Google Disables Malware Exploiting Google Calendar

Google Calendar has been exploited by a group of hackers to extract sensitive information from individuals, according to findings from the Google Threat Intelligence Group (GTIG). The cybersecurity team uncovered a compromised government website in October 2024, which was being used to spread malware. Once a device was infected, the malware utilized Google Calendar to create a backdoor for data extraction. GTIG has since dismantled the calendar accounts and systems employed by the hackers.

Malware Delivery Method and Functionality

GTIG provided insights into the malware’s delivery method and its operational mechanics. The hacking group behind this attack is identified as APT41, also known as HOODOO, which is believed to have ties to the Chinese government. The investigation revealed that APT41 employed a spear phishing technique to target individuals. This method involves sending personalized emails designed to deceive specific recipients.

The spear phishing emails contained links to a ZIP archive hosted on the compromised government site. When a target opened the archive, they found a shortcut (LNK) file disguised as a PDF, along with a folder. This folder contained seven JPG images of various arthropods; the sixth and seventh images were decoys that concealed an encrypted payload and a dynamic link library (DLL) responsible for decrypting it. Clicking the LNK file launched both hidden files; the LNK then deleted itself and was replaced by a fake PDF, which served to divert attention from the compromise.
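The archive layout described above (an LNK carrying a document-like double extension next to image files with an encrypted payload appended past the end of the image data) can be triaged without executing anything. The following is an added example written for this page, not Google's or GTIG's tooling: it builds a constructed in-memory ZIP that mimics the described layout, walks each JPEG's marker segments to find the real End-Of-Image marker, and reports files with a double extension or with bytes trailing the image. The JPEG skeleton, file names and appended blob are all constructed sample data.

```python
import io
import zipfile

# Constructed JPEG skeleton: SOI, APP0 (JFIF), a minimal SOS header, a few
# entropy-coded bytes (including one FF 00 stuffed byte), then EOI.
# It is structurally valid for marker walking but not a decodable image.
JPEG_SKELETON = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

# Document-like extensions that should never precede ".lnk" in a benign name.
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def build_sample_archive() -> bytes:
    """Construct a ZIP mimicking the described layout: one LNK disguised as a
    PDF plus seven JPGs, the sixth and seventh carrying an appended blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # "L" + 3 NULs is the Shell Link header size field; the rest is filler.
        zf.writestr("report.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
        for i in range(1, 8):
            data = JPEG_SKELETON
            if i in (6, 7):
                data += b"\x8a\x13\x7e\xc5" * 64  # constructed 256-byte blob
            zf.writestr(f"bugs/{i}.jpg", data)
    return buf.getvalue()


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments and return the offset just past the EOI
    marker, or None if the structure is malformed. Entropy-coded data after
    SOS is skipped honouring FF 00 byte stuffing and RSTn markers, so an
    EOI inside an EXIF thumbnail or inside appended data is not mistaken
    for the real end of image."""
    if data[:2] != b"\xff\xd8":
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI
            return pos + 2
        if marker == 0xFF:                      # fill byte, skip one
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM: no length
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                      # SOS: scan entropy-coded data
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def trailing_bytes(data: bytes) -> int:
    """Bytes present after the image's real EOI (whole file if malformed)."""
    end = jpeg_end_offset(data)
    return len(data) if end is None else len(data) - end


def triage_archive(zip_bytes: bytes) -> list:
    """Return (name, finding) pairs for suspicious entries in the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(".lnk") and lower[:-4].endswith(DOC_EXTENSIONS):
                findings.append((name, "lnk_double_extension"))
            elif lower.endswith((".jpg", ".jpeg")):
                extra = trailing_bytes(zf.read(info))
                if extra > 0:
                    findings.append((name, f"trailing_bytes:{extra}"))
    return findings


if __name__ == "__main__":
    for name, finding in triage_archive(build_sample_archive()):
        print(f"{name}: {finding}")
```

Trailing data alone is not proof of malice (some cameras and editors append metadata), so the finding is a triage signal to pair with the double-extension LNK and the delivery context rather than a verdict on its own.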

Stages of Malware Operation

Once the malware infiltrated a device, it executed its operations in three distinct stages, each designed to perform specific tasks while evading detection. The first stage involved decrypting and executing a DLL file named PLUSDROP directly in memory. The second stage initiated a legitimate Windows process and employed process hollowing, a technique that allows malicious code to run under the guise of a legitimate process, to inject the final payload.

The final payload, known as TOUGHPROGRESS, carried out malicious activities on the infected device and communicated with the attacker through Google Calendar. This cloud-based application served as a command and control (C2) channel. TOUGHPROGRESS created a zero-minute calendar event on a predetermined date, May 30, 2023, to store encrypted data extracted from the compromised computer. Additionally, it generated two other events on hardcoded dates (July 30 and 31, 2023), allowing the attacker to maintain a backdoor for communication with the malware. The malware routinely scanned the calendar for these events, decrypting and executing commands sent by the attacker and returning results through newly created zero-minute events.
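The C2 pattern described above leaves a recognisable footprint in calendar data: zero-minute events on fixed dates whose descriptions are opaque encrypted blobs rather than human text. The following is an added example written for this page, not GTIG's detection logic: it runs a simple heuristic over constructed calendar event records (dicts with ISO 8601 `start`/`end` timestamps and a `description`, an assumed export shape) and flags zero-duration events whose description is a single long base64-like token with high Shannon entropy, then counts flagged events per date to surface the hardcoded dates. The blob contents are constructed from hashes, not real malware output; the dates reuse the ones reported in the article.

```python
import base64
import hashlib
import math
from collections import Counter, defaultdict
from datetime import datetime

B64_CHARS = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_opaque(text: str) -> bool:
    """Heuristic for an encrypted/encoded blob: one whitespace-free token of
    at least 48 chars, almost entirely base64 alphabet, high entropy.
    Plain-language reminders (spaces, low entropy) fall through."""
    token = text.strip()
    if len(token) < 48 or any(ch.isspace() for ch in token):
        return False
    b64_fraction = sum(ch in B64_CHARS for ch in token) / len(token)
    return b64_fraction >= 0.95 and shannon_entropy(token) >= 4.5


def is_zero_minute(event: dict) -> bool:
    """True when the event starts and ends at the same instant."""
    return datetime.fromisoformat(event["start"]) == datetime.fromisoformat(event["end"])


def flag_events(events):
    """Return (flagged_events, flagged_count_by_date)."""
    flagged = [
        ev for ev in events
        if is_zero_minute(ev) and looks_opaque(ev.get("description", ""))
    ]
    by_date = defaultdict(int)
    for ev in flagged:
        by_date[ev["start"][:10]] += 1
    return flagged, dict(by_date)


def _fake_blob(seed: str, n_bytes: int = 96) -> str:
    """Deterministic stand-in for an encrypted blob (constructed test data)."""
    out, h = b"", seed.encode()
    while len(out) < n_bytes:
        h = hashlib.sha256(h).digest()
        out += h
    return base64.b64encode(out[:n_bytes]).decode()


# Constructed sample export: two benign events and three matching the pattern.
SAMPLE_EVENTS = [
    {"summary": "Pay rent", "start": "2023-05-30T09:00:00",
     "end": "2023-05-30T09:00:00", "description": "transfer before noon"},
    {"summary": "Team sync", "start": "2023-07-30T10:00:00",
     "end": "2023-07-30T10:30:00", "description": "weekly status, bring notes"},
    {"summary": "", "start": "2023-05-30T00:00:00",
     "end": "2023-05-30T00:00:00", "description": _fake_blob("exfil")},
    {"summary": "", "start": "2023-07-30T00:00:00",
     "end": "2023-07-30T00:00:00", "description": _fake_blob("cmd-1")},
    {"summary": "", "start": "2023-07-30T00:00:00",
     "end": "2023-07-30T00:00:00", "description": _fake_blob("cmd-2")},
]


if __name__ == "__main__":
    flagged, by_date = flag_events(SAMPLE_EVENTS)
    print(f"{len(flagged)} suspicious zero-minute events")
    for date, count in sorted(by_date.items()):
        print(f"  {date}: {count}")
```

The per-date count is the useful signal for hunting: a handful of opaque zero-minute events piling up on the same two or three dates in an otherwise normal calendar matches the hardcoded-date behaviour described, whereas a zero-minute reminder with readable text does not trip the heuristic.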

Countermeasures and Response

In response to the malware campaign, GTIG implemented custom detection methods to identify and eliminate APT41’s Google Calendar accounts. The team also shut down the Google Workspace projects controlled by the attackers, effectively dismantling the infrastructure supporting the operation. Furthermore, Google enhanced its malware detection systems and blocked the malicious domains and URLs identified through Google Safe Browsing.

GTIG has proactively notified affected organizations and provided them with samples of the malware’s network traffic, along with detailed information about the threat actor. This assistance aims to bolster detection, investigation, and response efforts among the impacted entities, ensuring a more robust defense against such cyber threats in the future.
