APT41, a China-backed hacking group, was discovered using GC2, the Google Command and Control red teaming tool, in its data theft campaign against an Italian job search company and a Taiwan-based media corporation.
The threat group is also tracked under the name HOODOO and is a Chinese state-backed hacking gang targeting various industries on multiple continents. According to reports, the group has been active for nearly a decade and allegedly overlaps with other Chinese hacking groups such as Winnti and Barium.
Google’s latest report earlier this month showed that APT41 is leveraging the GC2 red teaming tool for malicious campaigns. GC2 is an open-source project written in the Go language that is intended to aid red teaming activities.
GC2 is a program that lets its users run red teaming activities without building any infrastructure of their own.
Researchers explained that the developers of GC2 created the tool to provide command-and-control software that does not require dedicated infrastructure such as a VPS, a CDN, or a custom domain during red teaming activities.
In addition, the program interacts exclusively with Google domains such as “google[.]com”, which makes detection more challenging. The project contains an agent that attackers run on infected devices, which then connects back to a Google Sheets URL to receive commands.
These commands cause the running agent to download and install additional payloads from Google Drive or to exfiltrate stolen information to the cloud storage service. In its latest report, Google’s TAG team said it had disrupted an APT41 phishing attack that tried to deliver the GC2 agent to a Taiwanese media company.
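Because the agent's only network footprint is traffic to Google services, a defender's best signal is which process is talking to them and how. The following is an added detection example, not code from the report or from the GC2 project: it runs over constructed proxy/EDR log lines and flags non-browser processes that poll Google Sheets/Drive API hosts at a near-constant interval (tasking beacons) or push a large upload to them (exfiltration). The hostnames, process allowlist and thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample log lines (not from the original report):
# timestamp  host  process  destination  method  bytes_out
SAMPLE_LOG = """\
2023-04-14T09:00:00 ws-17 chrome.exe docs.google.com GET 512
2023-04-14T09:00:05 ws-17 svchost.exe sheets.googleapis.com GET 210
2023-04-14T09:01:05 ws-17 svchost.exe sheets.googleapis.com GET 210
2023-04-14T09:02:06 ws-17 svchost.exe sheets.googleapis.com GET 210
2023-04-14T09:03:05 ws-17 svchost.exe sheets.googleapis.com GET 210
2023-04-14T09:03:20 ws-17 svchost.exe www.googleapis.com POST 4194304
2023-04-14T09:10:00 ws-22 chrome.exe sheets.googleapis.com GET 1500
2023-04-14T09:17:31 ws-22 chrome.exe sheets.googleapis.com GET 1480
"""

# Assumed Google Workspace API hosts: Sheets for tasking, Drive for payloads/exfil.
WORKSPACE_API_HOSTS = {"sheets.googleapis.com", "www.googleapis.com",
                       "docs.google.com", "drive.google.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # expected Workspace clients
MIN_BEACONS, MAX_JITTER_SEC, UPLOAD_BYTES = 4, 5.0, 1_000_000

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, host, proc, dest, method, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), host, proc, dest, method, int(nbytes)))
    return rows

def find_suspicious(rows):
    """Return (host, process, destination, reason) for non-browser processes that
    beacon to Workspace APIs at a steady interval or push a large upload to them."""
    series = defaultdict(list)
    findings = set()
    for ts, host, proc, dest, method, nbytes in rows:
        if dest not in WORKSPACE_API_HOSTS or proc in BROWSERS:
            continue
        series[(host, proc, dest)].append(ts)
        if method == "POST" and nbytes >= UPLOAD_BYTES:
            findings.add((host, proc, dest, "bulk_upload"))
    for key, stamps in series.items():
        if len(stamps) < MIN_BEACONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= MAX_JITTER_SEC:  # near-constant polling interval = beaconing
            findings.add(key + ("beaconing",))
    return sorted(findings)
```

The browser on ws-22 also hits the Sheets API but is allowlisted and irregular, so only the svchost.exe beacon and its 4 MB upload on ws-17 are reported.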
Furthermore, Google revealed that the Chinese-backed hacker group used GC2 in attacking an Italian job search website in July last year.
Google explained that the threat actors used the agent to launch additional payloads on the device, harvest data, and send it to Google Drive. APT41 is notorious for deploying various malware strains on compromised systems, but the latest reports have not revealed which malware the group used in these attacks.
Researchers advise organisations to remain vigilant against these threats, as this technique is new for cybercriminals.