Old but gold!
While doing research for an upcoming threat emulation exercise, I came across GC2 (Google Command and Control), a very useful tool for Red Teaming, Threat Emulations and Pentests, so I thought I should share it.
GC2 (Google Command & Control)
GC2 is a Command and Control application that allows an attacker to execute commands on the target machine using a Google Sheet or a Microsoft SharePoint List and exfiltrate files using Google Drive or a Microsoft SharePoint Document library.
Naturally, I looked for known abuse cases that utilized this tool and one I found very interesting was the attack by APT41 on an unnamed Taiwanese media organization as reported by Google’s TAG (Threat Analysis Group).
APT41 - Barium
APT41 is a China-based threat actor that carries out state-sponsored espionage and financially motivated operations for personal gain.
The threat actor started the attack sequence with a phishing email containing a password-protected file hosted on Google Drive. If the victim accessed the file, the victim’s system would download the malware payload, which was the GC2 tool.
By installing GC2, the attackers could then query Google Sheets to obtain attacker commands and exfiltrate data via Google Drive.
Additionally, GC2 enabled APT41 to download additional files from Google Drive onto the victim system.
Google’s report notes that this attack illustrates two trends: the increasing use of publicly available tooling like GC2 to obfuscate malicious traffic (all C2 and exfiltration traffic goes to Google domains), and the use of malware and tools written in Go, a cross-platform language that lets a single codebase target Windows, Mac, and Linux.
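As an added illustration (not part of the original post or of GC2 itself) of how the "blends into Google traffic" point can be turned into a detection, the script below scans constructed proxy log lines for a non-browser process that polls the Sheets API at a steady interval and pushes data to the Drive API from the same host. The log format, process names, hostnames being the Google API endpoints, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed sample proxy log lines (hypothetical format):
# <epoch> <client_ip> <process> <method> <host> <bytes_out>
SAMPLE_LOG = """\
1700000000 10.0.0.5 updater.exe GET sheets.googleapis.com 420
1700000060 10.0.0.5 updater.exe GET sheets.googleapis.com 418
1700000120 10.0.0.5 updater.exe GET sheets.googleapis.com 421
1700000180 10.0.0.5 updater.exe GET sheets.googleapis.com 417
1700000200 10.0.0.5 updater.exe POST drive.googleapis.com 2048000
1700000240 10.0.0.5 updater.exe GET sheets.googleapis.com 419
1700000010 10.0.0.7 chrome.exe GET docs.google.com 1200
1700000300 10.0.0.7 chrome.exe GET sheets.googleapis.com 500
1700000050 10.0.0.9 outlook.exe GET sheets.googleapis.com 300
"""

# Hostnames of the Google APIs a Sheets/Drive-based C2 would talk to (assumption).
GOOGLE_API_HOSTS = {"sheets.googleapis.com", "drive.googleapis.com"}
# Processes for which Google API traffic is expected and therefore ignored.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")

def parse(log: str):
    """Yield (ts, ip, process, method, host, bytes) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, proc, method, host, size = m.groups()
            yield int(ts), ip, proc, method, host, int(size)

def find_suspicious(log: str, min_polls: int = 3, jitter: float = 0.2):
    """Return {(ip, process): details} for non-browser processes that fetch the
    Sheets API at a regular cadence (beacon-like) and report any Drive uploads."""
    polls, uploads = defaultdict(list), defaultdict(int)
    for ts, ip, proc, method, host, size in parse(log):
        if host not in GOOGLE_API_HOSTS or proc in BROWSERS:
            continue
        if host == "sheets.googleapis.com" and method == "GET":
            polls[(ip, proc)].append(ts)
        elif host == "drive.googleapis.com" and method in ("POST", "PUT"):
            uploads[(ip, proc)] += size
    findings = {}
    for key, times in polls.items():
        if len(times) < min_polls:
            continue  # too few requests to judge cadence
        gaps = [b - a for a, b in zip(sorted(times), sorted(times)[1:])]
        avg = mean(gaps)
        if all(abs(g - avg) <= jitter * avg for g in gaps):  # steady interval
            findings[key] = {"polls": len(times), "interval": avg,
                             "bytes_to_drive": uploads.get(key, 0)}
    return findings
```

Running `find_suspicious(SAMPLE_LOG)` flags only `updater.exe` on 10.0.0.5; the browser traffic and the single Outlook request are ignored.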