From Friend to Foe: How APT41 Weaponized Google's Red Teaming Tool?

APT 41, also known as HOODOO and BARIUM, is a China-based cyber espionage group that targets the healthcare, high-tech, and telecommunications sectors for intellectual property theft. The group also tracks individuals and conducts surveillance on higher education, travel services, and news/media firms. The #FBI has published “Most Wanted” posters for these hackers, who have mastered and repeatedly employed attack vectors such as spear #phishing, #supplychainattacks, #waterholes, and backdoor #exploitation. Their most popular vector is the software supply chain, in which they compromise a target system to inject #malicious code into legitimate files. They are unique among China-based actors in using non-public malware in activity that appears unrelated to state-sponsored missions.

Let’s find out more about these attacks and the attacker group.

What Happened with Google Workspace?

In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign by the Chinese government-backed hacker group HOODOO, popularly known as APT 41. The group ran a series of #phishingcampaigns against a Taiwanese media organization, sending emails with malicious links to a password-protected file hosted on Google Drive. The payload was an open-source tool primarily used for #penetration testing by an organization's own red team.

Let’s decode the attack in a stepwise manner and find out more about this tool.

[Image] (Source: Mandiant)

Attack Workflow Employed by HOODOO, Also Known As APT 41

  • In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign by HOODOO, a Chinese government-backed attacker also known as APT41.
  • They first employed the "Living off the Island" tactic. This tactic uses legitimate tools, like Cobalt Strike and other penetration testing software, that can be obtained from public sources such as GitHub.

[Image] Cobalt Strike Software from GitHub (Source: Google Threat Horizon)

  • They carried out a spear phishing campaign to lure employees into downloading a file containing malicious code.
  • The campaign targeted a Taiwanese media organization using phishing emails that contained links to a password-protected file hosted on Google Drive.
  • The payload of the phishing emails was an open-source red teaming tool called "Google Command and Control" (GC2), which is written in the Go programming language.

[Image] Spear-phishing template developed by Threatcop's cyber attack simulation tool to depict how such an attack took place, with the malicious code injected into Google Sheets to exploit the victim's Google Drive.

(According to the project's GitHub repository, the program was developed for Red Teaming activities and requires no specific set-up, such as a custom domain, VPS, or CDN. It interacts solely with Google's domains to evade detection. The project comprises an agent deployed on compromised devices that connects to a Google Sheets URL to receive commands, allowing the agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.)

[Image] ProxyLogon Vulnerability Exploited in this Spear Phishing Attack (Source: Hackercool Magazine)

  • The GC2 tool retrieves commands from Google Sheets, likely to obfuscate the malicious activity, and exfiltrates data to Google Drive.
  • Once the #malware is installed on the victim's machine, it queries Google Sheets to obtain attacker commands.
  • In addition to exfiltration via #GoogleDrive, GC2 also enables the attacker to download additional files from Google Drive onto the victim's system.
  • This exposed the Taiwanese media company’s database to the hackers.
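Because the agent talks only to Google's own API hosts, destination-based blocking does not help; what a defender can look for is the shape of the traffic the workflow above describes: a non-browser client polling Google Sheets on a fixed cadence and pushing large uploads to Google Drive. The following proxy-log heuristic is an added example written for this article, not code from Google, Mandiant or the GC2 project. The log lines, field layout and thresholds are constructed for the example; the hostnames are Google's real API endpoints, and `Go-http-client/1.1` is the default User-Agent of Go's standard HTTP client (GC2 is written in Go), which an agent can override, so the regular polling interval is the more robust signal.

```python
"""
Added example (not from the original article or the GC2 project): a proxy-log
heuristic for an agent that polls Google Sheets for commands and uploads files
to Google Drive. Log format, field names and thresholds are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Google API hosts involved in the described workflow (real hostnames).
WATCHED_HOSTS = {"sheets.googleapis.com", "drive.googleapis.com", "www.googleapis.com"}
# Default User-Agent of Go's net/http client; interactive browsers never send it.
SUSPECT_UA = re.compile(r"^Go-http-client/")

# Constructed proxy log: timestamp, source IP, method, host, bytes_out, user-agent
SAMPLE_LOG = """\
2022-10-12T09:00:01Z 10.1.4.22 GET sheets.googleapis.com 412 Go-http-client/1.1
2022-10-12T09:00:31Z 10.1.4.22 GET sheets.googleapis.com 412 Go-http-client/1.1
2022-10-12T09:01:01Z 10.1.4.22 GET sheets.googleapis.com 412 Go-http-client/1.1
2022-10-12T09:01:31Z 10.1.4.22 POST drive.googleapis.com 2097152 Go-http-client/1.1
2022-10-12T09:00:05Z 10.1.4.57 GET sheets.googleapis.com 1880 Mozilla/5.0 (Windows NT 10.0) Chrome/106.0
2022-10-12T09:02:10Z 10.1.4.57 GET docs.google.com 23011 Mozilla/5.0 (Windows NT 10.0) Chrome/106.0
"""


def parse_line(line):
    """Split one constructed log line; the user-agent may contain spaces."""
    ts, src, method, host, nbytes, ua = line.split(maxsplit=5)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "src": src, "method": method, "host": host,
        "bytes": int(nbytes), "ua": ua,
    }


def analyze(log_text, min_polls=3, max_jitter_s=5.0, upload_threshold=1_000_000):
    """Return {source_ip: finding} for hosts showing GC2-style Sheets/Drive use."""
    per_src = defaultdict(lambda: {"sheet_polls": [], "drive_upload_bytes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        # Only non-browser clients hitting the Google API hosts are of interest.
        if rec["host"] not in WATCHED_HOSTS or not SUSPECT_UA.match(rec["ua"]):
            continue
        bucket = per_src[rec["src"]]
        if rec["host"] == "sheets.googleapis.com" and rec["method"] == "GET":
            bucket["sheet_polls"].append(rec["ts"])          # command polling
        elif rec["host"] == "drive.googleapis.com" and rec["method"] == "POST":
            bucket["drive_upload_bytes"] += rec["bytes"]      # possible exfiltration

    alerts = {}
    for src, b in per_src.items():
        polls = sorted(b["sheet_polls"])
        gaps = [(t2 - t1).total_seconds() for t1, t2 in zip(polls, polls[1:])]
        # A beacon polls on a near-constant interval; humans do not.
        regular = len(polls) >= max(min_polls, 2) and (max(gaps) - min(gaps)) <= max_jitter_s
        big_upload = b["drive_upload_bytes"] >= upload_threshold
        if regular or big_upload:
            reasons = []
            if regular:
                reasons.append("regular Sheets polling by non-browser client")
            if big_upload:
                reasons.append("large Drive upload by non-browser client")
            alerts[src] = {
                "sheet_polls": len(polls),
                "poll_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
                "drive_upload_bytes": b["drive_upload_bytes"],
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG).items():
        print(src, finding)
```

In the constructed log, 10.1.4.22 polls Sheets every 30 seconds with the Go client and then posts 2 MB to Drive, so it is flagged on both counts, while 10.1.4.57 is an ordinary Chrome user of Google Docs and is ignored. In production the same logic would run over TLS-inspecting proxy or EDR network telemetry, and the User-Agent match should be treated as one weak indicator among several rather than a requirement.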

[Image] Attack Workflow (Source: Google)

Google Cloud's head of threat intelligence, Christopher Porter, suggests that state-sponsored cyber threat actors may use cybercriminals' tactics to target systems. APT41 has shifted to using lesser-known red teaming tools, such as Brute Ratel and Sliver, to evade detection. Additionally, the group has targeted Taiwanese media and continues to target private sector organizations with limited government ties. APT41 uses trusted domain names and cloud services for stealth and legitimacy while targeting various sectors to steal intellectual property and political intelligence.

Trends in Chinese-Backed Cybercriminal Groups

Increased Use of Publicly Available Tools

Chinese APT groups are shifting towards using publicly available tools, such as Cobalt Strike and other "pentest" software that can be purchased or found on sites like GitHub, instead of developing their own custom tools. The use of GC2 by HOODOO in the targeted campaign is an example of this trend.

Proliferation of Go Programming Language

There has been a continued expansion in the use of tools written in the Go programming language by Chinese-affiliated threat actors. The flexibility and convenience of the Go language for adding and removing module components are likely driving this trend.

Targeting of Private Sector Organizations with Limited Government Ties

The targeting of Taiwanese media by Chinese-backed cybercriminals highlights the continued overlap between state-backed threat actors and private sector organizations with limited government ties. This trend indicates that these threat actors are expanding their scope beyond traditional government targets.

[Image] Timeline of Industries Targeted by APT 41 (Source: Mandiant)

Who is the APT41 Group?

China-linked advanced persistent threat (APT) group APT41, also known as HOODOO, Winnti, and Bronze Atlas, has shifted its tactics and is now utilizing an open source red-teaming tool, Google Command and Control (GC2), in targeted cyber espionage attacks. APT41 had previously used GC2 in July of the previous year to target an Italian job search website. This shift in tactics by APT41 highlights several trends by China-affiliated threat actors.

Most Common TTP (Tactics, Techniques, and Procedures) Employed by APT 41

APT41 gains initial access through spear phishing with malicious attachments, watering holes, and supply chain attacks. They establish footholds using public and private malware, then escalate privileges using custom tools to obtain credentials. The group performs internal #reconnaissance with compromised credentials and moves laterally using Remote Desktop Protocol (#RDP), stolen credentials, additions to admin groups, and brute-forcing utilities. APT41 maintains its presence through backdoors, and once the mission is complete, it creates a RAR archive for exfiltration and removes evidence. Here are some software tools used by APT 41 (sourced from the Department of Health and Human Services of the United States):

  • BLACK COFFEE: A multi-use tool that can serve as a reverse shell, for enumeration and deletion, and for C2 communications and obfuscation.
  • China Chopper: A web shell that provides access to an enterprise network.
  • Cobalt Strike: A commercial tool that allows attackers to drop payloads.
  • Gh0st Rat: A remote access tool (RAT).
  • Mimikatz: A credential dumper for obtaining plaintext Windows account information.
  • PlugX: A RAT with modular plugins.
  • ShadowPad: A modular backdoor frequently used in C2 communications.
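Two of the TTPs listed above leave clear traces in standard Windows telemetry: additions to admin groups appear as Security events 4732 (member added to a security-enabled local group) and 4728 (global group), and the RAR staging step appears as a process-creation record (Sysmon event 1) for `rar.exe`. The detection below is an added example for this article, not code from any of the vendors cited; the event records are constructed, simplified dicts whose field names follow the Windows event schemas, and the well-known SIDs (`S-1-5-32-544` for Administrators, `S-1-5-32-555` for Remote Desktop Users) are real.

```python
"""
Added example (not from the article or any cited vendor): detections over
constructed Windows telemetry for two APT41 TTPs named in the text, privileged
group additions (Security 4732/4728) and RAR archive staging (Sysmon event 1).
"""
import re

# Well-known local group SIDs whose membership changes deserve review.
ADMIN_GROUP_SIDS = {
    "S-1-5-32-544": "Administrators",        # builtin local Administrators
    "S-1-5-32-555": "Remote Desktop Users",  # grants RDP logon, used for lateral movement
}
GROUP_ADD_EVENTS = {4732, 4728}  # local / global security group member added

# "rar.exe a ..." (add to archive); "-p" / "-hp" switches mean a password-protected archive.
RAR_CMD = re.compile(r'(?:^|\\)(?:rar|winrar)\.exe"?\s+a\b', re.IGNORECASE)
PASSWORD_SWITCH = re.compile(r"\s-h?p\S*", re.IGNORECASE)

# Constructed events; hostnames, users and paths are invented for the example.
SAMPLE_EVENTS = [
    {"EventID": 4732, "Computer": "FS01", "SubjectUserName": "svc_backup",
     "MemberName": "CORP\\jdoe", "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544"},
    {"EventID": 4732, "Computer": "FS01", "SubjectUserName": "ITAdmin",
     "MemberName": "CORP\\printsvc", "TargetUserName": "Print Operators", "TargetSid": "S-1-5-32-550"},
    {"EventID": 1, "Computer": "WS-0042", "User": "CORP\\jdoe",
     "Image": "C:\\Program Files\\WinRAR\\Rar.exe",
     "CommandLine": "Rar.exe a -hpExamplePass C:\\ProgramData\\1.rar C:\\Users\\jdoe\\Documents\\*.docx"},
    {"EventID": 1, "Computer": "WS-0042", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "explorer.exe"},
]


def detect_admin_group_add(ev):
    """Flag a member being added to a privileged local/global group."""
    if ev.get("EventID") not in GROUP_ADD_EVENTS:
        return None
    group = ADMIN_GROUP_SIDS.get(ev.get("TargetSid"))
    if group is None:
        return None  # other groups (e.g. Print Operators) are not in scope here
    return {"rule": "privileged-group-add", "host": ev["Computer"], "group": group,
            "member": ev["MemberName"], "by": ev["SubjectUserName"]}


def detect_rar_staging(ev):
    """Flag rar.exe creating an archive; note whether it is password-protected."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if not RAR_CMD.search(cmd):
        return None
    return {"rule": "rar-archive-staging", "host": ev["Computer"], "user": ev["User"],
            "encrypted": bool(PASSWORD_SWITCH.search(cmd)), "command": cmd}


def run(events):
    """Apply both detections to a stream of event dicts and collect the hits."""
    alerts = []
    for ev in events:
        for detect in (detect_admin_group_add, detect_rar_staging):
            hit = detect(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

On the constructed events this yields two alerts: `jdoe` being added to the local Administrators group on FS01 by a service account, and `jdoe` then building a password-protected archive of Documents under ProgramData on WS-0042. Correlating the two on the same user within a short window is what turns individually noisy signals into a credible exfiltration-staging lead; the Print Operators change and the plain Explorer launch are ignored.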

[Image] Countries and Regions Targeted by the APT 41 Hacker Group (Source: Group-IB)

Cloud Services are a Necessity, And So Is Employee Awareness

It is important to note that employee awareness is crucial in preventing cyber attacks. With the rise of cloud-based services, cybercriminals are exploiting vulnerabilities in these services through spear phishing attacks and other social engineering tactics. In addition to spear phishing attacks, there are many other tactics that cybercriminals use to gain access to sensitive data. For example, recent statistics show that credential stuffing attacks have increased by 400% in the past year.

Employee awareness is not just about preventing cyber attacks but also about maintaining the trust of customers and stakeholders. A recent survey found that 78% of consumers would stop engaging with a business if their data was compromised. By prioritizing employee awareness and taking proactive measures to protect sensitive data, organizations can avoid the reputational damage and financial losses that result from successful cyber attacks.
