Google has published an advisory regarding a potential threat that could exploit Google Calendar.
The advisory warns that malicious actors could abuse the company’s Calendar service. Google disclosed that it had detected multiple threat actors sharing a public proof-of-concept (PoC) that demonstrates a command-and-control (C2) channel hidden within Google Calendar.
This tool, known as Google Calendar RAT (GCR), uses Google Calendar events together with a Gmail account for its C2 operations. GCR first appeared on GitHub in the summer of 2023.
The tool was written by a developer and researcher called Mr. Saighnal, who explains that the script establishes a ‘covert channel’ by manipulating event descriptions in Google Calendar, so that the implant’s traffic goes directly to Google.
Google says the PoC has not yet been seen in use against Google Calendar.
According to the company, it has yet to observe any unauthorised party using the Google Calendar PoC in the wild. However, a separate threat intelligence unit has seen several threat actors distributing the PoC on underground forums, which raises concern.
Further research explains that GCR runs on a compromised machine, periodically polling the Calendar event descriptions for new commands, executing them on the victim device, and writing the command output back into the event description. Because the tool relies exclusively on legitimate infrastructure, defenders face a significant challenge: the malicious traffic is hard to pick out from normal use of the same services.
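A defender-side heuristic for the polling pattern just described, added here as an example and not code from the advisory or the GCR project. It assumes you already have periodic snapshots of a calendar’s events carrying the Calendar API event fields id, summary, description and updated, and it flags events whose description is rewritten repeatedly at short intervals; the sample snapshots and the thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample snapshots (not real data). Fields mirror the Calendar API
# events resource: id, summary, description, updated. evt-1 shows the GCR
# pattern: the description alternates between a command and its output
# every ~30 seconds; evt-2 is an ordinary meeting edited once.
SNAPSHOTS = [
    {"id": "evt-1", "summary": "Sync", "description": "", "updated": "2023-11-06T09:00:00Z"},
    {"id": "evt-1", "summary": "Sync", "description": "hostname", "updated": "2023-11-06T09:00:15Z"},
    {"id": "evt-1", "summary": "Sync", "description": "desktop-01", "updated": "2023-11-06T09:00:45Z"},
    {"id": "evt-1", "summary": "Sync", "description": "uptime", "updated": "2023-11-06T09:01:15Z"},
    {"id": "evt-1", "summary": "Sync", "description": "up 3 days, 2:14", "updated": "2023-11-06T09:01:45Z"},
    {"id": "evt-2", "summary": "Standup", "description": "Daily standup", "updated": "2023-11-01T08:00:00Z"},
    {"id": "evt-2", "summary": "Standup", "description": "Daily standup, room B", "updated": "2023-11-05T08:00:00Z"},
]


def _ts(value):
    """Parse the RFC 3339 'updated' timestamp used in the snapshots."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def description_churn(snapshots):
    """Per event: (number of description changes, mean seconds between changes or None)."""
    by_event = defaultdict(list)
    for snap in snapshots:
        by_event[snap["id"]].append((_ts(snap["updated"]), snap["description"]))
    churn = {}
    for event_id, rows in by_event.items():
        rows.sort()
        # Timestamps at which the description differs from the previous snapshot.
        changes = [t for (t, desc), (_, prev) in zip(rows[1:], rows) if desc != prev]
        if len(changes) > 1:
            mean_gap = (changes[-1] - changes[0]).total_seconds() / (len(changes) - 1)
        else:
            mean_gap = None
        churn[event_id] = (len(changes), mean_gap)
    return churn


def flag_suspicious(snapshots, min_changes=3, max_mean_gap=300):
    """Event ids whose description is rewritten at least min_changes times,
    on average no more than max_mean_gap seconds apart. The thresholds are
    assumed starting points; tune them to how people actually edit calendars."""
    flagged = []
    for event_id, (count, mean_gap) in description_churn(snapshots).items():
        if count >= min_changes and mean_gap is not None and mean_gap <= max_mean_gap:
            flagged.append(event_id)
    return flagged
```

Run it over real snapshots by polling the events list on a schedule and appending each result; a single snapshot cannot show churn.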
This discovery shows the continued interest of threat actors in abusing cloud services to blend their attacks into victim environments and evade detection. An Iranian nation-state actor has also been using these tactics, employing macro-laced documents to compromise users with a subtle .NET backdoor for Windows named BANANAMAIL.
This backdoor uses IMAP to connect to an attacker-controlled webmail account, parses incoming emails for commands, executes them, and replies with an email containing the results. Google TAG addressed the situation by deactivating the attacker-controlled Gmail accounts that served as the malware’s channel.
The fight against hidden channels inside legitimate services will continue as technology companies try to stay one step ahead of cybercriminals.