
APT41 Leveraged Google Calendar in Sophisticated Malware Campaign: TOUGHPROGRESS


Cyberattack methods are evolving rapidly, and the big platform providers keep tightening their defences in response. A recent campaign stands out for its approach: the attackers used a trusted service, Google Calendar, as the command-and-control channel for malware that spied on government institutions. Behind the operation is APT41, a well-resourced and notoriously aggressive Chinese hacking group.

TOUGHPROGRESS: A Stealthy Malware with Extensive Reach

Google's Threat Intelligence Group (GTIG) recently published details of this malware, dubbed TOUGHPROGRESS. Its network traffic looks like ordinary Workspace usage, yet it gives the operators full remote control of an infected host. According to GTIG, the campaign was first observed in October 2024 and targeted multiple government entities.

The attack begins with a spear-phishing email containing a link. The link looks like a legitimate government web address, which is enough to persuade many recipients to click. Doing so downloads a ZIP archive containing a Windows shortcut (.lnk) file disguised as a PDF: Windows Explorer never displays the .lnk extension, so a shortcut with a PDF icon and a document-like name is indistinguishable from a real document at a glance. Its purpose is far more sinister than showing a document.
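The ZIP-plus-shortcut lure can be caught before anyone clicks. The script below is an added example (not code from GTIG's report or from the malware) that triages an archive for the pattern described above: it flags members named like documents but ending in .lnk, verifies the fixed Shell Link header from the public MS-SHLLINK specification rather than trusting the extension, reads the LinkFlags that indicate a custom icon and command-line arguments, and, going one step beyond the text, also flags members whose extension does not match their content magic. The sample archive is constructed in memory; `triage_zip` is an assumed entry point, not a tool from the page.

```python
"""Triage a phishing ZIP for a Windows shortcut (.lnk) posing as a document.

Added example, not code from GTIG or the malware authors. The archive it
inspects is constructed inline; triage_zip() is the assumed analyst entry
point. Header constants come from the public MS-SHLLINK specification.
"""
import io
import struct
import zipfile

# Every .LNK starts with HeaderSize 0x4C followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID byte order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1) that matter when triaging a lure.
HAS_ARGUMENTS = 0x20       # a command line is passed to the target
HAS_ICON_LOCATION = 0x40   # a custom icon is set, e.g. Acrobat's PDF icon

# Content magic for extensions a lure is likely to imitate.
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".png": b"\x89PNG"}
DOCUMENT_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")


def is_shell_link(blob: bytes) -> bool:
    """True if the blob carries the fixed Shell Link header size and CLSID."""
    if len(blob) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", blob, 0)[0] == LNK_HEADER_SIZE and blob[4:20] == LNK_CLSID


def link_flags(blob: bytes) -> int:
    """LinkFlags is the 32-bit field right after the CLSID, at offset 20."""
    return struct.unpack_from("<I", blob, 20)[0]


def triage_member(name: str, blob: bytes) -> list:
    """Return the reasons a single archive member looks like a lure (empty if none)."""
    reasons = []
    lower = name.lower()
    ext = "." + lower.rsplit(".", 1)[-1] if "." in lower else ""
    if ext == ".lnk":
        reasons.append("shortcut file inside archive")
        if lower[:-4].endswith(DOCUMENT_EXTS):
            reasons.append("double extension: document name with .lnk suffix")
    if is_shell_link(blob):
        flags = link_flags(blob)
        if flags & HAS_ARGUMENTS:
            reasons.append("shortcut passes command-line arguments to its target")
        if flags & HAS_ICON_LOCATION:
            reasons.append("shortcut sets a custom icon (can imitate a PDF)")
        if ext != ".lnk":
            reasons.append("Shell Link content under a non-.lnk name")
    elif ext in MAGIC and not blob.startswith(MAGIC[ext]):
        reasons.append(f"content does not match {ext} magic (hidden payload?)")
    return reasons


def triage_zip(data: bytes) -> list:
    """Return [(member_name, [reasons...])] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = triage_member(info.filename, zf.read(info))
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample archive (not a real lure): a fake 'PDF' shortcut,
    one genuine JPEG header and one 'JPEG' whose bytes are not an image."""
    lnk = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    lnk += struct.pack("<I", HAS_ARGUMENTS | HAS_ICON_LOCATION)
    lnk = lnk.ljust(LNK_HEADER_SIZE, b"\x00")  # rest of the header zeroed
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice.pdf.lnk", lnk)
        zf.writestr("images/1.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
        zf.writestr("images/2.jpg", b"\x13\x37" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_lure()):
        print(name)
        for reason in reasons:
            print("  -", reason)
```

Run it at a mail gateway or in a sandbox on the raw archive bytes; the header check is the important part, because renaming a shortcut does not change its first 20 bytes. A real Shell Link parser would go on to read the target path and arguments, but the flags alone are enough to quarantine a "PDF" that carries a command line.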

TOUGHPROGRESS Attack: A Three-Stage Process

Opening the PDF-lookalike .lnk file starts a three-stage infection chain:

PLUSDROP: a DLL that decrypts the next stage and executes it in memory, so the decrypted payload never touches disk.

PLUSINJECT: launches a legitimate svchost.exe and performs process hollowing on it: the process is started suspended, its original code is replaced with the malicious payload, and it is resumed. The malware then runs under the name of a trusted Windows process, which hides it from casual inspection of the process list and from signature-based tools that only look at files.

TOUGHPROGRESS: the core backdoor. It polls Google Calendar events for commands, executes them on the host, and writes the results, along with collected data, back into Calendar events for the operators to retrieve.

Google Calendar: A Tool for Espionage

The most striking aspect is that the malware uses Google Calendar, a trusted tool, for command and control instead of an attacker-run server. TOUGHPROGRESS writes its collected data, encrypted, into the description of a Calendar event with a duration of zero minutes at a hard-coded date. The operators place encrypted commands in the descriptions of events on other predetermined dates; the infected system polls the calendar, decrypts and runs whatever it finds, and posts the results back as a new event.

The approach is not entirely new (cloud services have been abused for command and control before, including by this group), but it is effective: all traffic goes to calendar.google.com over HTTPS, so there is no attacker-owned domain or IP address for defenders to block, and the connections blend in with ordinary Workspace usage. That makes detection significantly harder than with a conventional C2 server.
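The channel described above has a recognisable shape: zero-minute events whose description is an opaque, base64-looking blob rather than text a person would write. The following added example (not GTIG's takedown fingerprint and not the implant's code) scores events in the Google Calendar API v3 JSON shape on exactly those two properties, using a character-entropy test for "opaque". The events it runs on are constructed; the threshold values and the `find_c2_candidates` entry point are assumptions for illustration.

```python
"""Flag Calendar events shaped like the TOUGHPROGRESS C2 channel described
above: zero-minute events whose description is an opaque (encrypted) blob.

Added example, not GTIG's fingerprint or the malware's code. Events use the
Google Calendar API v3 JSON shape; the sample events below are constructed.
"""
import base64
import hashlib
import math
import string
from collections import Counter
from datetime import datetime

B64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")
ENTROPY_THRESHOLD = 4.5   # bits/char (assumed); English prose sits near 4.0 or lower
MIN_BLOB_LEN = 32         # assumed; shorter strings are too noisy to score


def parse_when(when: dict):
    """Calendar API gives timed events 'dateTime' and all-day events 'date'."""
    if "dateTime" in when:
        return datetime.fromisoformat(when["dateTime"].replace("Z", "+00:00"))
    return None  # all-day event: no duration to measure


def duration_seconds(event: dict):
    start = parse_when(event.get("start", {}))
    end = parse_when(event.get("end", {}))
    if start is None or end is None:
        return None
    return (end - start).total_seconds()


def shannon_entropy(text: str) -> float:
    """Bits per character over the string's own symbol distribution."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_opaque(text: str) -> bool:
    """True for a base64-like, high-entropy string: what an encrypted command
    or exfiltrated blob looks like once stuffed into an event description."""
    text = text.strip()
    if len(text) < MIN_BLOB_LEN:
        return False
    b64_fraction = sum(ch in B64_ALPHABET for ch in text) / len(text)
    return b64_fraction >= 0.95 and shannon_entropy(text) >= ENTROPY_THRESHOLD


def find_c2_candidates(events: list) -> list:
    """Return [(event_id, [reasons...])] for events matching the C2 shape."""
    hits = []
    for ev in events:
        reasons = []
        if duration_seconds(ev) == 0:
            reasons.append("zero-minute event")
        if looks_opaque(ev.get("description", "")):
            reasons.append("opaque base64-like description")
        if not ev.get("summary"):
            reasons.append("no title")
        # Require both structural oddities before raising a hit: zero-minute
        # reminders and pasted tokens each occur legitimately on their own.
        if "zero-minute event" in reasons and "opaque base64-like description" in reasons:
            hits.append((ev["id"], reasons))
    return hits


def sample_events() -> list:
    """Constructed events, not real indicators from the campaign."""
    blob = base64.b64encode(hashlib.sha512(b"constructed sample").digest()).decode()
    return [
        {"id": "ev1", "summary": "Weekly sync",
         "description": "Finance team, room 4B",
         "start": {"dateTime": "2024-11-04T09:00:00Z"},
         "end": {"dateTime": "2024-11-04T09:30:00Z"}},
        {"id": "ev2", "summary": "Pay rent",
         "description": "Transfer before the 1st",
         "start": {"dateTime": "2024-11-04T08:00:00Z"},
         "end": {"dateTime": "2024-11-04T08:00:00Z"}},
        {"id": "ev3", "summary": "",
         "description": blob,
         "start": {"dateTime": "2024-11-05T00:00:00Z"},
         "end": {"dateTime": "2024-11-05T00:00:00Z"}},
        {"id": "ev4", "summary": "Company holiday",
         "start": {"date": "2024-11-06"}, "end": {"date": "2024-11-07"}},
    ]


if __name__ == "__main__":
    for event_id, reasons in find_c2_candidates(sample_events()):
        print(event_id, "->", ", ".join(reasons))
```

In practice the input would be the `items` list returned by the Calendar API's `events().list()` call for a calendar you administer. Note the limitation: the calendar in this campaign belonged to the attackers, not to the victims, so a check like this is useful for Workspace admins hunting abuse of their own tenant, while on the victim side the indicator is network traffic to calendar.google.com from a process that has no business talking to it, such as a hollowed svchost.exe.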

APT41: A Familiar Face, New Tactics

APT41, also known as Winnti, Brass Typhoon, and Wicked Panda, is a highly skilled Chinese state-sponsored cyber espionage group. It has previously targeted government departments, technology companies, and manufacturers in countries including Japan, the UK, and Taiwan.

In 2023, the same group was seen using GC2 (Google Command and Control), an open-source red-team tool that reads its commands from Google Sheets and exfiltrates data from infected systems to Google Drive. The TOUGHPROGRESS campaign continues that pattern of hiding C2 traffic inside Google services.

Google's Response

Google identified the threat and disabled the attacker-controlled Google Calendar events and Workspace projects. Affected organizations were also notified. However, GTIG clarified that the full extent of the attack is not yet known, and the investigation is ongoing.

How to Protect Yourself from Cyberattacks

This incident highlights how attackers exploit platforms that users and defenders trust. Vigilance and the following precautions are therefore crucial:

  • Do not open attachments or download links from unexpected emails, especially ZIP archives.
  • Treat Windows shortcut (.lnk) files inside archives as suspect and block or quarantine them at the mail gateway. Windows Explorer never shows the .lnk extension, so a shortcut with a PDF icon cannot be told apart from a real document by looking at it.
  • Keep endpoint protection up to date; behavioural detections (a shortcut spawning a script interpreter, a DLL executing a payload in memory, svchost.exe behaving unlike a service host) matter more against a chain like this than file signatures do.
  • Regularly review permissions and access logs for your cloud accounts, including Google Drive and Calendar. Bear in mind that the C2 calendar in this campaign belonged to the attackers, so on the victim side the indicator is network traffic to calendar.google.com from a process that has no reason to contact it.
