Yikes! Open Source Red Team Tool Used By Hackers In Malware Attacks
In Google’s April 2023 Threat Horizons Report, security researchers in its Threat Analysis Group revealed that APT41 has been abusing the open-source GC2 red teaming tool in malware attacks.
The campaign talks only to Google's own domains, which makes it hard to separate from legitimate traffic. It consists of an agent deployed on compromised devices that polls a Google Sheets URL for commands to execute.
Those commands direct the agent to download and install additional payloads from Google Drive, or to exfiltrate stolen data back to Drive.
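The description above points at the detection problem a defender actually faces: the traffic goes to Google, so blocking the domain is not an option, and the signal has to come from how a host talks to Sheets and Drive rather than whether it does. The following Python is an added example written for this page, not code from the original post or from the GC2 project. It runs a small set of indicators over constructed proxy log lines (the log format, host names `ws-042`/`ws-017`, the list of watched Google endpoints and the thresholds are all assumptions for the example): a non-browser User-Agent against Google API hosts (Go's `net/http` default is `Go-http-client/1.1`, and GC2 is written in Go), fixed-interval polling of a spreadsheet, and a Drive upload from the same host. A host is reported only when two or more indicators line up, so ordinary browser use of Sheets is not flagged.

```python
"""Score proxy log records for GC2-style tasking over Google Sheets/Drive.

Added example for this page; log format, thresholds and the watched-host list
are assumptions, not facts taken from Google's report or the GC2 source.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Google endpoints a Sheets-tasked / Drive-exfil agent would touch (assumed list).
WATCHED_HOSTS = {"sheets.googleapis.com", "docs.google.com",
                 "www.googleapis.com", "drive.google.com"}

# Constructed sample proxy lines (not real traffic):
#   <timestamp> <src host> <method> <url> <user agent...>
# ws-042 polls one sheet every 30 s with Go's default UA, then uploads to Drive.
# ws-017 is a person editing a spreadsheet in Chrome at irregular times.
SAMPLE_LOG = """\
2023-04-19T11:00:00Z ws-042 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 Go-http-client/1.1
2023-04-19T11:00:30Z ws-042 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 Go-http-client/1.1
2023-04-19T11:01:00Z ws-042 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 Go-http-client/1.1
2023-04-19T11:01:30Z ws-042 GET https://sheets.googleapis.com/v4/spreadsheets/abc/values/A1 Go-http-client/1.1
2023-04-19T11:01:31Z ws-042 POST https://www.googleapis.com/upload/drive/v3/files Go-http-client/1.1
2023-04-19T11:00:05Z ws-017 GET https://docs.google.com/spreadsheets/d/xyz/edit Mozilla/5.0 (Windows NT 10.0) Chrome/112.0
2023-04-19T11:07:41Z ws-017 GET https://docs.google.com/spreadsheets/d/xyz/edit Mozilla/5.0 (Windows NT 10.0) Chrome/112.0
2023-04-19T11:23:02Z ws-017 GET https://sheets.googleapis.com/v4/spreadsheets/xyz/values/A1 Mozilla/5.0 (Windows NT 10.0) Chrome/112.0
"""


def parse_log(text):
    """Parse the constructed log format into dicts; the UA may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, url, ua = line.split(maxsplit=4)
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "method": method, "url": url,
            "host": urlparse(url).hostname, "ua": ua,
        })
    return records


def interval_cv(timestamps):
    """Coefficient of variation of inter-arrival gaps.

    Near 0 means fixed-interval beaconing; None when there are too few gaps
    to say anything (fewer than 3 gaps, i.e. fewer than 4 requests).
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_suspects(records, max_cv=0.2):
    """Return {src_host: [indicators]} for hosts with at least two indicators."""
    by_src = defaultdict(list)
    for r in records:
        if r["host"] in WATCHED_HOSTS:
            by_src[r["src"]].append(r)

    findings = {}
    for src, evts in by_src.items():
        indicators = []
        # 1. A non-browser client talking to Google APIs (Go's default UA included).
        if any(not r["ua"].startswith("Mozilla/") for r in evts):
            indicators.append("non_browser_ua")
        # 2. Fixed-interval reads of a spreadsheet: the tasking poll loop.
        reads = [r["ts"] for r in evts
                 if r["method"] == "GET" and "spreadsheets" in r["url"]]
        cv = interval_cv(reads)
        if cv is not None and cv < max_cv:
            indicators.append("periodic_sheet_polling")
        # 3. An upload to Drive from the same host: payload staging or exfil.
        if any(r["method"] == "POST" and "/upload/drive/" in r["url"] for r in evts):
            indicators.append("drive_upload")
        if len(indicators) >= 2:
            findings[src] = indicators
    return findings


if __name__ == "__main__":
    for host, why in find_suspects(parse_log(SAMPLE_LOG)).items():
        print(host, "->", ", ".join(why))
```

The User-Agent indicator is the cheapest and also the easiest for an operator to remove, which is why it is never sufficient on its own here; the periodicity check survives a custom UA as long as the agent keeps a tight polling interval, and an upload following a poll loop is the behavioural shape of the tasking-then-exfil cycle the post describes. Threshold and minimum-sample values should be tuned against your own Sheets and Drive baseline before this goes anywhere near production alerting.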
APT41’s use of GC2 is another indicator of a trend of threat actors using well-intentioned, legitimate red teaming tools and RMM platforms as part of their attacks.
Matt Mullins, Senior Security Researcher, Cybrary provided this comment:
“APT41’s use of GC2 is a shift into using more novel and off-the-shelf modern open-source projects. While most of the APT pool still relies on certain tried-and-true approaches (such as using PowerShell and macros), this change-up of tactics shows a willingness to change approaches with the times. The GC2 program isn’t anything revolutionary to the Red Team community, as the utilization of covert channels as a non-standard C2 is something that good Red Teams have been organically developing for years now.
“The tool, which uses Google’s trusted domains and applications, allows for the masquerading of legitimacy. This approach exposes an Achilles heel to using major providers like Google and Microsoft: enterprises essentially have to whitelist all domains and subdomains associated with these companies. By doing so, any service that can be abused is a free hall pass for attackers. I have personally used this on my own operations before and can say that it leaves even the best defenders blind to C2 communications.
“The application also uses Go, which is a Google language (for extra insult), and in a similar vein it is a known compiled language to Red Teams. Go provides nice cross-compatibility with less robust detection maturity in most organizations. All of this makes for a great initial malware payload!
“Times are changing and so are APT groups. As we see more research and development done by Red Teams, we will see more advanced vectors and approaches like this. Defenders need to make sure they have validated their detections, that their detections are robust, and that we have security at all layers (instead of depending on one product or tool to save us). Above all else, having a good Red Team will help your Blue Team train up to defend against advanced threats like this! Investing in a good offensive security program for ANY organization will pay exponentially in the long run.”
Christopher Peacock, Principal Detection Engineer, SCYTHE followed up with this comment:
“In this day and age, free and open-source hacking software is just that, hacking software. Any interesting capability posted publicly to GitHub will inevitably be used maliciously regardless of the project’s intentions, licensing, or disclaimer.”
The lesson is less that threat actors have become more dangerous than that they are happy to borrow whatever works, including tooling written for defenders and traffic patterns that hide inside the cloud services every enterprise already trusts. Those of us tasked with defending against these attacks cannot rely on a domain allowlist to do the work; we have to detect the behaviour, not the destination, and validate that our detections actually fire.
This entry was posted on April 19, 2023 at 11:00 am and is filed under Commentary with tags Google.