Wednesday 24 September 15:00 - 15:30, Green room
Tim Chen & Still Hsu (TeamT5)
In recent years, China-nexus threat groups have increasingly adopted tactics to obscure their malware footprint, particularly through the use of LOTS (living off trusted sites) and LOLBins (living off the land binaries and scripts). Our latest research has uncovered a new malware variant named Calendarwalk. Calendarwalk employs tactics not previously observed within the APT landscape, such as abusing LOTS through Google Calendar events and exploiting LOLBins via Windows Workflow Foundation. In this talk, we will examine Calendarwalk and the unique techniques it employs, followed by an analysis of its connection to APT41 based on our findings.
In December 2024, our team identified two fully undetected (FUD) samples exploiting XOML (Extensible Object Markup Language) in Windows Workflow Foundation (WF) to execute their payloads. Based on our observations, we believe this is the first documented instance of an APT employing this technique in a real-world scenario. Our analysis of these samples uncovered two shellcode payloads compressed and encoded using a consistent multi-stage compression/encoding chain. One of these resulted in an AES variant of Chatloader (also known as DodgeBox or StealthVector) that was previously associated with APT41, and the other was a never-before-seen malware that we have dubbed Calendarwalk.
Our analysis of Calendarwalk revealed significant hurdles posed by its obfuscation techniques, rendering static analysis ineffective on unmodified binaries. After circumventing these defences through targeted assembly patching, we confirmed its capabilities – including a novel C2 mechanism that retrieves and executes commands via Google Calendar events. During our research we have also discovered overlapping similarities with Google Calendar RAT (GCR), an open-source proof-of-concept RAT that was published on GitHub in 2023, suggesting the malware developer may have taken heavy inspiration from the project.
We believe Calendarwalk is also closely connected to Tabbywalk (also referred to as CurveBack or MoonWalk), a malware family attributed to APT41 last year. While Calendarwalk leverages Google Calendar for its C2 mechanism, Tabbywalk uses Google Drive for similar purposes. Both cases also involved the same version of Chatloader. We will explore the relationship between Calendarwalk and Tabbywalk to establish a potential attribution link.
Our research will highlight the evolving tactics and techniques used by Chinese APT groups, emphasizing their increasing reliance on LOTS and LOLBins to achieve their objectives.
Tim Chen Tim is a threat intelligence researcher at TeamT5. He is interested in threat hunting, malware analysis and incident response. Currently, his research focuses on the APT threat in the East Asia region, especially APT41-related groups. He has presented at events such as BlackHat Asia and Threat Analyst Summit.
Still Hsu Still is a cyber-threat intelligence researcher at TeamT5. They are highly passionate and active in community discussion surrounding topics of malware and APTs. Specifically, Still is very outspoken and loves to teach students how to get started in malware research and reverse engineering. They have become one of the core members of the malware research team at TeamT5.