Pierluigi Paganini November 06, 2023

Google warns of multiple threat actors that are leveraging its Calendar service as a command-and-control (C2) infrastructure.

Google warns of multiple threat actors sharing a public proof-of-concept (PoC) exploit, named Google Calendar RAT, that relies on Calendar service to host command-and-control (C2) infrastructure.

Google Calendar RAT is a PoC of Command&Control (C2) over Google Calendar Events, it was developed red teaming activities.

“To use GRC, only a Gmail account is required.” reads the description of the PoC published on GitHub. “The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.” It could be considered as a layer 7 application Covert Channel (but some friends would say it cannot be very thanks to my mates “Tortellini” https://aptw.tf )”

Google has yet to observe the use of GCR in the wild to date, but according to the eighth Threat Horizons report, Mandiant has seen multiple actors sharing the public proof of concept on underground forums.

The abuse of the Google service makes it hard for defenders to uncover malicious activity.

“While we have not seen the use of GCR in the wild to date, Mandiant has noted multiple actors sharing the public proof of concept on underground forums, illustrating the ongoing interest in abusing cloud services. GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output.” reads the Google Report. “According to the developer, GCR communicates exclusively via legitimate infrastructure operated by Google, making it difficult for defenders to detect suspicious activity.”

Google TAG has previously observed threat actors abusing Google services in their operations. In March 2023, TAG spotted an Iran-linked APT group using macro docs to infect users with a small .NET backdoor, BANANAMAIL that relies on Gmail as C2 infrastructure. The backdoor uses IMAP to connect to a webmail account used by the attackers and it parses emails for commands to execute.

At the time, TAG experts disabled the attacker-controlled Gmail accounts used as C2 infrastructure.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google Calendar RAT)