“The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media and an Italian job search company. APT 41, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been tracking the hacking group since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti” (Bleeping Computer, 2023).

Google released details on the activity in their April 2023 Threat Horizons Report. GC2 is an open-source Command and Control project written in Go, that is designed for red teaming activities. GC2 does not require any particular set up like custom domains, VPS, or CDNs, which makes it easy to deploy. The program will only interact with Google’s domains which can make detection more difficult.

Analyst comments:
GC2 consists of an agent that must be installed on a compromised device. This in turn, will connect back to a Google Sheet which receives commands to execute. Using these commands, the agent will download and install additional payloads from Google Drive, or exfiltrate stolen data to the cloud service.

According to Google's report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent through phishing emails. "In October 2022, Google's Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive," explained the Google Threat Horizons report. Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022.

The threat actors, using GC2, were able to deploy additional payloads on an infected device to exfiltrate data back to an attacker controlled Google Drive. It is still unclear how the malware was distributed in these attacks, but APT41 is known to use just about any techniques to deliver malware on compromised systems. In the past, the group has utilized rootkits, bootkits, custom malware, backdoors, Point of Sale malware, and even ransomware. According to Bleeping Computer, The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks.

APT41 has an extensive history of high profile attacks. In 2020, the Department of Justice indicted three Chinese nationals believed to be part of APT41 for conducting supply chain attacks [CCleaner, ShadowPad, ShadowHammer], data theft, and breaches against countries worldwide. In this campaign, CCleaner, a free virus removal tools, was infected to include malware when users downloaded it from legitimate sources.

APT41's use of GC2 is another indicator of a trend of threat actors moving to legitimate red teaming tools and RMM platforms as part of their attacks. While the use of Cobalt Strike in attacks has been widespread for years, it has also led to significant investments into detecting it in attacks, making it more easily spotted by defenders. Due to this, threat actors have started to shift to other red teaming tools, such as Brute Ratel and Sliver, to evade detection during their attacks.

Mitigation:
APT41 has used various techniques for initial access:

• APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.
• APT41 has performed password brute-force attacks on the local admin account.
• APT41 has obtained and used tools such as Mimikatz, pwdump, PowerSploit, and Windows Credential Editor.
• APT41 has used hashdump, Mimikatz, and the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.
• APT41 exploited CVE-2020-10189 against Zoho ManageEngine Desktop Central, and CVE-2019-19781 to compromise Citrix Application Delivery Controllers (ADC) and gateway devices.
• APT41 leveraged the follow exploits in their operations: CVE-2012-0158, CVE-2015-1641, CVE-2017-0199, CVE-2017-11882, and CVE-2019-3396.
• APT41 compromised an online billing/payment service using VPN access between a third-party service provider and the targeted payment service.
• APT41 has used a keylogger called GEARSHIFT on a target system.
• APT41 attempted to masquerade their files as popular anti-virus software.
• APT41 has used a ransomware called Encryptor RaaS to encrypt files on the targeted systems and provide a ransom note to the user.
• APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.
• APT41 used RDP for lateral movement.

While it is currently unclear how APT41 is distributing the malware agent, users should follow phishing best practices.

• Do not open emails or download software from untrusted sources
• Do not click on links or attachments in emails that come from unknown senders
• Do not supply passwords, personal, or financial information via email to anyone (sensitive information is also used for double extortion)
• Always verify the email sender's email address, name, and domain
• Backup important files frequently and store them separately from the main system
• Protect devices using antivirus, anti-spam and anti-spyware software
• Report phishing emails to the appropriate security or I.T. staff immediately

Source: https://www.bleepingcomputer.com/ne...command-and-control-red-team-tool-in-attacks/:
PDF:
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf