Disrupting Attackers to Protect Google, Our Users, and Our Customers
GTIG’s goal is not just to monitor threats, but to counter and disrupt them. At Google, we aim to protect our users and customers at scale by proactively blocking malware campaigns across our products.
To disrupt APT41 and TOUGHPROGRESS malware, we have developed custom fingerprints to identify and take down attacker-controlled Calendars. We have also terminated attacker-controlled Workspace projects, effectively dismantling the infrastructure that APT41 relied on for this campaign. Additionally, we updated file detections and added malicious domains and URLs to the Google Safe Browsing blocklist.
In partnership with Mandiant Consulting, GTIG notified the compromised organizations. We provided the notified organizations with a sample of TOUGHPROGRESS network traffic logs, and information about the threat actor, to aid with detection and incident response.
Protecting Against Ongoing Activity
GTIG has been actively monitoring and protecting against APT41’s attacks using Workspace apps for several years. This threat group is known for their creative malware campaigns, sometimes leveraging Workspace apps.
-
Google Cloud’s Office of the CISO published the April 2023 Threat Horizons Report detailing HOODOO’s use of Google Sheets and Google Drive for malware C2.
-
In October 2024, Proofpoint published a report attributing the VOLDEMORT malware family to APT41.
-
The DUSTTRAP malware family, reported by GTIG and Mandiant in July of 2024, used Public Cloud hosting for C2.
In each case, GTIG identified and terminated the attacker-controlled Workspace projects and infrastructure APT41 relied on for these campaigns.
Free Web Hosting Infrastructure
Since at least August 2024, we have observed APT41 using free web hosting tools for distributing their malware. This includes VOLDEMORT, DUSTTRAP, TOUGHPROGRESS and likely other payloads as well. Links to these free hosting sites have been sent to hundreds of targets in a variety of geographic locations and industries.
APT41 has used Cloudflare Worker subdomains the most frequently. However, we have also observed use of InfinityFree and TryCloudflare. The specific subdomains and URLs here have been observed in previous campaigns, but may no longer be in use by APT41.
Cloudflare Workers
TryCloudflare
InfinityFree
APT41 has also been observed using URL shorteners in their phishing messages. The shortened URL redirects to their malware hosted on free hosting app subdomains.
-
https[:]//lihi[.]cc/6dekU
-
https[:]//tinyurl[.]com/hycev3y7
-
https[:]//my5353[.]com/nWyTf
-
https[:]//reurl[.]cc/WNr2Xy
All domains and URLs in this blog post have been added to the Safe Browsing blocklist. This enables a warning on site access and prevents users from downloading the malware.
Indicators of Compromise
The IOCs in this blog post are also available as a collection in Google Threat Intelligence.