We will be happy to advise you!

Hotline:
+49 (0) 40 38 90 710

E-mail:
info@secion.de

Contact form

Chinese hacker group APT41 misuses Google Command and Control (GC2) tool for attacks

by

Image source: Google

Reading time: minutes ( words)
Google experts warn of cyberattacks by Chinese hacking group APT41

Google experts warn that the state-sponsored Chinese hacking group APT41 is misusing the Google Command and Control (GC2) tool. Attacks on Taiwanese media companies and an unnamed Italian recruitment company are known. Google Command and Control is an open-source program written in the Go programming language that was developed to simulate attacks and is used in Red Teaming.

APT 41 (also known as HOODOO) is a Chinese state-sponsored hacking group known for attacking a variety of industries in the US, Asia and Europe. In the past, their activities have been found to overlap with those of other well-known Chinese hacker groups such as BARIUM and Winnti.

GC2 designed for red-team operations

Google Command and Control is designed to provide management and control during a Red Team operation that does not require any specific configuration (e.g. custom domain, VPS, CDN, etc.). The programme interacts exclusively with Google domains (*.google.com) to make it difficult to expose.  

GC2 should only be used by legitimate security professionals and Red Teams, with the goal of identifying and fixing vulnerabilities in systems.

Mode of operation: GC2 is installed as an agent on compromised devices. It allows an attacker to execute commands via Google Sheet on the target machine and install, download additional payloads from Google Drive or exfiltrate stolen data into the cloud storage service.


Source: Google

GC2 abused for attacks - and foiled

Although it is not known what malware was distributed in these attacks, the APT41 group is known to install a variety of malware on compromised systems, including rootkits, bootkits, Winnti malware, backdoors, Cobalt Strike or point-of-sale malware, in short tools commonly used by Chinese hacker groups.

Switching to legitimate tools

The use of GC2 by APT41 is another indicator of the trend for hacker groups to use legitimate, freely available and open-source tools and remote monitoring and management (RMM) platforms in their attacks to make attribution more difficult.

One reason for this is that Cobalt Strike is becoming easier to spot in attack patterns.

Conclusion:

Companies should therefore remain vigilant and ensure the necessary awareness and targeted monitoring of their environment. Test your detection strategies and response processes.

Need help upgrading your IT security for 2023? Contact us!

By clicking on the "Submit" button, you confirm that you have read our privacy policy. You give your consent to the use of your personal data for the purpose of contacting you by Allgeier secion, Zweigniederlassung der Allgeier CyRis GmbH.

* Mandatory field

Go back

Related articles

QakBot malware: Warning of increasing attacks

Warning of rising attacks with QakBot malware

For several days now, there has been a strong accumulation of successful compromises by the "QakBot" malware (also known as "QBot" and "QuackBot") worldwide. We have also already identified successful attacks as part of our ACD monitoring. After infection, criminals can gain access to online banking accounts, leak user data, and reload further malware. As one measure to mitigate the risk, we urgently recommend adjustments to the Group Policy Objects (GPO).

New ransomware trend: Why criminals increasingly rely on intermittent encryption

Intermittent encryption: the new ransomware trend

Cybercriminals are true masters at constantly adapting their attack mechanisms to effective IT security measures. New tools and iterative changes to existing malware are used to mercilessly exploit security vulnerabilities. Among the numerous threats, ransomware stands out as one of the biggest. More and more companies have to face extortion Trojans. A completely new threat called LockFile now relies on intermittent encryption. LockFile not only encrypts much faster than previous ransomware, but also bypasses security solutions that work reliably. This article shows why criminals are increasingly relying on intermittent encryption and how companies should react to the new threat.

secion's assessment of the security threats to companies following the outbreak of the war in Ukraine

How the Ukraine war affects corporate IT security

Due to the war in Ukraine, secion provides an assessment of the threat situation for companies and examines the question of whether increased Russian attacks on companies in Germany, Austria and Switzerland can be identified. There is currently no evidence of an acute increase in the threat posed by Russian state actors in Western Europe, but there is increased public awareness of these cyberattacks. In addition, "third-party actors" are creating a new dynamic.