Hackers Affiliated with China Use Google Sheets and Google Calendar for Command and Control Communications

Hackers affiliated with the China-backed group TA415 utilize Google Sheets and Calendar for command and control (C2) communication channels.

In a recent series of cyber attacks, the Chinese state-sponsored threat actor TA415, also known as APT41, Brass Typhoon, and Wicked Panda, has shifted its focus to using legitimate development tools for espionage purposes.

According to security researchers, TA415's latest campaigns have targeted U.S. government entities, think tanks, and academic organizations focused on U.S.-China relations, trade, and economic policy. The group impersonated U.S. officials and the U.S.-China Business Council in spearphishing campaigns, sending emails with links to password-protected cloud archives containing malicious shortcut (LNK) files.

Upon execution, the LNK files triggered a batch script named 'vscode', which launched the WhirlCoil Python loader from an embedded Python package bundled in the archive. WhirlCoil downloaded the Visual Studio Code command-line interface (CLI) from official Microsoft sources and established persistence through scheduled tasks named 'vscode', 'code', or 'remote'.

WhirlCoil also opened Visual Studio Code Remote Tunnels, which gave the actors persistent access. The system information it collected, including Windows version details, locale settings, computer identifier, username, and domain, was transmitted via POST requests to free request logging services such as 'GroupMe'.

Through the tunnel, the threat actors could authenticate a remote session and execute arbitrary commands in Visual Studio Code's integrated terminal. The script registered the remote tunnels with GitHub authentication, further entrenching the persistent access.
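The persistence chain above (scheduled tasks named 'vscode', 'code' or 'remote' that start the VS Code CLI in tunnel mode) is something defenders can hunt for in exported task definitions. The following is an added example written for this page, not code from the article or from the researchers: it parses task XML in the format produced by `schtasks /query /xml` or `Export-ScheduledTask` and scores each task against those indicators. The two sample task definitions are constructed, the VS Code CLI executable names and the `--accept-server-license-terms` argument are assumptions about how such a task would look, and the "user-writable location" check is a general heuristic rather than something the article reports.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler exports (schtasks /query /xml, Export-ScheduledTask).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Task names the article reports the loader registering for persistence.
SUSPECT_TASK_NAMES = {"vscode", "code", "remote"}

# Executable names of the VS Code CLI (assumption); "tunnel" as an argument is Remote Tunnels mode.
VSCODE_CLI_IMAGES = {"code.exe", "code", "code.cmd"}

# Heuristic (assumption, not from the article): a persistence binary living under a user
# profile instead of Program Files deserves a second look.
USER_WRITABLE_MARKERS = ("\\appdata\\", "%appdata%", "%localappdata%", "\\temp\\", "%temp%")


def parse_task(xml_text):
    """Return (task_name, [(command, arguments), ...]) from an exported task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=TASK_NS)
    name = uri.rsplit("\\", 1)[-1]  # '\vscode' -> 'vscode'
    actions = []
    for exec_node in root.findall("t:Actions/t:Exec", TASK_NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return name, actions


def image_name(command):
    """Reduce a quoted or unquoted path such as 'C:\\dir\\code.exe' to 'code.exe'."""
    return command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess_task(xml_text):
    """Score one exported task against the indicators described in the article."""
    name, actions = parse_task(xml_text)
    findings = []
    if name.lower() in SUSPECT_TASK_NAMES:
        findings.append(f"task name '{name}' matches a reported persistence task name")
    for cmd, args in actions:
        exe = image_name(cmd)
        if exe in VSCODE_CLI_IMAGES and "tunnel" in args.lower().split():
            findings.append(f"action starts the VS Code CLI in tunnel mode: {cmd} {args}")
        if any(marker in cmd.lower() for marker in USER_WRITABLE_MARKERS):
            findings.append(f"action runs from a user-writable location: {cmd}")
    return {"task": name, "suspicious": bool(findings), "findings": findings}


def scan_tasks(task_xml_documents):
    """Return the assessments of every task that raised at least one finding."""
    return [r for r in map(assess_task, task_xml_documents) if r["suspicious"]]


# Constructed sample: what a task matching the article's description might export as.
# (Real exports start with a UTF-16 XML declaration; read those files as bytes before parsing.)
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\vscode</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\victim\AppData\Local\vscode-cli\code.exe</Command>
      <Arguments>tunnel --accept-server-license-terms</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample of an ordinary built-in task, to show the checks stay quiet on it.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Defrag\ScheduledDefrag</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\defrag.exe</Command>
      <Arguments>-c -h -o -$</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for result in scan_tasks([SUSPECT_TASK, BENIGN_TASK]):
        print(result["task"])
        for finding in result["findings"]:
            print("  -", finding)
```

On a live host, feed `scan_tasks` the output of `schtasks /query /xml` for each task (or iterate `Get-ScheduledTask | Export-ScheduledTask`); the task-name match alone is weak evidence, so treat the tunnel-mode action as the finding that warrants a closer look.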

Alongside the Microsoft shortcut (LNK) files, the archives carried hidden components stored within concealed MACOS subfolders. The group's focus in these operations has been on intelligence collection regarding U.S.-China economic relations.

In an unusual twist, TA415 has been using Google Sheets and Google Calendar for command and control communications, blending its traffic into legitimate cloud service use to avoid detection. This marks a departure from traditional command and control infrastructure.
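Because the C2 traffic rides on Google services that users reach all day, blocking the destinations is rarely an option; what stands out instead is which process is talking to them. The following is an added example written for this page, not code from the article or from the researchers: it runs over Sysmon Event ID 22 (DnsQuery) records and reports non-browser processes that repeatedly resolve Google Sheets or Calendar API hosts. The event records are constructed, the list of Google hostnames is an assumption about where such traffic would go (the article does not name the hosts the malware contacted), and the browser allow-list is a starting point to tune per environment.

```python
# Processes expected to talk to Google services constantly (assumed allow-list; tune per environment).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}

# Hostnames behind Google Sheets and Google Calendar access (assumed API endpoints;
# the article does not state which hosts the malware used).
GOOGLE_C2_CANDIDATE_HOSTS = {
    "sheets.googleapis.com",
    "www.googleapis.com",
    "oauth2.googleapis.com",
    "calendar.google.com",
    "docs.google.com",
}


def image_name(path):
    """Reduce a full image path such as 'C:\\dir\\python.exe' to 'python.exe'."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_dns_event(event):
    """Return a finding for a Sysmon Event ID 22 (DnsQuery) record, or None if it is uninteresting."""
    if event.get("EventID") != 22:
        return None
    host = event.get("QueryName", "").lower().rstrip(".")
    image = image_name(event.get("Image", ""))
    if host in GOOGLE_C2_CANDIDATE_HOSTS and image not in BROWSER_IMAGES:
        return {"host": host, "image": image, "pid": event.get("ProcessId"), "time": event.get("UtcTime")}
    return None


def hunt(events, min_hits=2):
    """Group flagged lookups per (image, pid); keep processes that beacon at least min_hits times."""
    hits = {}
    for event in events:
        finding = flag_dns_event(event)
        if finding:
            hits.setdefault((finding["image"], finding["pid"]), []).append(finding)
    return {key: val for key, val in hits.items() if len(val) >= min_hits}


# Constructed sample telemetry shaped like Sysmon DnsQuery events (field names as Sysmon emits them).
SAMPLE_EVENTS = [
    {"EventID": 22, "UtcTime": "2025-09-10 14:01:02", "ProcessId": 880,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "QueryName": "sheets.googleapis.com"},
    {"EventID": 22, "UtcTime": "2025-09-10 14:02:11", "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\python\python.exe", "QueryName": "oauth2.googleapis.com"},
    {"EventID": 22, "UtcTime": "2025-09-10 14:02:12", "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\python\python.exe", "QueryName": "sheets.googleapis.com"},
    {"EventID": 22, "UtcTime": "2025-09-10 14:07:12", "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\python\python.exe", "QueryName": "calendar.google.com"},
    {"EventID": 22, "UtcTime": "2025-09-10 14:08:40", "ProcessId": 1200,
     "Image": r"C:\Windows\System32\svchost.exe", "QueryName": "www.googleapis.com."},
    {"EventID": 22, "UtcTime": "2025-09-10 14:09:01", "ProcessId": 6032,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "QueryName": "outlook.office365.com"},
    {"EventID": 1, "UtcTime": "2025-09-10 14:02:10", "ProcessId": 4120,
     "Image": r"C:\Users\victim\AppData\Local\python\python.exe"},
]

if __name__ == "__main__":
    for (image, pid), findings in hunt(SAMPLE_EVENTS).items():
        print(f"{image} (pid {pid}) resolved {len(findings)} Google Sheets/Calendar hosts:")
        for f in findings:
            print(f"  {f['time']}  {f['host']}")
```

The single `svchost.exe` lookup is dropped by the `min_hits` threshold on purpose: many legitimate agents touch `www.googleapis.com` once, and it is the repeated, interpreter-driven pattern (here a `python.exe` under the user profile, matching the loader the article describes) that is worth escalating. Expect to raise the threshold and extend the allow-list once the rule meets real telemetry.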

TA415's infection methodology is a testament to the group's sophistication and adaptability. By leveraging trusted services and legitimate development tools, they have managed to bypass many security measures, underscoring the need for continuous vigilance in the cyber security landscape.
