According to the Google Threat Intelligence Group (GTIG), a group of hackers used Google Calendar as a communication channel to steal sensitive information from users. In October 2024, the tech giant's cybersecurity group identified a compromised government website that was being used to disseminate malware. Once the malware infected a device, it used Google Calendar to establish a backdoor that allowed the operator to extract data. GTIG has already disabled the hackers' calendar accounts and other systems.
China-linked hackers use Google Calendar as a command and control (C2) channel
GTIG explained the malware's delivery technique, how it worked, and the steps taken by Google's team to safeguard consumers and its product. The actor responsible for this attack is reported to be APT41, also known as HOODOO, a threat group thought to be tied to the Chinese government.
GTIG discovered that APT41 utilized spear phishing to transmit malware to targets. Spear phishing is a type of phishing in which attackers personalize emails to specific recipients.
These emails included a link to a ZIP archive hosted on the compromised government website. When an unwary individual opened the archive, it contained a Windows shortcut (.lnk) file disguised to look like a PDF, as well as a directory.
This folder included seven JPG photos of arthropods (such as insects and spiders). GTIG pointed out that the sixth and seventh files are decoys that actually contain an encrypted payload and a dynamic link library (DLL) file that decrypts it.
When the target clicks on the LNK file, it launches both of those files. Notably, the LNK file also deletes itself and is replaced with a bogus PDF that is displayed to the viewer. This document states that the species shown must be declared for export, most likely to conceal the intrusion and avoid suspicion.
Once the malware has infected a device, it executes in three stages, each performing one job in sequence. GTIG stated that all three stages use a variety of stealth techniques to avoid detection.
The first stage decrypts and executes a DLL called PLUSDROP directly in memory. The second stage spawns a legitimate Windows process and injects the final payload using process hollowing, a technique attackers use to run malicious code under the guise of a normal process.
The final payload, TOUGHPROGRESS, runs malicious processes on the device and interacts with the attacker via Google Calendar. It communicates through the cloud-based app using the command and control (C2) mechanism.
The malware creates a zero-minute calendar event on a hardcoded date (May 30, 2023) and stores encrypted data from the hijacked machine in the event's description field.
It also creates two more events on hardcoded dates (July 30 and 31, 2023), giving the attacker a backdoor for communicating with the malware. TOUGHPROGRESS periodically polls the calendar for these two events.
When the attacker places an encrypted command in one of those events, the malware decrypts and executes it. It then returns the result by creating another zero-minute event containing the encrypted output.
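The calendar-based C2 pattern described above has three observable traits a defender can hunt for in calendar audit data: zero-duration events, events pinned to the hardcoded dates the article names, and an opaque encoded blob in the description field. The following script is an added example, not GTIG's detection logic; it assumes events in the shape of Google Calendar API event resources and runs over a constructed sample.

```python
import math
import re
from datetime import datetime

# Dates the article reports TOUGHPROGRESS hardcodes for its calendar events.
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
# A description that is one long base64-like token with no spaces is unlike
# anything a human writes into a meeting invite.
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{32,}$")


def shannon_entropy(s: str) -> float:
    """Bits per character: English text sits near 4, encrypted base64 above 5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _parse(ts: str) -> datetime:
    # Calendar API timestamps are RFC 3339; fromisoformat wants "+00:00", not "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def flag_event(ev: dict) -> list:
    """Return the indicators an event matches (empty list means nothing suspicious)."""
    reasons = []
    start = ev.get("start", {}).get("dateTime")
    end = ev.get("end", {}).get("dateTime")
    if start and end and _parse(start) == _parse(end):
        reasons.append("zero-minute event")
    if start and _parse(start).date().isoformat() in HARDCODED_DATES:
        reasons.append("hardcoded C2 date")
    desc = (ev.get("description") or "").strip()
    if BLOB_RE.match(desc) and shannon_entropy(desc) > 4.5:
        reasons.append("opaque blob in description")
    return reasons


def scan(events: list, min_indicators: int = 2) -> dict:
    """Map event id -> indicators for events that hit at least min_indicators."""
    hits = {}
    for ev in events:
        reasons = flag_event(ev)
        if len(reasons) >= min_indicators:
            hits[ev["id"]] = reasons
    return hits


# Constructed sample: one ordinary meeting, one exfil-style event, one empty beacon.
SAMPLE_EVENTS = [
    {"id": "evt-1", "start": {"dateTime": "2023-05-30T09:00:00Z"},
     "end": {"dateTime": "2023-05-30T09:30:00Z"},
     "description": "Weekly status meeting, bring the export report."},
    {"id": "evt-2", "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": "Q2hNkd9pLz3VxR8aYbFw2mTq7sHe1CjU6oGtWnI0rKvXfLcB5PdZyMe4A=="},
    {"id": "evt-3", "start": {"dateTime": "2023-07-31T00:00:00Z"},
     "end": {"dateTime": "2023-07-31T00:00:00Z"}, "description": ""},
]
```

Requiring two indicators keeps an ordinary meeting that happens to fall on one of those dates (evt-1) out of the results while still catching both the data-carrying event and the empty polling event.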
To disrupt the campaign, GTIG developed custom detection logic to identify and take down APT41's Google Calendar account. The team also shut down the attacker-controlled Google Workspace projects, dismantling the infrastructure used in the attack.
Additionally, the tech giant improved its malware detection systems and used Google Safe Browsing to block the malicious sites and URLs.
GTIG has also contacted affected organizations and provided them with samples of the malware's network traffic and information about the threat actor to aid in detection, investigation, and response.