The Chinese state-sponsored hacking group APT41 was discovered abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media company and an Italian job search company.
APT41, also known as HOODOO, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, stating that its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.
In Google's April 2023 Threat Horizons Report, released last Friday, security researchers in its Threat Analysis Group (TAG) revealed that APT41 was abusing the GC2 red teaming tool in attacks.
GC2, also known as Google Command and Control, is an open-source project written in Go that was developed for red teaming activities.
"This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, ...) during Red Teaming activities," reads the project's GitHub repository.
"In addition, the program will interact only with Google's domains (*.google.com) to make detection harder."
The project consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.
These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.
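Because the agent described above talks only to Google services, network blocklists are of little use; what a defender can look for is an unexpected process polling the Sheets API at a fixed cadence and moving files through Drive. The following is an added example of that detection logic, not code from the article, from Google, or from the GC2 project. It runs over constructed proxy-log lines in an assumed `timestamp|host|process|dest_host|path` format; the Sheets and Drive API hostnames and paths are the public Google API endpoints, the list of expected client processes and the jitter threshold are assumptions, and whether GC2 hits exactly these paths is not stated on the page.

```python
"""Flag non-browser processes that poll Google Sheets and move data through Drive.

Added illustrative detection logic. The log format, the process allowlist,
the sample lines and the beaconing threshold are all constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp|host|process|dest_host|path".
# WS-017 shows a non-browser binary polling a sheet every 30 s, pulling a
# file from Drive and uploading one; WS-022 shows ordinary browser traffic.
SAMPLE_LOG = """\
2022-10-03T09:00:00|WS-017|chrome.exe|docs.google.com|/spreadsheets/d/abc/edit
2022-10-03T09:00:05|WS-017|svc_update.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2022-10-03T09:00:35|WS-017|svc_update.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2022-10-03T09:01:05|WS-017|svc_update.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2022-10-03T09:01:07|WS-017|svc_update.exe|www.googleapis.com|/drive/v3/files/xyz?alt=media
2022-10-03T09:01:35|WS-017|svc_update.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2022-10-03T09:02:05|WS-017|svc_update.exe|sheets.googleapis.com|/v4/spreadsheets/abc/values/Sheet1
2022-10-03T09:02:07|WS-017|svc_update.exe|www.googleapis.com|/upload/drive/v3/files?uploadType=multipart
2022-10-03T09:10:00|WS-022|chrome.exe|sheets.googleapis.com|/v4/spreadsheets/def/values/Sheet1
2022-10-03T09:12:00|WS-022|outlook.exe|outlook.office365.com|/owa/
"""

# Processes expected to reach Google Workspace APIs (assumed allowlist).
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}

# Public Google API hostnames and path prefixes for Sheets reads and Drive transfers.
WATCHED = (
    ("sheets.googleapis.com", "/v4/spreadsheets/", "sheets_read"),
    ("www.googleapis.com", "/drive/v3/files/", "drive_download"),
    ("www.googleapis.com", "/upload/drive/", "drive_upload"),
)


def parse_log(text):
    """Parse the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, path = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "proc": proc.lower(), "dest": dest, "path": path})
    return events


def classify(event):
    """Return the watched-activity label for an event, or None if it is not of interest."""
    for dest, prefix, label in WATCHED:
        if event["dest"] == dest and event["path"].startswith(prefix):
            return label
    return None


def is_regular(timestamps, min_events=3, max_jitter_ratio=0.2):
    """True when the gaps between consecutive timestamps are nearly constant (beacon-like)."""
    if len(timestamps) < min_events:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio


def find_suspects(text):
    """Map (host, process) -> {"labels": set, "beaconing": bool} for unexpected API clients."""
    activity = defaultdict(lambda: {"labels": set(), "poll_times": []})
    for ev in parse_log(text):
        label = classify(ev)
        if label is None or ev["proc"] in EXPECTED_CLIENTS:
            continue
        key = (ev["host"], ev["proc"])
        activity[key]["labels"].add(label)
        if label == "sheets_read":
            activity[key]["poll_times"].append(ev["ts"])
    return {k: {"labels": v["labels"], "beaconing": is_regular(v["poll_times"])}
            for k, v in activity.items()}


if __name__ == "__main__":
    for (host, proc), info in find_suspects(SAMPLE_LOG).items():
        flag = "regular polling" if info["beaconing"] else ""
        print(host, proc, sorted(info["labels"]), flag)
```

The combination matters more than any single signal: one Sheets read from an unknown binary is noise, but a fixed-interval poll of the same sheet followed by a Drive download and a Drive upload from that same process matches the command, payload and exfiltration flow the article describes. In a real deployment the allowlist would be built from an inventory of sanctioned Google API clients and the interval threshold tuned to the proxy's logging granularity.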
GC2 abused in attacks
According to Google's report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent through phishing emails.
"In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive," explained the Google Threat Horizons report.
"The payload was an open source red teaming tool called 'Google Command and Control' (GC2)."
Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022.
Using the agent, Google says the threat actors attempted to deploy additional payloads on the device and exfiltrate data to Google Drive, as illustrated in the attack workflow below.
While it is not known what malware was distributed in these attacks, APT41 is known to deploy a wide variety of malware on compromised systems.
A 2019 Mandiant report explains that the threat actors utilize rootkits, bootkits, custom malware, backdoors, Point of Sale malware, and even ransomware in an isolated incident.
The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks.
In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer], data theft, and breaches against countries worldwide.
BleepingComputer contacted Google to learn more about the payloads seen in these attacks, but a response was not immediately available.
A shift to legitimate tools
APT41's use of GC2 is another sign of a trend of threat actors moving to legitimate red teaming tools and RMM platforms as part of their attacks.
While the use of Cobalt Strike in attacks has been widespread for years, it has also led to significant investment in detecting it, making it more easily spotted by defenders.
More recently, ransomware gangs have begun abusing the Action1 remote monitoring and management (RMM) tool for persistence on compromised networks and to execute commands, scripts, and binaries.
Unfortunately, as with any tool that can help red teamers conduct exercises or admins manage a network remotely, they can equally be abused by threat actors in their own attacks.