A Chinese state-sponsored group targeted an unnamed Taiwanese media organization with an open-source red teaming tool known as Google Command and Control (GC2), as part of a broader pattern of abuse of Google's infrastructure for malicious purposes.
Google's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks under the geological and geographically themed moniker HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda and Winnti.
The attack starts with a phishing email containing a link to a password-protected file hosted on Google Drive. The file carries the GC2 tool, which reads its commands from Google Sheets and uses cloud storage services to exfiltrate data.
"After installation on the victim machine, the malware queries Google Sheets to obtain attacker commands," Google's cloud division said in its 6th annual Threat Horizon Report. "In addition to exfiltration via Drive, GC2 enables the attacker to download additional files from Drive onto the victim system."
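Because GC2's command channel and file transfers ride on legitimate Google APIs, network-level blocking is not practical and defenders instead have to look at which process is talking to those APIs and how. The Python below is an added illustration, not code from the report or from GC2: it scans constructed endpoint telemetry for a non-browser process polling the Sheets API on a steady cadence and then reaching the Drive API. The host names, process names, record format and client allow-list are all assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Processes expected to talk to Google APIs; assumed list, tune per environment.
KNOWN_GOOGLE_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "googledrivefs.exe"}
SHEETS_HOST = "sheets.googleapis.com"
DRIVE_HOST = "www.googleapis.com"  # Drive file download/upload API endpoint
def parse(line):
    """Parse one constructed telemetry record: 'ISO-timestamp host process dest_host'."""
    ts, host, proc, dest = line.split()
    return datetime.fromisoformat(ts), host, proc.lower(), dest.lower()

def find_gc2_like_beacons(lines, min_polls=4, max_jitter_s=15.0):
    """Return {(host, process): summary} for non-browser processes that poll the Sheets
    API at a steady cadence, noting whether the same process also reached the Drive API."""
    sheets, drive = defaultdict(list), set()
    for ln in lines:
        ts, host, proc, dest = parse(ln)
        if proc in KNOWN_GOOGLE_CLIENTS:
            continue  # browsers and the Drive client are expected to hit these hosts
        if dest == SHEETS_HOST:
            sheets[(host, proc)].append(ts)
        elif dest == DRIVE_HOST:
            drive.add((host, proc))
    hits = {}
    for key, stamps in sheets.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_s:  # low jitter between polls points to a beacon loop
            hits[key] = {"polls": len(stamps), "interval_s": round(sum(gaps) / len(gaps)),
                         "drive_transfer": key in drive}
    return hits

# Constructed sample telemetry: a steady poller that also reaches Drive, a browser,
# and an irregular non-browser process that should not be flagged.
SAMPLE_LOG = [
    "2023-04-17T09:00:00 WS-07 update.exe sheets.googleapis.com",
    "2023-04-17T09:01:00 WS-07 update.exe sheets.googleapis.com",
    "2023-04-17T09:02:00 WS-07 update.exe sheets.googleapis.com",
    "2023-04-17T09:03:00 WS-07 update.exe sheets.googleapis.com",
    "2023-04-17T09:03:30 WS-07 update.exe www.googleapis.com",
    "2023-04-17T09:00:10 WS-12 chrome.exe sheets.googleapis.com",
    "2023-04-17T09:07:00 WS-03 report.exe sheets.googleapis.com",
    "2023-04-17T09:40:00 WS-03 report.exe sheets.googleapis.com",
    "2023-04-17T10:02:00 WS-03 report.exe sheets.googleapis.com",
    "2023-04-17T10:03:00 WS-03 report.exe sheets.googleapis.com",
]
```

Running `find_gc2_like_beacons(SAMPLE_LOG)` flags only `update.exe` on WS-07 (four polls a minute apart, followed by a Drive transfer); the browser is allow-listed and the irregular `report.exe` fails the jitter check.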
According to Google, attackers used the same malware to target an Italian job search site in July 2022.
This development is notable for two reasons. First, it suggests that Chinese threat groups are increasingly relying on publicly available tools such as Cobalt Strike and GC2 to frustrate attribution efforts.
Second, it highlights the growing adoption of malware and tools written in the Go programming language, owing to its cross-platform compatibility and modularity.
Google further warned that the "undeniable value of cloud services" has made them a lucrative target for cybercriminals and government-backed actors, "as a host for malware or as a provider of command and control (C2) infrastructure."
A case in point is the use of Google Drive to host malware such as Ursnif (aka Gozi) and DICELOADER (aka Lizar or Tirion), packaged as ZIP archives, as part of various phishing campaigns.
"The most common vector used to compromise networks, including cloud instances, is to take over account credentials directly, either because there are no passwords, as in some default configurations, or because credentials have been leaked or compromised, reused, or are generally so weak that they can be guessed," said Christopher Porter of Google Cloud.
The findings come three months after Google Cloud disclosed details of APT10 (also known as Bronze Riverside, Cicada, Potassium, and Stone Panda) targeting cloud infrastructure and VPN technology to compromise enterprise environments and steal data of interest.