Saturday, December 13, 2025

APT Hackers Using TOUGHPROGRESS Malware to Exploit Google Calendar for C2 – Google Warns

In a new wave of sophisticated cyberattacks, Google’s Threat Intelligence Group (GTIG) has raised the alarm over a campaign orchestrated by the China-linked APT41 (also tracked as HOODOO).

The attackers use custom malware dubbed TOUGHPROGRESS, which abuses Google Calendar as its command-and-control (C2) channel so that its beacons and tasking blend into legitimate cloud traffic.

Technical Breakdown: The Attack Chain and TOUGHPROGRESS Malware Innovations

The attack begins with spear-phishing emails targeting government entities and critical industries worldwide. Victims are lured into downloading a ZIP file hosted on a compromised government website. The archive contains an LNK file disguised as a PDF and several JPG images; two of them (6.jpg and 7.jpg) are not images at all but the encrypted payload and the DLL that decrypts it.

[Figure: TOUGHPROGRESS campaign overview]

ZIP Archive Structure Example:

```text
$ unzip -l 出境海關申報清單.zip        # "Outbound customs declaration list.zip"
   Length  Name
---------  -------------------------
   181656  image/5.jpg
   997111  image/6.jpg               # encrypted payload
   124928  image/7.jpg               # DLL that decrypts the payload
    88604  申報物品清單.pdf.lnk       # malicious shortcut ("Declared items list.pdf.lnk")
---------  -------------------------
```

Upon execution:

  • The LNK kicks off a three-stage, memory-resident infection chain:
    1. PLUSDROP: a DLL that decrypts the next stage and executes it entirely in memory.
    2. PLUSINJECT: launches a legitimate svchost.exe and uses process hollowing to replace its code with the final payload.
    3. TOUGHPROGRESS: the final implant, which takes its tasking from, and reports back through, Google Calendar.

Stealth and Evasion: Deep Technical Details

TOUGHPROGRESS layers several techniques to hinder both static and dynamic analysis:

  • Memory-only Payloads: Stages are never written to disk.
  • Custom Encryption: Embedded shellcode uses a hardcoded 16-byte XOR key.
  • Process Hollowing: Injects itself into legitimate Windows processes for stealth.
  • Control Flow Obfuscation: Uses register-based indirect calls, 64-bit integer overflow, and dynamic arithmetic to mislead reverse engineers.

Obfuscated Function Dispatch Example (Python Simulation):

```python
# Simplified illustration of the overflow trick: the call target is computed at run
# time with arithmetic that wraps around the 64-bit register, so the literal operands
# in the binary never spell out the real address.
MASK64 = 0xFFFFFFFFFFFFFFFF

def resolve_target(base, delta):
    return (base + delta) & MASK64      # emulate 64-bit wraparound

func_addr = resolve_target(0xFFFFFFFFFFFFFF00, 0x200)   # wraps to 0x100
# The malware then calls through a register loaded with func_addr (e.g. `call rax`),
# so a static disassembly shows no direct call target to follow.
```

Command-and-Control Channel Using Google Calendar

TOUGHPROGRESS abuses the Google Calendar API as a covert C2 channel:

  • On compromise, it creates a zero-minute Calendar event at a hardcoded date (e.g., 2023-05-30).
  • Harvested data from the victim is encrypted and written into the event description.
  • Operator commands are published the same way, in Calendar events on other hardcoded dates (e.g., 2023-07-30 and 2023-07-31). The malware polls for these events, decrypts and executes the commands on the host, and returns the encrypted results in new events.

[Figure: TOUGHPROGRESS encryption routine for Calendar event descriptions]

TOUGHPROGRESS C2 Encryption Workflow:

  1. Compress message with LZNT1.
  2. Encrypt with a per-message 4-byte XOR key.
  3. Append this key to a 10-byte header, then encrypt the header with another hardcoded key.
  4. Prepend encrypted header to message—this blob becomes the Calendar event’s description.

C2 Pseudocode :

```python
def encrypt_message(msg, key_4b, hardcoded_key):
    compressed = compress_lznt1(msg)                 # step 1: LZNT1 compression
    encrypted_msg = xor(compressed, key_4b)          # step 2: per-message 4-byte XOR key
    header = metadata_10b + key_4b                   # step 3: append the key to the 10-byte header ...
    encrypted_header = xor(header, hardcoded_key)    #         ... and encrypt the header with the hardcoded key
    return encrypted_header + encrypted_msg          # step 4: this blob becomes the event description
```
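The four steps above carried through as a complete encoder and the matching decoder a responder would run over a recovered event description. This is an added example written for this article, not TOUGHPROGRESS code or anything from the GTIG report: the header field layout, the header key value, the base64 text encoding of the blob, and the use of zlib in place of LZNT1 are all assumptions made so that the example runs offline, and the pseudocode's placeholder helpers are replaced by real functions.

```python
import base64
import os
import struct
import zlib
from typing import Optional, Tuple

# Hardcoded key for the header. The VALUE IS ASSUMED for this example; the real key is
# embedded in the binary and is not published on this page.
HEADER_KEY = bytes.fromhex("7f3a9c51e8d20b64c7a1")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the only cipher used anywhere in the envelope."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compress(msg: bytes) -> bytes:
    # STAND-IN: the real routine uses LZNT1 (Windows RtlCompressBuffer). The Python
    # stdlib has no LZNT1 codec, so zlib keeps the example runnable; swap in an LZNT1
    # implementation when working on real samples.
    return zlib.compress(msg)


def decompress(data: bytes) -> bytes:
    return zlib.decompress(data)


def encrypt_message(msg: bytes, victim_id: int, msg_type: int,
                    key_4b: Optional[bytes] = None) -> bytes:
    """Build the blob written to the Calendar event description (steps 1-4)."""
    if key_4b is None:
        key_4b = os.urandom(4)                       # fresh per-message 4-byte key
    if len(key_4b) != 4:
        raise ValueError("per-message key must be 4 bytes")
    body = xor_bytes(compress(msg), key_4b)          # steps 1-2
    # 10-byte header; the field layout (victim id, body length, message type) is an
    # assumption made for this example, not the malware's real layout.
    header = struct.pack("<IIH", victim_id, len(body), msg_type) + key_4b   # step 3
    return xor_bytes(header, HEADER_KEY) + body      # step 4


def decrypt_message(blob: bytes) -> Tuple[dict, bytes]:
    """Inverse of encrypt_message: recover metadata and plaintext from a blob."""
    if len(blob) < 14:
        raise ValueError("blob shorter than the 14-byte encrypted header")
    header = xor_bytes(blob[:14], HEADER_KEY)
    victim_id, length, msg_type = struct.unpack("<IIH", header[:10])
    key_4b = header[10:14]                           # per-message key rides in the header
    body = blob[14:14 + length]
    if len(body) != length:
        raise ValueError("body length in header does not match blob")
    meta = {"victim_id": victim_id, "msg_type": msg_type, "key_4b": key_4b}
    return meta, decompress(xor_bytes(body, key_4b))


# Calendar descriptions are text, so the binary blob needs a text encoding. The page
# does not say which one TOUGHPROGRESS uses; base64 is ASSUMED here.
def to_event_description(blob: bytes) -> str:
    return base64.b64encode(blob).decode("ascii")


def from_event_description(desc: str) -> bytes:
    return base64.b64decode(desc, validate=True)


if __name__ == "__main__":
    beacon = b"host=WS-FIN-07;user=alice;os=Windows 10 22H2"   # constructed sample
    desc = to_event_description(encrypt_message(beacon, victim_id=0x41414141, msg_type=1))
    meta, recovered = decrypt_message(from_event_description(desc))
    print(meta, recovered)
```

The security-relevant point the decoder makes is that the whole scheme rests on two XOR keys, one of which travels inside every message and the other of which is a constant in the binary: once the header key is pulled from a sample, every event description the operator ever wrote can be decrypted offline, which is exactly what a takedown team needs.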

Google’s Incident Response and Mitigation Efforts

GTIG, in collaboration with Mandiant Consulting, has developed robust detection signatures, terminated attacker-controlled Google Workspace and Calendar infrastructure, and updated Safe Browsing blocklists. All identified malicious domains, URLs, and compromised cloud projects have been neutralized.

Key Indicators of Compromise (IOCs):

  • ZIP archives containing an LNK file masquerading as a PDF alongside JPG files that are actually payload containers
  • Google Calendar API activity from endpoints at abnormal intervals, and events of zero duration pinned to suspicious backdated dates
  • Use of free cloud hosting and URL shorteners for payload delivery (e.g., TryCloudflare, InfinityFree)
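A hunting pass that turns the Calendar IOC above into checkable logic over event records. This is an added example, not Google's detection signature: the event records are constructed inside the script to mimic the shape of Calendar API event resources (start/end dateTime, created, description), and the thresholds (a year of backdating, 5 bits per character of entropy, two traits required before an event is flagged) are assumptions a team would tune against its own tenant's data.

```python
import base64
import hashlib
import math
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of Calendar API event resources; NOT real telemetry.
# "evt-suspect-1" reproduces the TOUGHPROGRESS traits described above: a zero-minute
# event pinned to the hardcoded 2023-05-30 date, created two years later, whose
# description is an opaque blob standing in for the encrypted message.
_OPAQUE = base64.b64encode(
    b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))   # constructed filler
).decode("ascii")

SAMPLE_EVENTS = [
    {"id": "evt-normal-1", "summary": "Weekly sync",
     "description": "Agenda: roadmap review, hiring update, open questions.",
     "created": "2025-05-26T09:00:00Z",
     "start": {"dateTime": "2025-05-28T10:00:00Z"},
     "end": {"dateTime": "2025-05-28T10:30:00Z"}},
    {"id": "evt-reminder-1", "summary": "Reminder",          # benign zero-minute event
     "description": "Renew the TLS certificate for the intranet portal.",
     "created": "2025-05-27T08:00:00Z",
     "start": {"dateTime": "2025-05-29T09:00:00Z"},
     "end": {"dateTime": "2025-05-29T09:00:00Z"}},
    {"id": "evt-suspect-1", "summary": "",
     "description": _OPAQUE,
     "created": "2025-05-27T08:05:12Z",
     "start": {"dateTime": "2023-05-30T00:00:00Z"},
     "end": {"dateTime": "2023-05-30T00:00:00Z"}},
]


def _parse(ts: str) -> datetime:
    # Calendar API timestamps are RFC 3339; fromisoformat wants +00:00 rather than Z before 3.11
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def shannon_entropy(text: str) -> float:
    """Bits per character: English prose sits around 4-4.5, base64 of ciphertext near 6."""
    if not text:
        return 0.0
    counts: Dict[str, int] = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def event_duration(event: dict) -> Optional[timedelta]:
    start, end = event.get("start", {}), event.get("end", {})
    if "dateTime" in start and "dateTime" in end:
        return _parse(end["dateTime"]) - _parse(start["dateTime"])
    return None   # all-day events carry "date" instead of "dateTime"; never zero-minute


def score_event(event: dict, backdate_days: int = 365,
                entropy_threshold: float = 5.0) -> List[str]:
    """Return the TOUGHPROGRESS-like traits this event exhibits."""
    reasons: List[str] = []
    duration = event_duration(event)
    if duration == timedelta(0):
        reasons.append("zero-minute event")
    if duration is not None:
        gap = _parse(event["created"]) - _parse(event["start"]["dateTime"])
        if gap > timedelta(days=backdate_days):
            reasons.append(f"created {gap.days} days after its own start date")
    desc = event.get("description") or ""
    # crude opacity test: long, no whitespace, near-uniform symbol distribution
    if len(desc) >= 64 and " " not in desc and shannon_entropy(desc) >= entropy_threshold:
        reasons.append("opaque high-entropy description")
    return reasons


def hunt(events: List[dict], min_reasons: int = 2) -> Dict[str, List[str]]:
    """Flag events showing at least min_reasons traits. One trait alone is too noisy:
    zero-minute reminders are common in ordinary calendars."""
    flagged: Dict[str, List[str]] = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= min_reasons:
            flagged[ev["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for event_id, reasons in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

Requiring two traits is what keeps the benign reminder out of the results while the backdated, opaque, zero-minute event is caught on all three; fetching the records (from the Calendar API or Workspace audit logs) is left to the reader's tooling.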

APT41’s exploitation of Google Calendar for command-and-control exemplifies the evolving threat landscape, where trusted cloud services are repurposed to bypass traditional security controls.

Google urges organizations to review their cloud activity logs, scan for associated IOCs, and employ robust endpoint detection to stay ahead of such highly creative and stealthy adversaries.
