Mark Your Calendar: APT41 Innovative Tactics
May 28, 2025, 8:41 p.m.
Description
In late October 2024, Google Threat Intelligence Group (GTIG) discovered a compromised government website hosting malware that targeted multiple other government entities. The malware, dubbed TOUGHPROGRESS, used Google Calendar for command and control. GTIG attributes the campaign to APT41, a PRC-based actor that has targeted organizations worldwide across a range of sectors. Delivery was by spear-phishing emails linking to a ZIP archive on the compromised site; the archive held an LNK file disguised as a PDF alongside image files, some of which were actually encrypted payloads. The infection chain then ran through three modules: PLUSDROP, a DLL that decrypts and executes the next stage in memory; PLUSINJECT, which launches a legitimate svchost.exe process and hollows it to host the final payload; and TOUGHPROGRESS itself, which carries out the operator's tasks. Each stage relies on encryption, in-memory execution and other evasion techniques to minimize its footprint on disk. TOUGHPROGRESS communicated through Calendar events: encrypted data collected from the host was written into the description of zero-minute events, and the implant polled events at hardcoded dates for encrypted operator commands, so its C2 traffic blended in with legitimate use of a Google service. GTIG disrupted the campaign by developing custom fingerprints to identify and take down attacker-controlled Calendars, terminating the attacker-controlled Workspace projects, updating file detections, and adding the malicious domains and URLs to Safe Browsing. Since at least August 2024, APT41 has also been observed distributing malware through free web hosting services such as TryCloudflare and through URL shorteners. The original blog post provides indicators of compromise and YARA rules to support detection of and defense against similar activity.
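As an added example (editor's code, not from the GTIG post or from this indicator feed), the Python below shows how the two detection angles in this summary can be operationalized: matching the published indicators against proxy logs, treating any other *.trycloudflare.com quick-tunnel host as worth review given APT41's use of free hosting, and flagging Calendar events that fit the described C2 pattern (a zero-minute event whose description is an opaque encrypted or encoded blob rather than text). The proxy-log format, the sample log lines and events, the extra hostname brave-lemon-tiger-pasta.trycloudflare.com, the clean file hash, and the length and entropy thresholds are all constructed or assumed for illustration; the event field names follow the Google Calendar API events resource (id, description, start.dateTime, end.dateTime, or start.date for all-day events).

```python
from __future__ import annotations

import math
import re
from collections import Counter
from datetime import datetime

# Indicators published with this campaign summary: SHA-256 file hashes and
# TryCloudflare quick-tunnel hostnames.
IOC_SHA256 = {
    "50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360",
    "469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a",
    "3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb",
    "151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7",
}
IOC_HOSTS = {
    "term-restore-satisfied-hence.trycloudflare.com",
    "ways-sms-pmc-shareholders.trycloudflare.com",
}
# Any other quick-tunnel host is worth review: the summary notes APT41 using
# free hosting such as TryCloudflare, and tunnel names are throwaway.
QUICK_TUNNEL_SUFFIX = ".trycloudflare.com"
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# Constructed proxy log (not real traffic). Assumed fields:
# timestamp src_ip method host path sha256_of_response_or_dash
SAMPLE_PROXY_LOG = [
    "2024-10-29T08:15:02Z 10.1.4.22 GET term-restore-satisfied-hence.trycloudflare.com /update/pkg.zip 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360",
    "2024-10-29T08:15:40Z 10.1.4.22 GET calendar.googleapis.com /calendar/v3/calendars/primary/events -",
    "2024-10-29T09:02:11Z 10.1.7.5 GET docs.example.com /report.pdf 9f1b5c3e7a0d2468ace13579bdf02468ace13579bdf02468ace13579bdf02468",
    "2024-10-30T11:45:09Z 10.1.9.14 GET brave-lemon-tiger-pasta.trycloudflare.com /a.zip -",  # constructed hostname
]


def match_proxy_line(line: str) -> list[str]:
    """Return the reasons one proxy-log line is suspicious (empty list if none)."""
    fields = line.split()
    if len(fields) != 6:
        return []  # malformed line: skip it rather than abort the whole scan
    host, digest = fields[3].lower(), fields[5].lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")
    elif host.endswith(QUICK_TUNNEL_SUFFIX):
        reasons.append("quick-tunnel-host")
    if SHA256_RE.match(digest) and digest in IOC_SHA256:
        reasons.append("ioc-sha256")
    return reasons


def scan_proxy_log(lines) -> list[tuple[int, list[str]]]:
    """(1-based line number, reasons) for every line with at least one hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = match_proxy_line(line)
        if reasons:
            hits.append((number, reasons))
    return hits


def shannon_entropy(text: str) -> float:
    """Bits per character: roughly 4 for English prose, 5.5-6 for base64 ciphertext."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_zero_minute(event: dict) -> bool:
    """True when a timed event starts and ends at the same instant.
    All-day events carry start.date instead of start.dateTime and are skipped."""
    start = event.get("start", {}).get("dateTime")
    end = event.get("end", {}).get("dateTime")
    if not start or not end:
        return False
    return datetime.fromisoformat(start) == datetime.fromisoformat(end)


def looks_opaque(description: str, min_len: int = 64, min_entropy: float = 4.0) -> bool:
    """Heuristic for an encrypted/encoded blob: long, no whitespace, high entropy.
    Thresholds are assumptions to tune against your own tenant's events."""
    if not description or len(description) < min_len:
        return False
    if any(ch.isspace() for ch in description):
        return False
    return shannon_entropy(description) >= min_entropy


def suspicious_calendar_events(events) -> list[str]:
    """IDs of events matching the TOUGHPROGRESS carrier pattern described above."""
    return [e["id"] for e in events
            if is_zero_minute(e) and looks_opaque(e.get("description", ""))]


# Constructed Calendar event resources (not from a real tenant).
SAMPLE_EVENTS = [
    {"id": "evt-1", "summary": "Team sync",
     "description": "Weekly status meeting, agenda in the shared doc.",
     "start": {"dateTime": "2024-11-04T09:00:00+00:00"},
     "end": {"dateTime": "2024-11-04T09:30:00+00:00"}},
    {"id": "evt-2", "summary": "Timesheets",
     "description": "Reminder: submit timesheet",
     "start": {"dateTime": "2024-11-04T17:00:00+00:00"},
     "end": {"dateTime": "2024-11-04T17:00:00+00:00"}},
    {"id": "evt-3", "summary": "",
     "description": "U2FsdGVkX1+q9bZlP0yR7wKc3jNvHt8mA5xE2gLoD6sIfW4rTnYhVpBuCk1eMzJaGQ==",
     "start": {"dateTime": "2024-10-28T00:00:00+00:00"},
     "end": {"dateTime": "2024-10-28T00:00:00+00:00"}},
    {"id": "evt-4", "summary": "Offsite",
     "start": {"date": "2024-11-08"}, "end": {"date": "2024-11-09"}},
]

if __name__ == "__main__":
    for number, reasons in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"proxy line {number}: {', '.join(reasons)}")
    print("suspicious calendar events:", suspicious_calendar_events(SAMPLE_EVENTS))
```

The exact-match checks are only as good as the indicator list, which is why the generic quick-tunnel and opaque-event heuristics sit beside them: the former catches the next throwaway TryCloudflare name, the latter does not depend on the attacker reusing any Calendar or date. Both will produce some benign hits (legitimate tunnel use, reminders carrying pasted tokens), so treat them as triage leads rather than verdicts.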
Tags
Date
- Created: May 28, 2025, 8:28 p.m.
- Published: May 28, 2025, 8:28 p.m.
- Modified: May 28, 2025, 8:41 p.m.
Indicators
- 50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360
- 469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a
- 3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb
- 151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7
- term-restore-satisfied-hence.trycloudflare.com
- ways-sms-pmc-shareholders.trycloudflare.com
Additional Information
- Technology
- Media
- Transportation
- Government