In late October 2024, a government website was discovered hosting malware targeting multiple government entities. The malware, dubbed TOUGHPROGRESS, utilized Google Calendar for command and control. Attributed to APT41, a PRC-based actor, the campaign targeted global organizations in various sectors. The malware infection chain involved three modules: PLUSDROP, PLUSINJECT, and TOUGHPROGRESS, employing stealth and evasion techniques. TOUGHPROGRESS used encrypted Calendar events for communication. Google Threat Intelligence Group disrupted the campaign by developing custom fingerprints, terminating attacker-controlled infrastructure, and updating Safe Browsing. APT41 has been observed using free web hosting tools and URL shorteners for malware distribution since August 2024. The blog post provides indicators of compromise and YARA rules to aid in detection and defense against similar attacks. Author: AlienVault
Related Tags:
Google Calendar
DUSTTRAP
Voldemort
PLUSINJECT
PLUSDROP
TOUGHPROGRESS
apt41
T1027.001
T1573.001
Associated Indicators:
151257E9DFDA476CDAFD9983266AD3255104D72A66F9265CAA8417A5FE1DF5D7
469B534BEC827BE03C0823E72E7B4DA0B84F53199040705DA203986EF154406A
3B88B3EFBDC86383EE9738C92026B8931CE1C13CD75CD1CDA2FA302791C2C4FB