Google Flags Cyber Espionage Campaign: TOUGHPROGRESS Malware Abuses Calendar for Stealthy C2

Google’s Threat Intelligence Group (GTIG) has identified a sophisticated malware operation attributed to APT41, also known as HOODOO, a threat actor associated with the People’s Republic of China.

The campaign, uncovered in late October 2024, involves the deployment of a novel malware family dubbed “TOUGHPROGRESS,” notable for its innovative abuse of Google Calendar as a covert channel for command and control (C2) communications.

Infection Chain

The attack begins with a targeted spear-phishing email campaign in which the actors sent links to a ZIP archive hosted on a compromised government website.

The archive includes a disguised LNK file and a directory filled with apparent image files.

Figure: TOUGHPROGRESS campaign overview

However, two of these files, “6.jpg” (an encrypted payload) and “7.jpg” (a DLL acting as the loader), serve a dual purpose: after execution through the LNK file, the loader decrypts and runs the payload in memory, all while displaying a benign PDF decoy to distract the user.

TOUGHPROGRESS follows a modular infection chain involving three stages: PLUSDROP, PLUSINJECT, and the final TOUGHPROGRESS payload.

The first module, PLUSDROP, decrypts and loads the subsequent stage in memory, while PLUSINJECT leverages process hollowing by injecting the main payload into a legitimate Windows svchost.exe process.

This highly evasive approach utilizes memory-only payloads, layered encryption, compression, and advanced process obfuscation, complicating detection and analysis.

At its core, TOUGHPROGRESS employs sophisticated technical measures to evade analysis and resist reverse engineering.

The malware uses a hardcoded 16-byte XOR key to decrypt embedded shellcode, which then decompresses a DLL using LZNT1 compression directly into memory.

Its codebase is heavily obfuscated, incorporating techniques such as register-based indirect calls, dynamic address arithmetic with 64-bit register overflows, and function dispatch tables, making static code analysis and control flow reconstruction particularly challenging.
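The two unpacking layers described above (a hardcoded 16-byte XOR key, then LZNT1 decompression into memory) are the layers an analyst has to peel back to recover the embedded DLL for hashing and static analysis. The following is an added example, not code from the original article or from GTIG; the key, the compressed stream and the "DLL" bytes are all constructed placeholders, and the LZNT1 decoder is a standalone reimplementation of the format behind Windows' RtlDecompressBuffer rather than anything taken from the malware.

```python
import struct


def xor_decrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the loader described on the page uses a fixed 16-byte key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def lznt1_decompress(data: bytes) -> bytes:
    """Decompress an LZNT1 stream (sequence of 4 KiB chunks, each with a 2-byte header)."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, i)[0]
        i += 2
        if hdr == 0:                      # a zero header terminates the stream
            break
        size = (hdr & 0x0FFF) + 1         # low 12 bits: chunk data length - 1
        chunk = data[i:i + size]
        i += size
        if not (hdr & 0x8000):            # bit 15 clear: stored, not compressed
            out += chunk
            continue
        chunk_start = len(out)
        j = 0
        while j < len(chunk):
            flags = chunk[j]              # one flag byte precedes up to 8 tokens
            j += 1
            for bit in range(8):
                if j >= len(chunk):
                    break
                if not (flags >> bit) & 1:
                    out.append(chunk[j])  # flag bit 0: literal byte
                    j += 1
                    continue
                if j + 2 > len(chunk):
                    raise ValueError("truncated LZNT1 back-reference")
                word = struct.unpack_from("<H", chunk, j)[0]
                j += 2
                # The split between displacement and length bits depends on how
                # much of the chunk has already been produced (4 bits of
                # displacement for the first 16 bytes, then 5, 6, ...).
                pos = len(out) - chunk_start - 1
                length_mask, disp_shift = 0x0FFF, 12
                while pos >= 0x10:
                    length_mask >>= 1
                    disp_shift -= 1
                    pos >>= 1
                length = (word & length_mask) + 3
                disp = (word >> disp_shift) + 1
                if disp > len(out) - chunk_start:
                    raise ValueError("LZNT1 back-reference points outside chunk")
                for _ in range(length):   # byte-wise copy handles overlapping runs
                    out.append(out[-disp])
    return bytes(out)


def unpack_payload(blob: bytes, key: bytes) -> bytes:
    """Peel the two layers in the order the page describes: XOR first, then LZNT1."""
    return lznt1_decompress(xor_decrypt(blob, key))


def looks_like_pe(buf: bytes) -> bool:
    """Cheap sanity check that the recovered buffer starts with a DOS/PE header."""
    return buf[:2] == b"MZ"


# --- constructed sample, not the real payload or key ---
SAMPLE_KEY = bytes(range(0x10, 0x20))          # placeholder 16-byte key
# One LZNT1 chunk: header 0xB007 (compressed, 8 data bytes), flag byte 0x20
# (token 5 is a back-reference), literals "MZABC", then (offset 3, length 9).
SAMPLE_COMPRESSED = b"\x07\xb0\x20MZABC\x06\x20"
SAMPLE_BLOB = xor_decrypt(SAMPLE_COMPRESSED, SAMPLE_KEY)   # XOR is symmetric

if __name__ == "__main__":
    dll = unpack_payload(SAMPLE_BLOB, SAMPLE_KEY)
    print(len(dll), "bytes, PE header present:", looks_like_pe(dll))
```

In a real triage the key comes from the loader (the page says it is hardcoded), and the recovered buffer is what gets hashed and fed to a disassembler; a failed `MZ` check after decompression is the quickest signal that the wrong key or the wrong layer order was assumed.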

Calendar-Based C2 Mechanism

What sets TOUGHPROGRESS apart is its exploitation of Google Calendar as an exfiltration and command channel.

After infecting a system, the malware creates zero-minute calendar events at hardcoded dates starting with 2023-05-30 to transmit encrypted host data in the event descriptions.

The attackers issue encrypted commands by updating events set for future dates (e.g., 2023-07-30 and 2023-07-31), which the malware then polls, decrypts, and executes locally.

Command results are similarly encrypted and uploaded back via new calendar events, leveraging Google’s legitimate infrastructure to blend malicious activity with normal user traffic and evade traditional detection mechanisms.

Figure: Example of a Calendar event created by TOUGHPROGRESS

The encryption routine itself employs a layered XOR-based mechanism, with message compression and encryption keys appended to event headers, further complicating automated analysis and detection.
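The calendar-based channel described in this section leaves a recognisable shape in the victim's calendar data: zero-minute events, opaque encrypted blobs in the description field, and event dates (2023-05-30 and the July 2023 command slots) that are far in the past relative to when the events were actually created. The following is an added detection example, not code from the article or from GTIG. It scores events in the JSON shape returned by the Google Calendar API v3 events.list endpoint; the feed, event ids and description blob below are constructed, and the thresholds (64-character base64-like description, 365 days of staleness, two or more hits) are assumptions for illustration rather than values from the report.

```python
import base64
import json
import re
from datetime import datetime, timedelta, timezone

# A description that is one long base64 alphabet run with no whitespace is the
# kind of opaque blob an encrypted beacon produces; real meeting notes are not.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def _parse_ts(s: str) -> datetime:
    """RFC 3339 timestamps as the Calendar API emits them (trailing 'Z' allowed)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _bounds(ev: dict):
    """Start/end as aware datetimes; all-day events ('date') count as midnight UTC."""
    def one(part):
        if "dateTime" in part:
            return _parse_ts(part["dateTime"])
        return datetime.fromisoformat(part["date"]).replace(tzinfo=timezone.utc)
    return one(ev["start"]), one(ev["end"])


def score_event(ev: dict, stale_after: timedelta = timedelta(days=365)) -> list:
    """Return the reasons an event resembles a calendar C2 beacon (empty if none)."""
    reasons = []
    start, end = _bounds(ev)
    desc = (ev.get("description") or "").strip()
    if start == end:
        reasons.append("zero-minute event")
    if B64_RE.match(desc):
        reasons.append("opaque base64-like description (%d chars)" % len(desc))
    created = _parse_ts(ev["created"])
    if created - start > stale_after:
        reasons.append("scheduled %d days before it was created" % (created - start).days)
    return reasons


def find_suspicious_events(feed_json: str, min_hits: int = 2) -> dict:
    """Map event id -> reasons for every event that trips at least min_hits heuristics."""
    flagged = {}
    for ev in json.loads(feed_json)["items"]:
        reasons = score_event(ev)
        if len(reasons) >= min_hits:
            flagged[ev["id"]] = reasons
    return flagged


# --- constructed sample feed in events.list shape; not real campaign data ---
_FAKE_BLOB = base64.b64encode(bytes(range(96))).decode()   # 128 chars, placeholder
SAMPLE_FEED = json.dumps({"items": [
    {"id": "evt-normal-1", "created": "2024-10-14T08:00:00.000Z",
     "summary": "Weekly sync", "description": "Agenda: budget review, hiring update",
     "start": {"dateTime": "2024-10-16T10:00:00Z"},
     "end": {"dateTime": "2024-10-16T10:30:00Z"}},
    {"id": "evt-reminder-1", "created": "2024-10-14T08:05:00.000Z",
     "summary": "Dentist", "description": "Bring insurance card",
     "start": {"dateTime": "2024-10-20T09:00:00Z"},
     "end": {"dateTime": "2024-10-20T09:00:00Z"}},          # zero-minute but benign
    {"id": "evt-beacon-1", "created": "2024-10-15T09:12:44.000Z",
     "summary": "", "description": _FAKE_BLOB,
     "start": {"dateTime": "2023-05-30T00:00:00Z"},          # date from the report
     "end": {"dateTime": "2023-05-30T00:00:00Z"}},
]})

if __name__ == "__main__":
    for event_id, why in find_suspicious_events(SAMPLE_FEED).items():
        print(event_id, "->", "; ".join(why))
```

Requiring two independent signals keeps ordinary zero-minute reminders out of the result; for Workspace tenants the same scoring can be run over audit-log exports of event creations, where the Calendar API project id and calendar URL listed in the IOCs below provide an exact-match rule alongside these heuristics.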

According to the report, Google’s GTIG, in conjunction with Mandiant FLARE, acted promptly to disrupt the campaign by developing detection signatures, disabling attacker-controlled calendar resources, terminating malicious Workspace projects, and updating Safe Browsing blocklists to cover the associated domains and URLs.

At-risk organizations were notified with forensic data and technical indicators to assist in response efforts.

This campaign continues a pattern of APT41 leveraging free and legitimate cloud services for malware distribution and control, including prior abuse of Google Sheets, Drive, and third-party hosting platforms such as Cloudflare Workers and InfinityFree.

Google emphasizes the importance of vigilance and robust detection, especially as adversaries increasingly turn to abusing trusted cloud infrastructure for cyber espionage at scale.

Indicators of Compromise (IOCs)

Type            Value (file hashes given as SHA-256 / MD5)
Zip Archive     469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a / 876fb1b0275a653c4210aaf01c2698ec
LNK File        3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb / 65da1a9026cf171a5a7779bc5ee45fb1
6.jpg           50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360 / 1ca609e207edb211c8b9566ef35043b6
7.jpg           151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7 / 2ec4eeeabb8f6c2970dcbffdcdbd60e3
Domains         word.msapp.workers.dev, cloud.msapp.workers.dev, resource.infinityfreeapp.com, pubs.infinityfreeapp.com
TryCloudflare   term-restore-satisfied-hence.trycloudflare.com, ways-sms-pmc-shareholders.trycloudflare.com
Short URLs      lihi.cc/6dekU, lihi.cc/v3OyQ, tinyurl.com/hycev3y7, my5353.com/nWyTf, reurl.cc/WNr2Xy
Calendar API    104075625139-l53k83pb6jbbc2qbreo4i5a0vepen41j.apps.googleusercontent.com
Calendar URL    www.googleapis.com/calendar/v3/calendars/ff57964096cadc1a8733cf566b41c9528c89d30edec86326c723932c1e79ebf0@group.calendar.google.com/events

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
