TeamT5 Will be at VirusBulletin (VB)

We’re excited to share that we will be delivering a speech in VirusBulletin (VB) where we’ll be discussing the China-nexus campaign with stealthy tactics.

Stay tuned for insights from our experts!

In recent years, China-nexus threat groups have increasingly adopted tactics to obscure their malware footprint, particularly through the use of LOTS (living off trusted sites) and LOLBins (living off the land binaries and scripts). Our latest research has uncovered a new malware variant named Calendarwalk. Calendarwalk employs tactics not previously observed within the APT landscape, such as abusing LOTS through Google Calendar events and exploiting LOLBins via Windows Workflow Foundation. In this talk, we will examine Calendarwalk and the unique techniques it employs, followed by an analysis of its connection to APT41 based on our findings.

In December 2024, our team identified two dully undetected (FUD) samples exploiting XOML (Extensible Object Markup Language) in Windows Workflow Foundation (WF) to execute their payloads. Based on our observations, we believe this is the first documented instance of an APT employing this technique in a real-world scenario. Our analysis of these samples uncovered two shellcode payloads compressed and encoded using a consistent multi-stage compression/encoding chain. One of these resulted in an AES variant of Chatloader (also known as DodgeBox or StealthVector) that was previously associated with APT41, and the other being a never-before-seen malware that we have dubbed Calendarwalk.

Our analysis of Calendarwalk revealed significant hurdles posed by its obfuscation techniques, rendering static analysis ineffective on unmodified binaries. After circumventing these defences through targeted assembly patching, we confirmed its capabilities – including a novel C2 mechanism that retrieves and executes commands via Google Calendar events. During our research we have also discovered overlapping similarities with Google Calendar RAT (GCR), an open-source proof-of-concept RAT that was published on GitHub in 2023, suggesting the malware developer may have taken heavy inspiration from the project.

We believe Calendarwalk is also closely connected to Tabbywalk (also referred to as CurveBack or MoonWalk), a malware family attributed to APT41 last year. While Calendarwalk leverages Google Calendar for its C2 mechanism, Tabbywalk uses Google Drive for similar purposes. Both cases also involved the same version of Chatloader. We will explore the relationship between Calendarwalk and Tabbywalk to establish a potential attribution link.

Our research will highlight the evolving tactics and techniques used by Chinese APT groups, emphasizing their increasing reliance on LOTS and LOLBins to achieve their objectives.