Query Details

IOCs Associated with APT41's Malware Delivery via Google Calendar

Query

**IOCs Associated with APT41’s Malware Delivery via Google Calendar**

APT41, a threat actor linked to China, employed a sophisticated malware delivery and execution technique in a recent campaign. To summarise, the steps are:

▶️ Initial Access via Spear Phishing: They sent targeted emails containing links to a ZIP archive hosted on a compromised government website.

▶️ Malicious Archive Contents: The ZIP file included an LNK file disguised as a PDF and a directory with .jpg images.

▶️ Execution and Deception: When the LNK file was executed, it deleted itself and displayed a decoy PDF to distract the user.

▶️ Malware Deployment: Simultaneously, the malware payload, named "TOUGHPROGRESS," was deployed.

▶️ Command and Control via Google Calendar: The malware utilized Google Calendar for command and control communications, blending malicious traffic with legitimate services to evade detection.

This approach highlights APT41's tactic of leveraging trusted platforms for malicious activity. Note that the query below covers only the email delivery stage of the chain (sender domains, clicked short links and attachment hashes); the Google Calendar C2 traffic is not visible in these email tables.


```
// IOC lists for the APT41 / TOUGHPROGRESS campaign: payload hashes, hosting domains and short links
let SHA256Hashes = dynamic(['469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a', '3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb', '50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360', '151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7']);
let Domains = dynamic(['word.msapp.workers.dev', 'cloud.msapp.workers.dev', 'term-restore-satisfied-hence.trycloudflare.com', 'ways-sms-pmc-shareholders.trycloudflare.com', 'resource.infinityfreeapp.com', 'pubs.infinityfreeapp.com']);
let URLs = dynamic(['https://lihi.cc/6dekU', 'https://lihi.cc/v3OyQ', 'https://lihi.cc/5nlgd', 'https://lihi.cc/edcOv', 'https://lihi.cc/4z5sh', 'https://tinyurl.com/mr42t4yv', 'https://tinyurl.com/hycev3y7', 'https://tinyurl.com/mpa2c5wj', 'https://tinyurl.com/3wnz46pv', 'https://my5353.com/ppOH5', 'https://my5353.com/nWyTf', 'https://my5353.com/fPUcX', 'https://my5353.com/ZwEkm', 'https://my5353.com/vEWiT', 'https://reurl.cc/WNr2Xy']);
EmailEvents
// Only messages that actually reached a mailbox folder (DeliveryLocation is e.g. "Inbox/folder")
| where DeliveryLocation has "Inbox"
// Inner joins: a message survives only if it has at least one recorded URL click AND at least one attachment
| join kind=inner (UrlClickEvents) on NetworkMessageId
| join kind=inner (EmailAttachmentInfo) on NetworkMessageId
// Match sender domains, the clicked URL or the attachment hash against the IOC lists
| where SenderFromDomain has_any (Domains)
    or SenderMailFromDomain has_any (Domains)
    or Url has_any (URLs)
    or SHA256 has_any (SHA256Hashes)
```

Explanation

This KQL (Kusto Query Language) query is designed to identify email events related to a specific cyber threat campaign by APT41, a threat actor group. Here's a simplified summary of what the query does:

  1. Define Indicators of Compromise (IOCs):

    • The query starts by defining three sets of IOCs: SHA256 hashes, domains, and URLs. These are known indicators associated with the APT41 malware campaign.
  2. Filter Email Events:

    • The query looks at email events where the emails were delivered to the inbox.
  3. Join with URL Click Events:

    • It joins these email events with URL click events on NetworkMessageId, so each clicked URL is tied to the message it came from. Because this is an inner join, messages with no recorded click are dropped.
  4. Join with Email Attachment Info:

    • It further joins with email attachment information, again on NetworkMessageId, to obtain the SHA256 hash of each attachment. This is also an inner join, so messages without attachments are dropped as well; an email that matches only on sender domain will therefore not appear unless it also has a clicked URL and an attachment.
  5. Identify Malicious Activity:

    • The query filters the results to find emails where:
      • The sender's domain or the sender's "mail from" domain matches any of the known malicious domains.
      • The URL in the email matches any of the known malicious URLs.
      • The SHA256 hash of any attachment matches any of the known malicious hashes.

In essence, this query is used to detect and analyze emails that are potentially part of APT41's spear-phishing delivery of TOUGHPROGRESS. It covers the delivery stage only: the Google Calendar command-and-control traffic described above is not represented in the email tables and needs a separate network- or endpoint-based hunt.
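A more permissive variant of the hunt, added here as an example and not part of the original query: it keeps messages that match only on sender domain (left outer joins instead of inner), uses exact case-insensitive comparisons (in~) where the indicator is a whole hash or domain, also looks for the hosting domains inside clicked URLs, and collapses clicks and attachments to one row per message so a message is not repeated once per click or per attachment. It assumes the same Microsoft Defender XDR advanced hunting tables and columns used above; the ClickHits and AttachmentHits names are local to this example.

```kql
// Added example, not the original query. Same IOC lists as above; assumes the
// Defender XDR tables EmailEvents, UrlClickEvents and EmailAttachmentInfo.
let SHA256Hashes = dynamic(['469b534bec827be03c0823e72e7b4da0b84f53199040705da203986ef154406a', '3b88b3efbdc86383ee9738c92026b8931ce1c13cd75cd1cda2fa302791c2c4fb', '50124174a4ac0d65bf8b6fd66f538829d1589edc73aa7cf36502e57aa5513360', '151257e9dfda476cdafd9983266ad3255104d72a66f9265caa8417a5fe1df5d7']);
let Domains = dynamic(['word.msapp.workers.dev', 'cloud.msapp.workers.dev', 'term-restore-satisfied-hence.trycloudflare.com', 'ways-sms-pmc-shareholders.trycloudflare.com', 'resource.infinityfreeapp.com', 'pubs.infinityfreeapp.com']);
let URLs = dynamic(['https://lihi.cc/6dekU', 'https://lihi.cc/v3OyQ', 'https://lihi.cc/5nlgd', 'https://lihi.cc/edcOv', 'https://lihi.cc/4z5sh', 'https://tinyurl.com/mr42t4yv', 'https://tinyurl.com/hycev3y7', 'https://tinyurl.com/mpa2c5wj', 'https://tinyurl.com/3wnz46pv', 'https://my5353.com/ppOH5', 'https://my5353.com/nWyTf', 'https://my5353.com/fPUcX', 'https://my5353.com/ZwEkm', 'https://my5353.com/vEWiT', 'https://reurl.cc/WNr2Xy']);
// Clicks that hit a known short link, or a URL on one of the hosting domains; one row per message
let ClickHits = UrlClickEvents
    | where Url has_any (URLs) or Url has_any (Domains)
    | summarize ClickedUrls = make_set(Url), ClickedBy = make_set(AccountUpn) by NetworkMessageId;
// Attachments whose hash is on the list; one row per message
let AttachmentHits = EmailAttachmentInfo
    | where SHA256 in~ (SHA256Hashes)
    | summarize AttachmentNames = make_set(FileName), AttachmentHashes = make_set(SHA256) by NetworkMessageId;
EmailEvents
| where DeliveryLocation has "Inbox"
// leftouter rather than inner: a message that matches only on sender domain is still returned
| join kind=leftouter (ClickHits) on NetworkMessageId
| join kind=leftouter (AttachmentHits) on NetworkMessageId
| where SenderFromDomain in~ (Domains)
    or SenderMailFromDomain in~ (Domains)
    or isnotempty(ClickedUrls)        // null when no click matched (leftouter)
    or isnotempty(AttachmentHashes)   // null when no attachment matched
| project Timestamp, NetworkMessageId, Subject, SenderFromAddress, SenderMailFromDomain,
          RecipientEmailAddress, DeliveryAction, ClickedUrls, ClickedBy, AttachmentNames, AttachmentHashes
| order by Timestamp desc
```

Matching the hosting domains against clicked URLs matters because the listed domains served the archive and later payload stages rather than being confirmed sender domains; a message whose sender domain is unremarkable but whose link points at one of them is still surfaced. If you need the per-click detail (IP address, click-through flag), drop the summarize in ClickHits and accept one row per click.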

Details


Sergio Albea

Released: May 28, 2025

Tables

EmailEvents, UrlClickEvents, EmailAttachmentInfo

Keywords

EmailEvents, UrlClickEvents, EmailAttachmentInfo, Domains, Url, Sha256Hashes, SenderFromDomain, SenderMailFromDomain, Inbox, NetworkMessageId

Operators

let, dynamic, has, join, on, ==, where, has_any
