Hackers abuse Google Command and Control red team tool in attacks

The Chinese state-sponsored hacking group APT41 was found abusing the GC2 (Google Command and Control) red teaming tool in data theft attacks against a Taiwanese media and an Italian job search company.

APT 41, also known as HOODOO, is a Chinese state-sponsored hacking group known to target a wide range of industries in the USA, Asia, and Europe. Mandiant has been  since 2014, saying its activities overlap with other known Chinese hacking groups, such as BARIUM and Winnti.

In Google’s April 2023 Threat Horizons Report, released last Friday, security researchers in its Threat Analysis Group (TAG) revealed that APT41 was abusing the GC2 red teaming tool in attacks.

GC2, also known as Google Command and Control, is an open-source project written in Go that was designed for red teaming activities.

“This program has been developed in order to provide a command and control that does not require any particular set up (like: a custom domain, VPS, CDN, …) during Red Teaming activities,” reads the project’s .

“Furthermore, the program will interact only with Google’s domains (* to make detection more difficult.”

The project consists of an agent that is deployed on compromised devices, which then connects back to a Google Sheets URL to receive commands to execute.

These commands cause the deployed agents to download and install additional payloads from Google Drive or exfiltrate stolen data to the cloud storage service.

GC2 abused in attacks

According to Google’s report, TAG disrupted an APT41 phishing attack against a Taiwanese media company that attempted to distribute the GC2 agent through phishing emails.

“In October 2022, Google’s Threat Analysis Group (TAG) disrupted a campaign from HOODOO, a Chinese government-backed attacker also known as APT41, that targeted a Taiwanese media organization by sending phishing emails that contained links to a password protected file hosted in Drive,” explained the .

“The payload was an open source red teaming tool called “Google Command and Control” (GC2).”

Google says that APT41 also used GC2 in attacks against an Italian job search website in July 2022.

Using the agent, Google says that the threat actors attempted to deploy additional payloads on the device and exfiltrate data to Google Drive, as illustrated in the attack workflow below.

APT41 GC2 attack workflow
APT41 GC2 attack workflow
Source: Google

While it is not known what malware was distributed in these attacks, APT41 is known to deploy a wide variety of malware on compromised systems.

A  explains that the threat actors utilize rootkits, bootkits, custom malware, backdoors, Point of Sale malware, and even ransomware in an isolated incident.

The threat actors have also been known to deploy the Winnti malware and the China Chopper web shell, tools commonly used by Chinese hacking groups, and Cobalt Strike for persistence in compromised networks.

In 2020, the Department of Justice  believed to be part of APT41 for conducting supply chain attacks [, , ], data theft, and breaches against countries worldwide.

BleepingComputer contacted Google to learn more about the payloads they saw in these attacks, but a response was not immediately available.

A shift to legitimate tools

APT41’s use of GC2 is another indicator of a trend of threat actors moving to legitimate red teaming tools and RMM platforms as part of their attacks.

While  has been widespread for years, it has also led to significant investments into detecting it in attacks, making it more easily spotted by defenders.

Due to this, threat actors have started to shift to other red teaming tools, such as  and , to evade detection during their attacks.

More recently,  remote monitoring and management (RMM) tool for persistence on compromised networks and to execute commands, scripts, and binaries.  

Unfortunately, as with any tool that can help red teamers conduct exercises or for admins to manage a network remotely, they can equally be abused by threat actors in their own attacks.