
November 06, 2023 | Newsroom | Cyber Attack / Online Security


Google is warning that multiple threat actors are sharing a public proof-of-concept (PoC) exploit that abuses its Calendar service to host command-and-control (C2) infrastructure.

The tool, called Google Calendar RAT (GCR), uses Google Calendar events as a C2 channel through a Gmail account. It was first published to GitHub in June 2023.

According to its developer, a researcher who goes by the online pseudonym MrSaighnal, "The script creates a 'Secret Channel' using event descriptions from Google Calendar. The target will connect directly to Google."

The tech giant, in its eighth Threat Horizons report, said it had not observed the tool being used in the wild, but noted that its Mandiant threat intelligence unit had seen multiple threat actors sharing the PoC on underground forums.


"GCR, running on the trusted machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with the command output," Google said.

Because the tool communicates exclusively with legitimate Google infrastructure, its traffic blends in with ordinary Calendar usage: destination reputation, domain blocklists and TLS inspection of the hostname give defenders nothing to act on. Detection has to fall back on behavioural signals, such as a non-browser process polling the Calendar API on a fixed cadence, rather than on where the traffic goes.
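The poll-execute-update loop Google describes leaves one observable that the choice of a trusted destination cannot hide: the polling cadence. The following detector is an added example written for this article, not code from Google, Mandiant or the GCR project. It groups proxy requests to the Google Calendar API (the v3 REST endpoint lives under www.googleapis.com/calendar/v3/, which is a documented fact; the specific event path, client addresses, timestamps and user-agent strings in the sample log are constructed) by client and user agent, measures the jitter of the inter-request intervals, and flags clients whose requests arrive at a near-constant interval. The log format is an assumption for the example; adapt the regex to your proxy's layout.

```python
"""Flag Calendar-API polling with beacon-like regularity in a proxy log.

Added example for the article above; not part of GCR or of Google's report.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log, not real traffic. One request per line:
# <ISO-8601 timestamp> <client_ip> <host> <path> "<user-agent>"
# 10.0.0.5 polls one event roughly every 60 s with a non-browser client
# (beacon-like); 10.0.0.9 and 10.0.0.7 are irregular, human-driven usage.
SAMPLE_LOG = """\
2023-11-06T09:00:00 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:00:05 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:00:07 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:01:01 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:01:59 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:03:00 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:04:02 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:05:00 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:05:59 10.0.0.5 www.googleapis.com /calendar/v3/calendars/primary/events/3k9f2 "google-api-python-client/2.100.0 (gzip)"
2023-11-06T09:12:30 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:12:31 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:40:00 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:40:03 10.0.0.9 www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/118.0"
2023-11-06T09:41:00 10.0.0.7 calendar.google.com /calendar/u/0/r "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_6) Safari/605.1.15"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def parse_log(text):
    """Parse the assumed log layout into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, client, host, path, ua = match.groups()
        events.append({"ts": datetime.fromisoformat(ts), "client": client,
                       "host": host, "path": path, "ua": ua})
    return events


def is_calendar_api(event):
    """True for requests to the Calendar REST API (not the web UI host)."""
    return event["host"] == "www.googleapis.com" and event["path"].startswith("/calendar/")


def find_beacons(events, min_requests=5, max_cv=0.15, min_interval=5.0):
    """Return clients whose Calendar-API requests show low-jitter cadence.

    Regularity is measured as the coefficient of variation (stdev / mean)
    of the gaps between consecutive requests from one (client, user-agent).
    """
    by_client = defaultdict(list)
    for ev in events:
        if is_calendar_api(ev):
            by_client[(ev["client"], ev["ua"])].append(ev["ts"])

    findings = []
    for (client, ua), stamps in by_client.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge cadence
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean < min_interval:
            continue  # bursts of near-simultaneous requests are page loads, not polling
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            findings.append({
                "client": client,
                "ua": ua,
                "requests": len(stamps),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                # A non-browser user agent strengthens the finding; legitimate
                # sync clients also poll on a timer, so this is a triage signal.
                "browser_ua": ua.startswith("Mozilla/"),
            })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Run as-is, the script reports a single client, 10.0.0.5, with seven requests about 60 seconds apart and a jitter well under two percent, while the browser-driven clients fall out on the cadence test. Tune `min_requests` and `max_cv` against a baseline of your own Calendar traffic; legitimate desktop sync tools also poll on a schedule, so the output is a lead for triage (which process owns the connection, whether the account is a corporate one), not a verdict.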

The development underscores threat actors' continued interest in abusing cloud services to infiltrate a victim's environment and fly under the radar.

This includes an Iranian nation-state actor observed using macro-laced documents to compromise users with a small .NET backdoor for Windows, codenamed BANANAMAIL, that uses email for C2.

“The backdoor uses IMAP to connect to a webmail account controlled by the attacker, where it parses emails for commands, executes them, and sends back an email with the results,” Google said.

Google’s Threat Analysis Group said it disabled attacker-controlled Gmail accounts used as conduits by the malware.

 
