This article discusses the Chinese APT41 hacking group’s new malware ‘ToughProgress,’ which exploits Google Calendar for covert command-and-control operations. Google’s Threat Intelligence Group has taken actions to dismantle these malicious Google Calendar instances and prevent future abuse. #APT41 #ToughProgress
Key points
- APT41 is using a new malware called ‘ToughProgress’ that leverages Google Calendar for C2 communication.
- The attack begins with malicious emails containing ZIP archives with obfuscated payload files.
- The infection chain uses decoy image files, encrypted payloads, and in-memory process hollowing to evade detection.
- The malware communicates with a hardcoded Google Calendar endpoint, hiding commands within calendar events.
- Google disrupted the campaign by removing attacker-controlled Calendar instances and updating security measures.