APT41, a hacking group sponsored by the Chinese state, conducted data theft attacks on both a Taiwanese media outlet and an Italian job search firm.
During the attacks, the group was found to be using the GC2 (Google Command and Control) red teaming tool for malicious purposes.
According to Google's Threat Analysis Group (TAG), the recent campaign was carried out by a threat actor it tracks as HOODOO, a group also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti, names with geological or geographical themes.
The Chinese state-sponsored hacking group, HOODOO (also referred to as APT41), is recognized for its targeting of a diverse range of industries in the USA, Asia, and Europe.
The attack typically begins with a phishing email containing links to a password-protected file stored on Google Drive.
This file includes the GC2 tool, which is written in Go and allows the attackers to read commands from Google Sheets and exfiltrate data using the cloud storage service.
According to the project's GitHub repository: "This program has been developed in order to provide a command and control that does not require any particular setup (a custom domain, VPS, CDN, etc.) during Red Teaming activities."
According to BleepingComputer, the project involves deploying an agent on compromised devices that connects back to a Google Sheets URL to receive commands to execute.
These commands prompt the agents to download and install additional payloads from Google Drive or to exfiltrate stolen data to the cloud storage service.
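The flow described above, an agent polling a Google Sheet for tasking and pushing stolen data to Google Drive, leaves a characteristic footprint in egress telemetry: a non-browser process contacting the Sheets API on a fixed cadence, followed by large POSTs to the Drive API from the same process. The following Python script is an added detection example written for this article, not code from Google, BleepingComputer or the GC2 project. It runs over constructed proxy log lines embedded in the script; the log format, the process names, the thresholds, and the assumption that Drive uploads appear as POSTs to the `www.googleapis.com` host are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample proxy/EDR lines (not real telemetry), one request per line:
#   timestamp host process destination_host method bytes_out
SAMPLE_LOGS = """\
2022-07-12T09:00:00Z ws-17 chrome.exe docs.google.com GET 512
2022-07-12T09:00:05Z ws-17 updater.exe sheets.googleapis.com GET 210
2022-07-12T09:00:35Z ws-17 updater.exe sheets.googleapis.com GET 211
2022-07-12T09:01:05Z ws-17 updater.exe sheets.googleapis.com GET 209
2022-07-12T09:01:35Z ws-17 updater.exe sheets.googleapis.com GET 212
2022-07-12T09:02:05Z ws-17 updater.exe sheets.googleapis.com GET 210
2022-07-12T09:02:10Z ws-17 updater.exe www.googleapis.com POST 4200000
2022-07-12T09:00:10Z ws-22 chrome.exe sheets.googleapis.com GET 1200
2022-07-12T09:07:40Z ws-22 chrome.exe sheets.googleapis.com GET 980
2022-07-12T09:30:01Z ws-22 chrome.exe www.googleapis.com POST 350000
"""

# Processes for which Google API traffic is expected (assumed allowlist).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
SHEETS_API = "sheets.googleapis.com"
DRIVE_API = "www.googleapis.com"  # assumption: Drive uploads are logged under this host


def parse(log_text):
    """Turn the whitespace-separated sample format into dicts with a parsed timestamp."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, method, nbytes = line.split()
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "proc": proc, "dest": dest,
            "method": method, "bytes": int(nbytes),
        })
    return rows


def find_sheets_beacons(rows, min_requests=4, max_jitter_s=5.0):
    """Flag (host, process) pairs polling the Sheets API at a near-constant interval.

    A human editing a spreadsheet in a browser produces irregular, bursty requests;
    an agent reading commands on a timer produces evenly spaced ones.
    """
    by_key = defaultdict(list)
    for r in rows:
        if r["dest"] == SHEETS_API and r["proc"].lower() not in BROWSERS:
            by_key[(r["host"], r["proc"])].append(r["ts"])
    findings = []
    for (host, proc), times in by_key.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter = timer-driven polling
            findings.append({
                "type": "sheets_beacon", "host": host, "proc": proc,
                "requests": len(times), "interval_s": round(sum(gaps) / len(gaps), 1),
            })
    return findings


def find_drive_uploads(rows, min_bytes=1_000_000):
    """Flag large POSTs to the Drive API from processes that are not browsers."""
    return [
        {"type": "drive_upload", "host": r["host"], "proc": r["proc"], "bytes": r["bytes"]}
        for r in rows
        if r["dest"] == DRIVE_API and r["method"] == "POST"
        and r["bytes"] >= min_bytes and r["proc"].lower() not in BROWSERS
    ]


def detect(log_text):
    """Run both checks and return the combined findings list."""
    rows = parse(log_text)
    return find_sheets_beacons(rows) + find_drive_uploads(rows)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample, the script reports the `updater.exe` process on `ws-17` twice: once for five Sheets requests exactly 30 seconds apart, and once for a 4.2 MB POST to the Drive API. The browser activity on `ws-22` is ignored by the allowlist. In practice the allowlist and thresholds need tuning per environment, and the process-name check is only a first filter, since a real agent can be named anything; correlating the two findings on the same host and process is what gives the alert its weight.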
The open-source red teaming tool, “Google Command and Control” (GC2), was used as the payload in the attacks.
In July 2022, APT41 targeted an Italian job search website using GC2, according to Google.
The attackers attempted to exfiltrate data to Google Drive and install additional payloads on the compromised device through the agent, as illustrated in the attack workflow provided by Google.
APT41’s utilization of GC2 is another example of a growing trend among threat actors to leverage legitimate red teaming tools and RMM (Remote Monitoring and Management) platforms in their attacks.