How APT41 Turned Google Calendar into a C2 Channel

The Chinese hacking group APT41 (linked to the I-SOON leaks) has developed a new malware called TOUGHPROGRESS, which hijacks Google Calendar to establish a command-and-control (C2) channel. This technique allows attackers to hide malicious communications behind a trusted cloud service, making detection harder.

Infection Chain Overview

1. Spear-Phishing Email: Victims receive an email with a link to a ZIP archive hosted on a compromised government site.

2. Malicious Payload: The ZIP contains:

  • A LNK file disguised as a PDF.
  • 6.jpg – Encrypted payload.
  • 7.jpg – A fake image file (actually a DLL named PlusDrop).

3. Execution:

  • Clicking the LNK opens a decoy PDF.
  • PlusDrop decrypts and executes the payload in memory.

4. Malware Stages:

  • PlusInject: Injects into svchost.exe via process hollowing.
  • ToughProgress: Uses Google Calendar events to receive commands and exfiltrate data.

You Should Know: Detection & Mitigation

1. Detecting Suspicious Calendar Activity

  • Google Workspace Logs: Export the Calendar audit log (Admin console reporting or the Reports API) and look for event creations whose descriptions carry encoded data.
    # <calendar-audit-export.json> is a placeholder for a newline-delimited JSON export of the audit log
    grep -i "calendar.google.com" <calendar-audit-export.json> | jq 'select(.event_type == "CREATE_EVENT")'
    
  • YARA Rule for Memory Analysis (Detect ToughProgress):
    rule APT41_ToughProgress {
        meta:
            description = "Detects ToughProgress malware in memory"
        strings:
            $c2  = "calendar.google.com/event" ascii wide
            $cmd = "cmd /c" ascii wide
        condition:
            // "cmd /c" alone is common in benign process memory; expect noise on
            // whole-system scans and triage $c2 hits first
            any of them
    }
    

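As an added example (not code from the original post or from Google's reporting), a triage script that applies the "encoded commands in event descriptions" idea above to events in the Calendar API events.list JSON shape: it flags descriptions that are a single base64 blob decoding to high-entropy bytes. The sample events, creator addresses and thresholds are constructed for this example.

```python
import base64
import json
import math
import re

# Constructed sample in Google Calendar API events.list shape (not real APT41
# data); evt-2 carries a base64 blob of high-entropy bytes standing in for an
# encrypted command, and the creator addresses are made up.
SAMPLE_EVENTS_JSON = json.dumps({"items": [
    {"id": "evt-1", "summary": "Team sync",
     "description": "Weekly standup, bring status notes.",
     "creator": {"email": "alice@example.com"}},
    {"id": "evt-2", "summary": "",
     "description": base64.b64encode(bytes(range(256)) * 2).decode(),
     "creator": {"email": "svc-calendar@example.com"}},
    {"id": "evt-3", "summary": "Lunch",
     "description": "Q0FGRSBhdCBub29u",  # short, valid base64 but plain text
     "creator": {"email": "bob@example.com"}},
]})

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MIN_BLOB_LEN = 64        # skip short tokens that merely look like base64
ENTROPY_THRESHOLD = 6.0  # bits/byte; encrypted or compressed data sits near 8

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))

def looks_like_encoded_payload(text: str) -> bool:
    """True when text is one base64 blob whose decoded bytes are high-entropy."""
    blob = re.sub(r"\s+", "", text or "")
    if len(blob) < MIN_BLOB_LEN or not B64_RE.match(blob):
        return False
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # bad padding or length
        return False
    return shannon_entropy(raw) >= ENTROPY_THRESHOLD

def flag_suspicious_events(events_json: str) -> list:
    """Return triage records for events whose description looks like a payload."""
    hits = []
    for ev in json.loads(events_json).get("items", []):
        if looks_like_encoded_payload(ev.get("description", "")):
            hits.append({"id": ev["id"],
                         "creator": ev.get("creator", {}).get("email"),
                         "empty_title": not ev.get("summary"),
                         "reason": "high-entropy base64 description"})
    return hits
```

Run `flag_suspicious_events` over a real events.list response or audit export and pivot on the returned creator addresses in the Workspace audit log.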
2. Blocking Malicious LNK Files

  • Windows Defender ASR Rule (BE9BA2D9-… is "Block executable content from email client and webmail"; Add-MpPreference appends to the rule list, whereas Set-MpPreference would overwrite any rules already configured):
    Add-MpPreference -AttackSurfaceReductionRules_Ids "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" -AttackSurfaceReductionRules_Actions Enabled
    
  • Sysmon Configuration (Log LNK Execution):
    <Sysmon schemaversion="4.50">
      <EventFiltering>
        <RuleGroup name="LNK Execution Monitoring" groupRelation="or">
          <ProcessCreate onmatch="include">
            <!-- Explorer launches the shortcut's target, so ".lnk" rarely reaches the command line; pair with FileCreate (Event ID 11) on *.lnk -->
            <CommandLine condition="contains">.lnk</CommandLine>
          </ProcessCreate>
        </RuleGroup>
      </EventFiltering>
    </Sysmon>
    

3. Hunting for Process Hollowing (svchost.exe Abuse)

  • Volatility (Memory Forensics):
    # the profile must match the image's Windows build; run imageinfo or kdbgscan first
    volatility -f memory.dump --profile=Win10x64 pslist | grep -i svchost
    volatility -f memory.dump --profile=Win10x64 pstree | grep -i svchost    # legitimate svchost.exe is parented by services.exe
    volatility -f memory.dump --profile=Win10x64 malfind -p <PID_of_svchost>    # private executable regions typical of hollowed or injected code
    

4. Disabling Google Calendar API Abuse

  • Restrict API Access (this only disables the Calendar API for your own GCP project; the implant uses a calendar in the attacker's own account, so this limits your exposure rather than the attacker's channel):
    gcloud services disable calendar-json.googleapis.com --project=YOUR_PROJECT_ID
    
  • Monitor OAuth Tokens (the principal email is a placeholder to fill in with the account under review):
    gcloud logging read 'protoPayload.methodName="google.calendar.v3.events.import" AND protoPayload.authenticationInfo.principalEmail="<suspect account email>"' --project=YOUR_PROJECT_ID --limit=100
    

What Undercode Says

APT41 continues to innovate by weaponizing legitimate cloud services (Google Drive, Sheets, now Calendar). Defenders must:
– Monitor memory execution (fileless malware).
– Restrict API permissions.
– Use behavioral detection (unusual svchost.exe activity).

Expected Output

  • Detection Alerts: Unusual Google Calendar API calls.
  • Forensic Artifacts: Malicious LNK files, suspicious DLLs.
  • Mitigation: Disable unnecessary API access, enforce ASR rules.

Prediction

APT41 will likely escalate abuse of other cloud services (e.g., Slack, Trello) for C2. Zero-trust policies and memory forensics will be critical.

Reported By: Piveteau Pierre – Hackers Feeds