The advanced persistent threat known as APT41 has pressed into service an open source, red-teaming tool, Google Command and Control (GC2), for use in cyber espionage attacks marking a shift in its tactics.
According to the Google Threat Analysis Group (TAG) team, the APT41 group, also known as HOODOO, Winnti, and Bronze Atlas, recently targeted a Taiwanese media organization with phishing emails which contained links to a password protected file hosted in Drive.
When the file was opened, it fetched the GC2 payload. As detailed in the TAG April Threat Horizons report, this tool gets its commands from Google Sheets, most likely to hide the malicious activity, and exfiltrates data to Google Drive. The GC2 tool also enables the attacker to download additional files from Drive on to the victim's system.
APT41 also previously used GC2 last July to target an Italian job search website, according to TAG.
TAG researchers noted that incidents such as this highlight several trends by China-affiliated threat actors, such as using publicly available tooling, the proliferation of tools written in the Go programming language, and the targeting of Taiwanese media.
Using Publicly Available Tools
Chinese APT groups have increasingly used publicly available (and legitimate) tools such as Cobalt Strike and other penetration testing software, which is available on sites like GitHub; there's also been a shift to using lesser-known red teaming tools such as Brute Ratel and Sliver to evade detection during their attacks.
The use of such "living off the land" tactics is well known in financially motivated cyberattackers, but less so among APTs that are better resourced and can develop custom tools. Yet Christopher Porter, head of threat intelligence for Google Cloud, said in the report that it is "only prudent to consider that state-sponsored cyber threat actors may steal from the playbooks of cybercriminals to target such systems."
He adds, "A familiar domain name disarms many of the natural defenses we all have when viewing a suspicious email, and the degree to which it is trusted will often be hard coded into security systems screening for spam or malware,” he says. He also flagged the use of cloud services for stealth and legitimacy: "Cloud providers are useful targets for these kinds of operations, either as hosts for malware or providing the infrastructure for command-and-control."
Who Is APT41?
The group's activities illustrate the "continued overlap of public sector threat actors targeting private sector organizations with limited government ties," according to the TAG analysis.
Last year the same group was discovered deploying the Spyder Loader malware as part of an ongoing campaign to gather intelligence information on government organizations in Hong Kong, as well as targeting multiple US government agencies using the Log4j vulnerability.
Bronze Atlas is "one of the most prolific groups we have been tracking for a long time," says Marc Burnard, senior security researcher for Secureworks' Counter Threat Unit, having tracked it since at least 2007. And during that time, the group "has been very prolific," he says.
Burnard says APT41 has gone after a range of targets, including government, healthcare, high-tech manufacturing, telcos, aviation, non-governmental organizations (NGOs), and targets in line with China's political and economic interests.
"They are primarily focused on stealing intellectual property, and they have also been involved in targeting political intelligence as well," he notes.
Asked why this particular Taiwanese media company would be targeted, Burnard admits there could be several reasons, including the China-Taiwan political situation, a goal of using the victim to target other organizations and individuals, or there could be a "destructive element" too.
APT41 Quiets Down Its Wall of Noise
As mentioned, the TAG report found that the attackers sent phishing emails to the victim containing links to legitimate cloud services in order to avoid detection — links to a trusted cloud service don't set off email filters. Burnard points out that this is part of a style change for the group, as up until the last few years it was quite noisy in its attacks, and not too worried about the activity being detected.
However, since the 2020 indictment of seven alleged cybercriminals, which reportedly included members of APT41, the activity has been more stealthy and Burnard says the APT is now moving towards using legitimate tools like Cobalt Strike, and towards cloud services, to hide their intent and activity.