Hackers abuse Google Command and Control red team tool in attacks
The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media company and an Italian job search company.
APT41, also known as HOODOO, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.
In Google's April 2023 Threat Horizons Report, released last Friday, security researchers in its Threat Analysis Group (TAG) revealed that APT41 was abusing the GC2 red teaming tool in attacks.
GC2, also known as Google Command and Control, is an open-source project written in Go that was designed for red teaming activities.
"This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, ...) during Red Teaming activities," reads the project's GitHub repository.
"Furthermore, the program will interact only with Google's domains (*.google.com) to make detection more difficult."
The project consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.
These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.
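As an added example (not code from the article or the GC2 project), the following Python scores constructed web-proxy log lines for the traffic pattern this architecture implies: a non-browser process polling the Google Sheets API at a steady interval and pushing data to the Drive upload API. The log format, the browser allow-list and the Sheets/Drive API hostnames and paths are assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed web-proxy log lines (not from the article): time, host, process, destination, path
SAMPLE_LOG = """\
2022-10-03T09:00:05Z ws17 svchost.exe www.microsoft.com /
2022-10-03T09:01:00Z ws17 update.exe sheets.googleapis.com /v4/spreadsheets/SHEET1/values/A1
2022-10-03T09:02:00Z ws17 update.exe sheets.googleapis.com /v4/spreadsheets/SHEET1/values/A1
2022-10-03T09:03:00Z ws17 update.exe sheets.googleapis.com /v4/spreadsheets/SHEET1/values/A1
2022-10-03T09:03:30Z ws17 update.exe www.googleapis.com /upload/drive/v3/files
2022-10-03T09:10:00Z ws22 firefox.exe www.googleapis.com /drive/v3/files
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# Assumption: processes expected to talk to Google APIs directly; tune per environment
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Assumption: the Sheets/Drive API endpoints an agent of this kind would reach
SHEETS_HOST = "sheets.googleapis.com"
DRIVE_PATHS = ("/drive/v3/", "/upload/drive/")

def parse(log):
    """Yield (timestamp, workstation, process, dest_host, path) per well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts,) + m.groups()[1:]

def is_sheets_or_drive_api(host, path):
    return host == SHEETS_HOST or (host == "www.googleapis.com" and path.startswith(DRIVE_PATHS))

def find_suspects(log, min_hits=3, jitter=0.2):
    """Non-browser processes using Sheets/Drive APIs; flag regular polling and uploads."""
    by_key = defaultdict(list)
    for ts, ws, proc, host, path in parse(log):
        if proc.lower() in BROWSERS or not is_sheets_or_drive_api(host, path):
            continue
        by_key[(ws, proc)].append((ts, host, path))
    findings = {}
    for key, events in by_key.items():
        if len(events) < min_hits:
            continue
        polls = [ts for ts, host, _ in events if host == SHEETS_HOST]
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        # Near-constant interval between Sheets reads looks like a command check-in loop
        beacon = len(gaps) >= 2 and pstdev(gaps) <= jitter * mean(gaps)
        upload = any("/upload/" in path for _, _, path in events)
        findings[key] = {"hits": len(events), "beacon": beacon, "upload": upload}
    return findings
```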
GC2 abused in attacks
According to Google's report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent via phishing emails.
"In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive," explained the Google Threat Horizons report.
"The payload was an open source red teaming tool called 'Google Command and Control' (GC2)."
Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022.
Using the agent, Google says that the threat actors attempted to deploy additional payloads on the device and exfiltrate data to Google Drive, as illustrated in the attack workflow below.
While it is not known what malware was distributed in these attacks, APT41 is known to deploy a wide variety of malware on compromised systems.
A 2019 Mandiant report explains that the threat actors utilize rootkits, bootkits, custom malware, backdoors, Point of Sale malware, and even ransomware in an isolated incident.
The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks.
In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer], data theft, and breaches against nations worldwide.
BleepingComputer contacted Google to learn more about the payloads they saw in these attacks, but a response was not immediately available.
A shift to legitimate tools
APT41's use of GC2 is another indicator of a trend of threat actors shifting to legitimate red teaming tools and RMM platforms as part of their attacks.
While the use of Cobalt Strike in attacks has been widespread for years, it has also led to significant investments into detecting it in attacks, making it more easily spotted by defenders.
Because of this, threat actors have started to shift to other red teaming tools, such as Brute Ratel and Sliver, to evade detection during their attacks.
More recently, ransomware gangs have begun abusing the Action1 remote monitoring and management (RMM) tool for persistence on compromised networks and to execute commands, scripts, and binaries.
Unfortunately, as with any tool that can help red teamers conduct exercises or admins manage a network remotely, they can equally be abused by threat actors in their own attacks.