TOUGHPROGRESS Malware
Researchers have uncovered that the Chinese state-sponsored threat actor APT41 is leveraging a newly identified malware called TOUGHPROGRESS. This sophisticated malware uses Google Calendar as a Command-and-Control (C2) channel, allowing APT41 to blend malicious activity with legitimate traffic.
The Discovery of a Stealthy Campaign
The activity was first detected in late October 2024, with TOUGHPROGRESS hosted on a compromised government website. It was specifically deployed to target other government entities, taking advantage of cloud services to mask its operations and evade detection.
APT41: A Familiar Foe
APT41, also tracked as Axiom, Blackfly, Brass Typhoon (formerly Barium), Bronze Atlas, Earth Baku, HOODOO, RedGolf, Red Kelpie, TA415, Wicked Panda, and Winnti, is a notorious nation-state group known for its attacks on the global shipping, logistics, media, technology and automotive sectors.
In July 2024, APT41 targeted multiple organizations in Italy, Spain, Taiwan, Thailand, Turkey, and the U.K. using a combination of Web shells and droppers like ANTSWORD, BLUEBEAM, DUSTPAN and DUSTTRAP. Earlier, in March 2024, a subgroup within APT41 targeted Japanese companies in manufacturing, materials, and energy sectors as part of a campaign known as RevivalStone.
A Deceptive Attack Chain
The latest documented attack chain begins with spear-phishing emails delivering a link to a ZIP archive hosted on the compromised government site. Inside the ZIP file is a directory and a Windows shortcut (LNK) disguised as a PDF document. The directory appears to contain seven images of arthropods ('1.jpg' to '7.jpg').
The infection starts when the victim clicks the LNK, which opens a decoy PDF claiming that the species listed must be declared for export. However, '6.jpg' and '7.jpg' are not images at all: '6.jpg' is an encrypted payload, and '7.jpg' is a DLL that executes when the LNK is activated and decrypts that payload. The malware uses stealth tactics like memory-only payloads, encryption, compression, and control flow obfuscation to avoid detection.
The Three Stages of Malware Deployment
The malware consists of three distinct components, each performing a crucial role:
- PLUSDROP: A DLL that decrypts and executes the next stage in memory.
- PLUSINJECT: Conducts process hollowing on a legitimate 'svchost.exe' process to inject the final payload.
- TOUGHPROGRESS: The main malware, which leverages Google Calendar for C2.
Exploiting Google Calendar for Command and Control
TOUGHPROGRESS interacts with an attacker-controlled Google Calendar to read and write events, storing harvested data in event descriptions as zero-minute events set to a hard-coded date (2023-05-30). Encrypted commands placed in Calendar events dated July 30 and 31, 2023, are polled by the malware, decrypted, and executed on the compromised host. The results are written back to the Calendar for the attackers to retrieve.
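As an added illustration (not code from the researchers' report), the following triage script scans exported Google Calendar event records for the pattern described above: zero-minute events carrying a description, opaque encoded descriptions, and either of those landing on the hard-coded dates. The event records are constructed samples in the Google Calendar API's JSON shape, and the encoded-token regex and minimum length are assumed thresholds.

```python
import json
import re
from datetime import datetime

# Dates the report describes as hard-coded into TOUGHPROGRESS's Calendar use.
HARDCODED_DATES = {"2023-05-30", "2023-07-30", "2023-07-31"}
# Assumed heuristic: a description that is a single base64-alphabet token with
# no whitespace is treated as an opaque encoded blob rather than human text.
ENCODED_BLOB = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")

# Constructed sample export (Google Calendar API event shape); not real data.
SAMPLE_EVENTS = json.loads("""[
 {"id": "e1", "summary": "Team sync", "description": "Weekly status meeting",
  "start": {"dateTime": "2023-05-30T09:00:00Z"}, "end": {"dateTime": "2023-05-30T09:30:00Z"}},
 {"id": "e2", "summary": "", "description": "Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MGFiY2RlZg==",
  "start": {"dateTime": "2023-05-30T00:00:00Z"}, "end": {"dateTime": "2023-05-30T00:00:00Z"}},
 {"id": "e3", "summary": "x", "description": "dXBkYXRlIGNvbmZpZyBhbmQgcmVwb3J0IGJhY2s=",
  "start": {"dateTime": "2023-07-31T12:00:00Z"}, "end": {"dateTime": "2023-07-31T12:05:00Z"}},
 {"id": "e4", "summary": "Dentist", "description": "Dentist appointment",
  "start": {"dateTime": "2024-01-15T10:00:00Z"}, "end": {"dateTime": "2024-01-15T11:00:00Z"}},
 {"id": "e5", "summary": "Reminder", "description": "",
  "start": {"dateTime": "2024-02-01T08:00:00Z"}, "end": {"dateTime": "2024-02-01T08:00:00Z"}}
]""")


def _ts(field):
    """Parse a start/end field: timed events use dateTime, all-day events use date."""
    if "dateTime" in field:
        return datetime.fromisoformat(field["dateTime"].replace("Z", "+00:00"))
    return datetime.fromisoformat(field["date"])


def triage_events(events):
    """Return {event_id: [reasons]} for events matching the reported C2 pattern.

    Zero-minute events with a description and encoded-looking descriptions are
    flagged on their own; the hard-coded date is recorded as a further reason.
    Legitimate zero-minute reminders with notes will also surface, so treat the
    output as a hunting lead to review, not a verdict.
    """
    findings = {}
    for ev in events:
        reasons = []
        start, end = _ts(ev["start"]), _ts(ev["end"])
        desc = (ev.get("description") or "").strip()
        if start == end and desc:
            reasons.append("zero-minute event carrying a description")
        if ENCODED_BLOB.match(desc):
            reasons.append("description is a single opaque encoded token")
        if reasons and start.date().isoformat() in HARDCODED_DATES:
            reasons.append(f"falls on hard-coded date {start.date()}")
        if reasons:
            findings[ev["id"]] = reasons
    return findings
```

Running `triage_events(SAMPLE_EVENTS)` flags e2 (all three reasons) and e3 (encoded token on a hard-coded date) while leaving the ordinary meetings and the empty reminder alone.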
Google Takes Action
Google has intervened by removing the fraudulent Google Calendar and terminating associated Workspace projects, effectively dismantling this malicious infrastructure. Affected organizations have been alerted, but the full extent of the campaign remains unknown.
APT41’s History of Cloud Abuse
This incident isn't the first time APT41 has manipulated Google's services for malicious purposes. In April 2023, APT41 targeted a Taiwanese media organization, delivering the Google Command and Control (GC2) tool via password-protected files on Google Drive. Once deployed, GC2 allowed attackers to read commands from Google Sheets and exfiltrate data using Google Drive.