A threat actor that Google's Threat Analysis Group (TAG) tracks under the name HOODOO, and which is also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti, targeted an unnamed Taiwanese media organization to deliver an open source red teaming tool known as Google Command and Control (GC2).

The attack begins with a phishing email containing links to a password-protected file hosted on Google Drive. That file carries the GC2 tool, which reads attacker commands from Google Sheets and exfiltrates data through the same cloud storage service.

This is notable for two reasons. First, it suggests that Chinese threat groups are increasingly relying on publicly available tooling such as Cobalt Strike and GC2 to complicate attribution. Second, it is a reminder that even though Google services are among the most popular and widely used in the world, they are not immune to abuse.

In fact, the company's cloud division recently released its sixth Threat Horizons Report, which includes a section on GC2 and how attackers are using it. The report notes that, once installed on the victim machine, the malware queries Google Sheets to obtain attacker commands. In addition to exfiltrating data via Drive, GC2 lets the attacker download additional files from Drive onto the victim system. Google says the threat actor previously used the same malware in July 2022 to target an Italian job search website.

As enterprises continue to move more of their data and applications to the cloud, it is important to be aware of the potential risks and take steps to mitigate them. This means not only using strong authentication and authorization measures, but also monitoring for unusual activity that could indicate an attack in progress.
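The monitoring the article calls for can start with egress telemetry: a tool that takes its tasking from Google Sheets and moves data through Drive has to talk to the public Google API endpoints from a process that is not a browser, usually on a fixed schedule. The following is an added example, not code from the article, from Google, or from the GC2 project. It runs three defender-side heuristics over constructed web-proxy log lines (the log format, host names, user agents, thresholds, and byte counts are all assumptions; the only real values are the public `sheets.googleapis.com` and `www.googleapis.com` hostnames and their Sheets v4 / Drive v3 paths): a non-browser client reaching the Sheets or Drive API, evenly spaced polling of the same Sheets resource, and a large single upload to the Drive upload endpoint.

```python
"""
Heuristics for spotting Google Sheets / Drive API use as a C2 and exfiltration
channel, run over constructed web-proxy log lines. Added example; not the
article's, Google's, or GC2's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample proxy log: timestamp, client host, user-agent, destination host, path, bytes sent.
# Host names, user agents and the spreadsheet id placeholder are invented for the example.
SAMPLE_LOG = """\
2023-04-17T09:00:00Z ws-114 "custom-client/1.0" sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1 512
2023-04-17T09:01:00Z ws-114 "custom-client/1.0" sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1 512
2023-04-17T09:02:00Z ws-114 "custom-client/1.0" sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1 512
2023-04-17T09:03:00Z ws-114 "custom-client/1.0" sheets.googleapis.com /v4/spreadsheets/SHEET_ID_PLACEHOLDER/values/A1 512
2023-04-17T09:03:30Z ws-114 "custom-client/1.0" www.googleapis.com /upload/drive/v3/files 20971520
2023-04-17T09:05:12Z ws-207 "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0" docs.google.com /spreadsheets/d/abc/edit 1024
2023-04-17T09:41:50Z ws-207 "Mozilla/5.0 (Windows NT 10.0) Chrome/112.0" drive.google.com /drive/my-drive 2048
"""

LOG_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+) (\S+) (\d+)$')

# Public Google API hostnames used by the Sheets v4 and Drive v3 REST APIs.
WORKSPACE_API_HOSTS = {"sheets.googleapis.com", "www.googleapis.com"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # assumption: 5 MiB in one request is unusual for this host
MIN_POLL_EVENTS = 4                        # assumption: need a few samples before calling it polling
MAX_JITTER_RATIO = 0.15                    # assumption: stdev/mean of gaps below this looks scheduled


def parse_log(text):
    """Parse the constructed log format into a list of event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, host, ua, dest, path, sent = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "host": host, "ua": ua, "dest": dest, "path": path, "bytes_out": int(sent),
        })
    return events


def is_browser_ua(ua):
    """Browsers send Mozilla/5.0-prefixed agents; API libraries and custom clients usually do not."""
    return ua.startswith("Mozilla/")


def is_workspace_api(event):
    """True for the Sheets API host or any Drive API path on www.googleapis.com."""
    if event["dest"] == "sheets.googleapis.com":
        return True
    return event["dest"] == "www.googleapis.com" and "/drive/" in event["path"]


def detect(events):
    """Return {client host: set of reason tags} for hosts whose API traffic matches a heuristic."""
    reasons = defaultdict(set)
    polls = defaultdict(list)  # (host, dest, path) -> timestamps of non-browser API requests
    for e in events:
        if not is_workspace_api(e) or is_browser_ua(e["ua"]):
            continue
        reasons[e["host"]].add("non-browser-api-client")
        if "/upload/drive/" in e["path"] and e["bytes_out"] >= UPLOAD_BYTES_THRESHOLD:
            reasons[e["host"]].add("large-drive-upload")
        polls[(e["host"], e["dest"], e["path"])].append(e["ts"])
    # Evenly spaced requests to the same Sheets/Drive resource look like a scheduler, not a person.
    for (host, _dest, _path), stamps in polls.items():
        if len(stamps) < MIN_POLL_EVENTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= MAX_JITTER_RATIO:
            reasons[host].add("regular-polling")
    return dict(reasons)


if __name__ == "__main__":
    for host, tags in sorted(detect(parse_log(SAMPLE_LOG)).items()):
        print(f"{host}: {', '.join(sorted(tags))}")
```

Treat the output as triage leads, not verdicts: legitimate sync clients and in-house integrations also reach these endpoints with non-browser user agents, so an allow-list of known agents and service accounts, built from your own baseline, belongs in front of these checks. The polling heuristic is the most durable of the three, because a tool that fetches its tasking from a spreadsheet has to keep asking for it.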