Google Discloses Use of APT41 Open Source GC2 Tool to Target Media and Job Sites
China’s nation-state group targeted an unnamed Taiwanese media organization for delivering an open-source red cooperation tool known as Google Command and Control (GC2) amid the broader misuse of Google’s infrastructure for nefarious purposes.
The tech giant’s Threat Analysis Group (TAG) linked the campaign to the threat actors it tracks under the geological and geographic themed moniker. UNLUCKYwhich is also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti.
The starting point of the attack was a phishing email containing a link to a password protected file hosted on Google Drive, which, in turn, incorporated the GC2 tool to read commands from Google Sheets and extract data using cloud storage services.
“Once installed on the victim’s machine, the malware asks Google Sheets to get the attacker’s commands,” Google’s cloud division said said in its sixth Threat Horizon Report. “In addition to exfiltration through the Drive, GC2 allows an attacker to download additional files from the Drive onto the victim’s system.”
Google said a previous threat actor used the same malware in July 2022 to target an Italian job search site.
This development is important for two reasons: First, it shows that Chinese threat groups are increasingly relying on publicly available tools like Cobalt Strike and GC2 to undermine attribution efforts.
Second, it also demonstrates the increasing adoption of malware and tools written in the Go programming language, due to its cross-platform compatibility and modular nature.
Google further warns that the “undeniable value of cloud services” has made them lucrative targets for cybercriminals and government-backed actors, “whether as hosts for malware or providing infrastructure for command-and-control (C2).”
Master the Art of Dark Web Intelligence Gathering
Learn the art of extracting threat intelligence from the dark web – Join this expert-led webinar!
Case in point is the use of Google Drive to store malware like Ursnif (aka Gozi) and DICELOADER (aka Lizar or Tirion) in the form of ZIP archive files as part of a different phishing campaign.
“The most common vector used to compromise any network, including cloud instances, is directly appropriating account credentials: either because there is no password, as some default configurations do, or because credentials have been leaked or recycled or are generally very weak. predictable,” said Christopher Porter of Google Cloud.
The findings come three months after Google Cloud detailed APT10 (aka Bronze Riverside, Cicada, Potassium, or Stone Panda) that targets cloud infrastructure and VPN technology to penetrate enterprise environments and extract data of interest.