Security researchers warn that cybercriminals have added another legitimate tool to their arsenal, but this time it’s a major Google open source project being abused.
Google’s Threat Analysis Group (TAG) cybersecurity researchers recently revealed (opens in new tab) A Chinese government-backed threat actor known as APT41 is using the Google command and control (GC2) red teaming tool to attack organizations around the world.
TAGs typically investigate state-sponsored actors. ATP41 is a known threat actor that has been reported for the last three years. Apparently he’s been around since 2014, during which time various cybersecurity research groups have given him various names such as HOODOO, BARIUM, Winnti, and BlackFly.
China attacks again GC2 is Google’s open source project designed for red team activities. Red teaming refers to the practice of challenging plans and systems in a way threat actors do. Red teaming systems allow organizations to avoid cognitive errors such as confirmation bias that often leave large holes in cybersecurity defenses.
“This program was developed to provide command and control during Red Teaming activities without requiring any specific setup (custom domain, VPS, CDN, etc.),” says GC2’s GitHub repository. .
Additionally, the program only interacts with Google’s domains (*.google.com), making detection more difficult.
According to TAG, APT41 used GC2 during phishing attacks against two targets. One of which he is a Taiwanese media company.
“In October 2022, Google’s Threat Analysis Group (TAG) targeted APT41 media organizations in Taiwan by sending phishing emails containing links to password-protected files hosted in Drive. It thwarted a campaign from HOODOO, a Chinese government-backed attacker also known as HOODOO,” the company report claims.
“The payload was an open source red teaming tool called ‘Google Command and Control’ (GC2). ”
The second target was an Italian job search site. Researchers claim that APT 41 used this tool to try to deploy additional malware on targeted endpoints. (opens in new tab) without detailing exactly which malware.
Via: BleepingComputer (opens in new tab)
websitebuildersnow
GIPHY App Key not set. Please check settings