2023-04-18

A Chinese nation-state group has targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2), amid wider abuse of Google’s infrastructure for malicious purposes.

GC2: what it is and how it has been used

The tech company’s Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks, following its geological and geographical naming theme, as HOODOO, which is also known as APT41 (which we have already covered here), Barium, Bronze Atlas, Wicked Panda and Winnti.

The attack begins with a phishing email containing links to a password-protected file hosted on Google Drive, which in turn contains the GC2 tool; once running, GC2 reads its commands from Google Sheets and exfiltrates data through the same cloud storage service.

“After installing on the victim’s machine, the malware queries Google Sheets to obtain the attacker’s commands,” Google’s cloud division stated in its sixth Threat Horizons Report. “In addition to exfiltration via Drive, GC2 allows the attacker to download additional files from Drive onto the victim’s system.”
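The tradecraft described above (tasking pulled from Google Sheets, data pushed to Google Drive) hides inside traffic that most networks allow. As an added illustration that is not code from the article or from Google’s report, the Python below shows one defender-side check: scanning per-process egress records for processes that are not browsers or sanctioned sync clients yet talk to the Google API endpoints, then flagging repeated Sheets polling and large Drive uploads. The log format, the process allow-list and the sample lines are constructed for this example; the `*.googleapis.com` hostnames are Google’s real public API endpoints.

```python
"""Heuristic detection of GC2-style abuse of Google Sheets/Drive as C2.

Hypothetical example: the log schema (ts host= proc= dst= bytes_out=),
the process allow-list and the sample lines are all constructed here and
must be tuned to a real environment's telemetry.
"""
import re
from collections import defaultdict

# Google API hosts a Sheets/Drive-based implant would have to reach.
GOOGLE_API_HOSTS = {
    "sheets.googleapis.com",
    "drive.googleapis.com",
    "oauth2.googleapis.com",
    "www.googleapis.com",
}

# Processes expected to reach those hosts (assumption: adjust per fleet).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "drivefs.exe"}

# Bytes uploaded to Drive by one process above which we call it exfiltration.
DRIVE_EXFIL_BYTES = 1_000_000

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) bytes_out=(?P<out>\d+)$"
)

# Constructed sample egress records: a browser, a sanctioned Drive client,
# and an unknown "update.exe" that polls Sheets every 30 s and uploads 2 MB.
SAMPLE_LOGS = """\
2023-04-18T09:00:01Z host=ws-42 proc=chrome.exe dst=www.google.com bytes_out=1200
2023-04-18T09:00:05Z host=ws-42 proc=chrome.exe dst=sheets.googleapis.com bytes_out=3400
2023-04-18T09:01:10Z host=ws-42 proc=update.exe dst=oauth2.googleapis.com bytes_out=900
2023-04-18T09:01:12Z host=ws-42 proc=update.exe dst=sheets.googleapis.com bytes_out=512
2023-04-18T09:01:42Z host=ws-42 proc=update.exe dst=sheets.googleapis.com bytes_out=512
2023-04-18T09:02:12Z host=ws-42 proc=update.exe dst=sheets.googleapis.com bytes_out=512
2023-04-18T09:05:00Z host=ws-42 proc=update.exe dst=drive.googleapis.com bytes_out=2097152
2023-04-18T09:06:00Z host=ws-07 proc=drivefs.exe dst=drive.googleapis.com bytes_out=8000000
2023-04-18T09:07:00Z host=ws-07 proc=excel.exe dst=update.microsoft.com bytes_out=300
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one constructed log record; return None for malformed input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"] = int(rec["out"])
    return rec


def find_suspicious(lines, allowed=ALLOWED_PROCESSES,
                    api_hosts=GOOGLE_API_HOSTS, exfil_bytes=DRIVE_EXFIL_BYTES):
    """Return one finding per (host, process) that is not on the allow-list
    yet contacts Google API endpoints, with tasking/exfil indicators."""
    per_proc = defaultdict(
        lambda: {"api_hosts": set(), "sheets_polls": 0, "drive_bytes_out": 0}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in api_hosts:
            continue
        if rec["proc"].lower() in allowed:
            continue  # sanctioned client; not interesting for this heuristic
        entry = per_proc[(rec["host"], rec["proc"])]
        entry["api_hosts"].add(rec["dst"])
        if rec["dst"] == "sheets.googleapis.com":
            entry["sheets_polls"] += 1  # repeated reads look like tasking
        if rec["dst"] == "drive.googleapis.com":
            entry["drive_bytes_out"] += rec["out"]  # uploads look like exfil

    findings = []
    for (host, proc), e in sorted(per_proc.items()):
        indicators = ["unexpected_google_api_client"]
        if e["sheets_polls"] >= 2:
            indicators.append("sheets_tasking")
        if e["drive_bytes_out"] >= exfil_bytes:
            indicators.append("drive_exfil")
        findings.append({
            "host": host,
            "proc": proc,
            "api_hosts": sorted(e["api_hosts"]),
            "sheets_polls": e["sheets_polls"],
            "drive_bytes_out": e["drive_bytes_out"],
            "indicators": indicators,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOGS.splitlines()):
        print(f)
```

On the constructed sample the only finding is `update.exe` on `ws-42`, with three Sheets polls and a 2 MB Drive upload; the browser and the Drive sync client are ignored because they are on the allow-list. In practice the allow-list is the weak point of this heuristic (a renamed or injected-into browser process would pass), so it is best paired with the process’s binary hash or signer rather than its file name alone.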

Google said the same malware was previously used by attackers in July 2022 to target an Italian job search website.

The finding is relevant for two reasons. First, it suggests that Chinese threat groups are increasingly relying on publicly available tools like Cobalt Strike and GC2 to complicate attribution efforts.

Second, it also points to the growing adoption of malware and tools written in the Go programming language, thanks to its multi-platform compatibility and modular nature.

Google also warned that the “indisputable value of cloud services” has made them a lucrative target for cybercriminals and government-backed actors, “both as a host for malware and by providing the infrastructure for command-and-control (C2).”

One example is the use of Google Drive to host malware such as Ursnif (aka Gozi) and DICELOADER (also known as Lizar or Tirion) as ZIP archives in separate phishing campaigns.

“The most common [infection] vector used to compromise any network, including cloud instances, is to directly grab an account’s credentials: either because there is no password, as in some default configurations, or because a credential has been leaked or laundered or is so weak as to be easily guessed,” said Google Cloud’s Christopher Porter.

The findings come three months after Google Cloud described APT10 (aka Bronze Riverside, Cicada, Potassium or Stone Panda) as targeting cloud infrastructure and VPN technologies to breach corporate environments and exfiltrate data of interest.

