
Cyber Spies Abused Google Calendar to Control Infected Systems

By Netvora Tech News


Hackers posing as cyber spies and cybercriminals have been using Google Calendar to control infected systems, according to a Google analysis. The group, known as APT41, has been active since 2014 and has been linked to multiple attacks on government agencies.

The attack, which targeted several unnamed government agencies, began with spear phishing emails containing a link to a compromised website. The link led to a zip file containing a malicious file with a double extension, .PDF.LNK. When the target opened the .LNK file, malware was executed in the background.

To communicate with the infected systems, the attackers used Google Calendar. The malware initially sent encrypted data from the infected system to Google Calendar, allowing the attackers to issue commands and have the malware execute them on the infected system. Google discovered the attack and took the necessary steps to remove the affected calendars and inform affected organizations.

How the Attack Worked

The attack was a sophisticated and multi-step process, involving spear phishing emails, compromised websites, and the use of Google Calendar to control infected systems.

  • Spear Phishing Emails: The attackers sent targeted phishing emails to government agencies, containing links to compromised websites.
  • Compromised Website: The link led to a compromised website, which downloaded a zip file containing a malicious file with a double extension, .PDF.LNK.
  • Malware Execution: When the target opened the .LNK file, malware was executed in the background.
  • Google Calendar Communication: The malware used Google Calendar to send encrypted data to the attackers and receive commands to execute on the infected system.

Google's discovery of the attack highlights the importance of vigilance in the face of sophisticated cyber threats and the need for organizations to take proactive steps to protect themselves against these types of attacks.
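
One proactive check a mail or web gateway can apply to the delivery step described above is to inspect zip attachments for members named like the .PDF.LNK file. The following is an added example, not code from Google's analysis or from this article; it generalizes the single .PDF.LNK case to other decoy and launcher extensions, and the extension lists, function names and sample archive are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed lists: extensions Windows launches on double-click, and
# document-like extensions used as the harmless-looking decoy half.
LAUNCHER_EXTS = {".lnk", ".scr", ".exe", ".js", ".vbs", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}

# Constructed sample member names; contents are harmless placeholder bytes.
SAMPLE_NAMES = ["report.PDF.LNK", "docs/readme.txt", "notes.v2.pdf"]


def build_sample_zip(names=SAMPLE_NAMES):
    """Build an in-memory zip with the given member names (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


def suspicious_members(zip_bytes):
    """Return archive members whose name ends in <decoy ext><launcher ext>."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Keep only the file name; accept either path separator.
            name = PurePosixPath(info.filename.replace("\\", "/")).name
            # Windows drops trailing dots and spaces, so "x.pdf.lnk. " still
            # opens as a shortcut; normalise before reading the extensions.
            name = name.rstrip(". ").lower()
            suffixes = PurePosixPath(name).suffixes
            if (len(suffixes) >= 2
                    and suffixes[-1] in LAUNCHER_EXTS
                    and suffixes[-2] in DECOY_EXTS):
                hits.append(info.filename)
    return hits


if __name__ == "__main__":
    for member in suspicious_members(build_sample_zip()):
        print("flag:", member)
```

Explorer hides the .lnk extension by default, so a file like this is displayed to the user as a PDF; quarantining the archive before delivery removes that decision from the recipient.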
