Cybercriminals have added another legitimate tool to their arsenal, security researchers are warning – but this time around, it’s a leading open source project from Google that’s being abused.
Cybersecurity researchers from Google’s Threat Analysis Group (TAG) recently revealed (opens in new tab) that Chinese state-sponsored threat actor known as APT41 is using the Google Command and Control (GC2) red teaming tool as they assault organizations around the world.
TAG usually investigates state-sponsored actors, and ATP41 is a known threat actor which we’ve been reporting on for the past three years. Apparently, it has been active since 2014, and in that time, different cybersecurity research groups gave it different names: HOODOO, BARIUM, Winnti, BlackFly, and others.
China strikes again
GC2 is Google’s open source project designed for red teaming activities. Red teaming refers to the practice of challenging plans and systems in a way a threat actor would do it. By red teaming systems, organizations can work past cognitive mistakes such as confirmation bias which can often leave gaping holes in their cybersecurity defenses.
“This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, …) during Red Teaming activities,” it says in GC2’s GitHub repository.
“Furthermore, the program will interact only with Google’s domains (*.google.com) to make detection more difficult.”
As per TAG, APT41 used GC2 during phishing attacks against two targets, one of which is a media company in Taiwan.
“In October 2022, Google’s Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive,” the company’s report claims.
“The payload was an open source red teaming tool called “Google Command and Control” (GC2).”
The second target was a job search website from Italy. The researchers claim APT 41 tried to use the tool to deploy additional malware to target endpoints (opens in new tab), without detailing which malware, exactly.
Via: BleepingComputer (opens in new tab)