Google recently warned that hackers could abuse its calendar service (Google Calendar) as a covert command and control channel.
According to The Hacker News, Google has warned that multiple threat actors are sharing public exploits that take advantage of its calendar service to host command and control (C2) infrastructure.
The tool, called Google Calendar RAT (GCR), uses the app's events feature for command and control via a Gmail account. It was first published on GitHub in June 2023.
Security researcher MrSaighnal said the code creates a covert channel by exploiting event descriptions in Google Calendar. In its eighth Threat Report, Google said it had not observed the tool being used in the wild, but noted that its Mandiant threat intelligence unit had seen multiple threat actors sharing the proof of concept (PoC) on underground forums.
Google says GCR runs on a compromised machine, periodically polling the event description for new commands, executing them on the target device, and then updating the event description. Because the tool operates on legitimate infrastructure, the traffic blends in with normal use and suspicious activity is difficult to detect.
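The detection angle that follows from this description is cadence rather than destination: a Calendar polling loop hits the same API endpoint on a near-constant interval, while real users and browsers produce bursty, irregular requests. The script below is an added example for defenders, not code from the article or from the GCR project. It parses a small constructed web-proxy log, groups requests to the Google Calendar REST API (the `/calendar/v3/` path prefix) by client and user agent, and flags groups whose inter-request gaps are suspiciously regular. The log format, field names, client addresses and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Tab-separated fields:
# timestamp, client IP, user agent, requested host+path.
# 10.0.0.5 polls the Calendar events endpoint every 30 s with a scripting
# UA; 10.0.0.7 is a browser with irregular, human-looking gaps;
# 10.0.0.9 talks to a non-Calendar Google endpoint and is out of scope.
SAMPLE_LOG = """\
2023-11-06T09:00:00\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:30\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:00\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:30\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:00\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:30\t10.0.0.5\tpython-requests/2.31.0\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:05:12\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:07:48\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:13:05\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:13:09\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:21:40\t10.0.0.7\tMozilla/5.0 (Windows NT 10.0; Win64; x64)\twww.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:05\t10.0.0.9\tcurl/8.1.0\twww.googleapis.com/oauth2/v3/userinfo
2023-11-06T09:00:35\t10.0.0.9\tcurl/8.1.0\twww.googleapis.com/oauth2/v3/userinfo
"""

# Path prefix of the Google Calendar REST API; anything else is ignored.
CALENDAR_PATH_MARKER = "/calendar/v3/"


def parse_log(text):
    """Parse tab-separated proxy lines into dicts, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, client, ua, url = parts
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "ua": ua,
            "url": url,
        })
    return records


def find_calendar_pollers(records, min_requests=4, max_cv=0.15):
    """
    Return (client, user agent) pairs that hit the Calendar API on a
    near-constant interval. Regularity is the coefficient of variation
    (population stdev / mean) of the gaps between consecutive requests:
    a polling loop yields nearly identical gaps, people do not.
    """
    by_client = defaultdict(list)
    for r in records:
        if CALENDAR_PATH_MARKER in r["url"]:
            by_client[(r["client"], r["ua"])].append(r["ts"])

    findings = []
    for (client, ua), times in by_client.items():
        if len(times) < min_requests:
            continue  # too few samples to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "user_agent": ua,
                "requests": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
                # A polling loop can spoof a browser UA, so cadence stays
                # the primary criterion; this flag only helps triage.
                "browser_like": ua.startswith("Mozilla/"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_calendar_pollers(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only 10.0.0.5 is reported: six requests exactly 30 s apart (CV 0.0) from a non-browser user agent. Real deployments would add jitter tolerance (a looser `max_cv`) and correlate the flagged client with process or EDR telemetry, since legitimate calendar sync clients also poll, just usually at longer intervals and from known binaries.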
This case is another example of threat actors abusing cloud services to infiltrate victims' devices and hide there. Previously, a group of hackers believed to be linked to the Iranian government used documents containing macro code to open a backdoor on Windows computers and issue control commands via email.
Google said the backdoor uses IMAP to connect to a webmail account controlled by the hacker, parses the email to retrieve commands, executes them, and sends back an email containing the results. Google's Threat Analysis Group disabled the attacker-controlled Gmail accounts that the malware used as conduits.