exfiltration.”
Google says the same virus was used in July 2022 to attack an Italian job search website. This is significant for two reasons: Secondly, it suggests that Chinese threat organizations increasingly use publicly available tools like Cobalt Strike and GC2 to confound attribution. Second, due to its modularity and cross-platform interoperability, Go-written malware and tools are becoming more popular. Google warned that cybercriminals and government-backed actors target cloud services “either as hosts for malware or supplying the infrastructure for command-and-control (C2)” due to their “undeniable value.” Google Drive has been used to store Ursnif (aka Gozi) and DICELOADER (aka Lizar or Tirion) ZIP archive files for various phishing attacks.
