APT

China-linked APT41 group spotted using open-source red teaming tool GC2

China-linked APT41 group used the open-source red teaming tool GC2 in an attack against a Taiwanese media organization.

Google Threat Analysis Group (TAG) team reported that the China-linked APT41 group used the open-source red teaming tool Google Command and Control (GC2) in an attack against an unnamed Taiwanese media organization.

The APT41 group, aka WinntiAxiom, Barium, Blackfly, HOODOO) is a China-linked cyberespionage group that has been active since at least 2007.

The attack took place in October 2022, threat actors sent phishing emails that contained links to a password-protected file hosted in Drive. The final payload was the Go-written GC2 tool that gets commands from Google Sheets and exfiltrates data to Google Drive.

“In October 2022, Google’s Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a passwordprotected file hosted in Drive.” reads the Threat Horizons April 2023 Threat Horizons Report published by Google.”The payload was an open source red teaming tool called “Google Command and Control” (GC2).”

Upon installing the malware on the target system, it queries Google Sheets to obtain attacker commands. GC2 also allows operators to download additional files from Drive onto the victim system.

Google TAG experts pointed out that the Chinese group previously used GC2 in July 2022 in an attack aimed at an Italian job search website

These incidents highlighted a few key threat trends by China-affiliated threat actors. First, as opposed to developing their own custom tools, Chinese APT groups are increasingly using publicly available tooling such as Cobalt Strike and other “pentest” software available for purchase or on sites like Github. HOODOO’s use of GC2 is an example of this trend. Second, the proliferation of tools written in the Go programming language has continued to expand, likely due to the flexibility of the Go language and its convenience for adding and removing module components. Finally, the targeting of Taiwanese media illustrates the continued overlap of public sector threat actors targeting private sector organizations with limited government ties.

The researchers highlighted some key threat trends by China-linked APT groups. First, Chinese threat actors are increasingly using publicly available tooling such as GC2 and. Second, the proliferation of tools written in the Go programming language due to the flexibility of the language that allows to develop cross-platform software. Finally, the attack against the Taiwanese media shows that attackers are also targeting private sector organizations with limited government ties.

The development is notable for two reasons: First, it suggests that Chinese threat groups are increasingly relying on publicly available tooling like Cobalt Strike and GC2 to confuse attribution efforts.

Secondly, it also points to the growing adoption of malware and tools written in the Go programming language, owing to its cross-platform compatibility and its modular nature.

The report also states that cloud services are becoming a privileged target also for nation-state actor and urges organizations to improve enterprise defenses.

“Cloud providers are useful targets for these kind of operations, either as hosts for malware or providing the infrastructure for command-and-control (C2).” continues the report.

The researchers noticed that the most common attack against networks and cloud instances is the account takeover.

“Access to service account credentials can also allow attackers to span across services such as when a GCP
service account is granted domain wide delegation authority to an organization’s Google Workspace
environment.” concludes the report that also includes mitigations.

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, APT41)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

American fast-fashion firm Hot Topic hit by credential stuffing attacks

Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…

3 hours ago

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

17 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

23 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

2 days ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

This website uses cookies.