"Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites"

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver Google Command and Control (GC2), an open-source red teaming tool, as part of a broader abuse of Google's own infrastructure for malicious purposes. Google's Threat Analysis Group (TAG) attributed the campaign to a threat actor it tracks as HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email linking to a password-protected file hosted on Google Drive; that file contains the GC2 agent, which reads operator commands from a Google Sheets spreadsheet and exfiltrates data through Google Drive. Once installed on a victim's computer, the malware periodically queries Google Sheets for commands. In addition to exfiltration via Drive, GC2 can download additional files from Drive onto the victim system. Google reported that the same malware was previously used to target an Italian job search website in July 2022. The development is noteworthy because it suggests that Chinese threat actors are increasingly relying on publicly available tools, such as Cobalt Strike and GC2, to complicate attribution. It also indicates that malware and tooling written in the Go programming language are gaining popularity due to its cross-platform compatibility and modularity. Because both the command channel and the exfiltration channel ride on legitimate Google services, domain reputation and allow-lists offer little protection; detection has to rest on which processes are talking to those APIs and how regularly they do so. This article continues to discuss APT41's use of GC2 and other findings surrounding the threat actor. 
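The following is an added example, not code from the article, from Google TAG, or from the GC2 project. It shows one way a defender can hunt for the behaviour described above in web proxy logs: a non-browser process polling the Google Sheets API at a steady cadence and then posting a large body to the Google Drive upload endpoint. The log lines, the workstation names, and the process name svchost_update.exe are all constructed for the example; the hostnames sheets.googleapis.com and www.googleapis.com are the real API endpoints, but the log format is an assumed simplified one.

```python
"""Hunt for GC2-style command polling and exfiltration over Google APIs.

Added example. The SAMPLE_LOG lines are constructed, not taken from the
article, and svchost_update.exe is a hypothetical process name. Log format
assumed here: timestamp source_host process destination_host method bytes.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints GC2-style tooling must reach: Sheets for commands, and the
# Drive upload endpoint (www.googleapis.com/upload/drive/...) for exfil.
SHEETS_HOST = "sheets.googleapis.com"
DRIVE_HOST = "www.googleapis.com"
BROWSER_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample: ws-0412 is a person editing a spreadsheet in a browser;
# ws-0931 is a non-browser binary polling Sheets every ~60 s, then uploading
# 5 MiB to Drive. Neither destination would trip domain-reputation blocking.
SAMPLE_LOG = """\
2023-04-17T09:00:02Z ws-0412 chrome.exe sheets.googleapis.com GET 812
2023-04-17T09:00:41Z ws-0412 chrome.exe sheets.googleapis.com POST 2048
2023-04-17T09:03:15Z ws-0412 chrome.exe docs.google.com GET 531
2023-04-17T09:00:00Z ws-0931 svchost_update.exe oauth2.googleapis.com POST 640
2023-04-17T09:00:05Z ws-0931 svchost_update.exe sheets.googleapis.com GET 410
2023-04-17T09:01:05Z ws-0931 svchost_update.exe sheets.googleapis.com GET 410
2023-04-17T09:02:06Z ws-0931 svchost_update.exe sheets.googleapis.com GET 410
2023-04-17T09:03:05Z ws-0931 svchost_update.exe sheets.googleapis.com GET 410
2023-04-17T09:04:05Z ws-0931 svchost_update.exe sheets.googleapis.com GET 410
2023-04-17T09:04:09Z ws-0931 svchost_update.exe www.googleapis.com POST 5242880
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts with a real datetime."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dest, method, nbytes = line.split()
        entries.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "process": proc, "dest": dest,
            "method": method, "bytes": int(nbytes),
        })
    return entries


def find_suspicious(entries, min_polls=4, max_jitter=0.2):
    """Flag (host, process) pairs that are not browsers and fetch the Sheets
    API at a regular cadence; report how much they posted to the Drive host.

    The destinations are legitimate Google services, so the signal comes from
    who is talking (a non-browser process) and how (beacon-like regularity),
    not from the domain itself.
    """
    by_actor = defaultdict(list)
    for e in entries:
        if e["process"].lower() not in BROWSER_PROCESSES:
            by_actor[(e["host"], e["process"])].append(e)

    findings = []
    for (host, proc), evs in by_actor.items():
        polls = sorted(e["ts"] for e in evs
                       if e["dest"] == SHEETS_HOST and e["method"] == "GET")
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the polling interval: low means a
        # timer-driven beacon, high means bursty interactive use.
        if avg <= 0 or pstdev(gaps) / avg > max_jitter:
            continue
        uploaded = sum(e["bytes"] for e in evs
                       if e["dest"] == DRIVE_HOST and e["method"] == "POST")
        findings.append({"host": host, "process": proc, "polls": len(polls),
                         "mean_interval_s": avg, "upload_bytes": uploaded})
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} {f['process']}: {f['polls']} Sheets polls every "
              f"~{f['mean_interval_s']:.0f}s, {f['upload_bytes']} bytes to Drive")
```

On real proxy or EDR telemetry the process field may be a User-Agent string or a parent-process path rather than an image name, and the Drive upload would be visible as a path under www.googleapis.com/upload/ rather than just the host; the thresholds (four polls, 20% jitter) are starting points to tune against a baseline of legitimate Google Workspace traffic, not fixed values.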

THN reports "Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites"
