The Google Threat Intelligence Group (GTIG) has dismantled attack infrastructure belonging to APT41, the Chinese state-sponsored hacking operation also known as Winnti, which was deploying the novel ToughProgress malware that uses Google Calendar for command-and-control, BleepingComputer reports.
Intrusions began with phishing emails containing a link that redirected to a ZIP archive hosted on a compromised government website; the archive contained a Windows LNK file disguised as a PDF and payloads masquerading as image files, GTIG's analysis found. Clicking the LNK launches the 'PlusDrop' DLL, which decrypts and executes the 'PlusInject' payload in memory; PlusInject then performs process hollowing to install ToughProgress. ToughProgress then connects to a Google Calendar endpoint on which the attackers have planted events carrying encrypted commands, according to the researchers, who noted how covert this channel makes the malware. Besides removing the compromised Workspace accounts and the weaponized Calendar events, Google has updated its Safe Browsing blocklist to warn users who visit websites implicated in APT41's attacks.
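As an added defensive example (not code from Google, GTIG or BleepingComputer), the check below flags the lure layout described above: a ZIP member that is an LNK shortcut named to look like a PDF, and members with image extensions whose headers are not any image format. The sample archive and its file names are constructed inline.

```python
import io
import zipfile

# Header signatures of the image formats a payload might impersonate.
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a", b"BM")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
# Shell Link header: HeaderSize 0x4C little-endian followed by the start of the LinkCLSID.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00"


def looks_like_image(head: bytes) -> bool:
    return any(head.startswith(m) for m in IMAGE_MAGIC)


def scan_archive(zip_bytes: bytes) -> list:
    """Return (member name, reason) pairs for suspicious members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            with zf.open(info) as fh:
                head = fh.read(16)
            # A shortcut whose name carries ".pdf" before the real .lnk extension.
            if lower.endswith(".lnk") and ".pdf" in lower[:-4]:
                findings.append((name, "LNK shortcut spoofing a PDF"))
            # A shortcut whose extension has been changed to hide it.
            elif head.startswith(LNK_MAGIC):
                findings.append((name, "LNK header under a non-.lnk name"))
            # An "image" that does not start like any image format.
            if lower.endswith(IMAGE_EXTS) and not looks_like_image(head):
                findings.append((name, "image extension but non-image content"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a PDF-named LNK, a disguised payload, one genuine-looking PNG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 68)
        zf.writestr("photo1.jpg", b"MZ\x90\x00" + b"\x00" * 60)  # PE header, not JPEG
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_archive(build_sample_archive()):
        print(f"{member}: {reason}")
```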