Jump to content
  • Sign Up
×
×
  • Create New...
New feature: 1 Vote = 0.10€ for server Owner!

Google Shuts Down Malware That Leveraged Google Calendar to Steal Data

Pelican Press

By Pelican Press,
in World News

 Share

Recommended Posts

  • Diamond Member
Pelican Press Warlord

Pelican Press 0

Posted
  • Diamond Member
Posted

This is the hidden content, please

This is the hidden content, please
Shuts Down Malware That Leveraged
This is the hidden content, please
Calendar to Steal Data

This is the hidden content, please
Calendar was being used as a communication channel by a group of hackers to extract sensitive information from individuals, according to the
This is the hidden content, please
Threat Intelligence Group (GTIG). The tech giant’s cybersecurity division discovered a compromised government website in October 2024 and found that malware was being spread using it. Once the malware infected a device, it would create a ********* using
This is the hidden content, please
Calendar and allow the operator to extract data. GTIG has already taken down the calendar accounts and other systems that were being used by the hackers.

This is the hidden content, please
Calendar Used By China-Linked Hackers for Command and Control (C2) Channel

GTIG detailed

This is the hidden content, please
, how it functioned, and the measures taken by
This is the hidden content, please
’s team to protect users and its product. The hacker associated with this attack is said to be APT41, also known as HOODOO, a threat group believed to be linked to the ******** government.

An investigation by GTIG revealed that APT41 used a spear phishing method to deliver malware to targets. Spear phishing is a targeted form of phishing where attackers personalise emails to specific individuals. 

These emails contained a link to a ZIP archive that was hosted on the compromised government website. When an unsuspecting person opened the archive, it showed a shortcut LNK file (.lnk), which was disguised to appear like a PDF, as well as a folder.

toughprogress campaign Toughprogress malware campaign

Overview of how the malware functioned
Photo Credit: GTIG

 

This folder contained seven JPG images of arthropods (insects, spiders, etc.). GTIG highlighted that the sixth and seventh entries, however, are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts the payload. 

When the target clicks the LNK file, it triggers both files. Interestingly, the LNK file also automatically deletes itself and is replaced with a fake PDF, which is shown to the user. This file mentions that the species shown need to be declared for export, likely to mask the hacking attempt and to avoid raising suspicion.

Once the malware has infected a device, it operates in three different stages, where each stage carries out a task in sequence. GTIG highlighted that all three sequences are executed using various stealth techniques to avoid detection. 

The first stage decrypts and runs a DLL file named PLUSDROP directly in memory. The second stage launches a legitimate Windows process and performs process hollowing — a technique used by attackers to run malicious code under the guise of a legitimate process — to inject the final payload.

The final payload, TOUGHPROGRESS, executes malicious tasks on the device and communicates with the attacker via

This is the hidden content, please
Calendar. It uses the cloud-based app as a communication channel via command and control (C2) technique. 

The malware adds a zero-minute calendar event on a hardcoded date (May 30, 2023), which stores encrypted data from the compromised computer in the event’s description field.

It also creates two other events on hardcoded dates (July 30 and 31, 2023), which gives the attacker a ********* to communicate with the malware. TOUGHPROGRESS regularly scans the calendar for these two events. 

When the attacker sends an encrypted command, it decrypts it and executes the command. Then, it sends back the result by creating another zero-minute event with the encrypted output.

To disrupt the malware campaign, GTIG created custom detection methods that identify and remove APT41’s

This is the hidden content, please
Calendar accounts. The team also shut down the attacker-controlled
This is the hidden content, please
Workspace projects, effectively disabling the infrastructure that was used in the operation. 

Additionally, the tech giant also updated its malware detection systems and blocked the malicious domains and URLs using

This is the hidden content, please
Safe Browsing.

GTIG has also notified affected organisations, and provided them with samples of the malware’s network traffic and details about the threat actor to help with detection, investigation, and response efforts.



This is the hidden content, please

#

This is the hidden content, please
#Shuts #Malware #Leveraged #
This is the hidden content, please
#Calendar #Steal #Data

This is the hidden content, please

This is the hidden content, please

0

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing

  • Vote for the server

    To vote for this server you must login.

    Jim Carrey Flirting GIF

  • Recently Browsing   0 members

    • No registered users viewing this page.

Important Information

Privacy Notice: We utilize cookies to optimize your browsing experience and analyze website traffic. By consenting, you acknowledge and agree to our Cookie Policy, ensuring your privacy preferences are respected.

  I accept