Google's Alert: Unveiling Potential Exploits of Calendar Service as a Hidden C2 Communication Channel
Google has warned that multiple threat actors are sharing a public proof-of-concept (PoC) tool known as Google Calendar RAT (GCR). Rather than exploiting a vulnerability, GCR abuses a legitimate feature: it uses Google Calendar events in a Gmail account as its command-and-control (C2) channel. The tool was first published on GitHub in June 2023 and has not yet been observed in the wild, but Google's Mandiant threat intelligence unit has seen actors circulating the PoC on underground forums.
Once installed on a compromised machine, GCR periodically polls the descriptions of Google Calendar events for new commands, executes them on the host, and writes the command output back into the event description. Because every exchange is ordinary HTTPS traffic to Google's own API endpoints, the implant touches no attacker-owned infrastructure, so domain reputation, IP blocklists and similar indicator-based controls cannot separate it from legitimate Calendar use; defenders have to look instead at which process is talking to the service and how regularly. The case underscores the continuing interest among threat actors in abusing cloud services to blend into victim environments and evade detection.
In a related incident, an Iranian nation-state actor was found using macro-laden documents to compromise users with a small .NET backdoor for Windows named BANANAMAIL. It uses email as its C2 channel: the implant connects over IMAP to an attacker-controlled webmail account, reads commands from messages there, and sends the results back by email. Google's Threat Analysis Group has disabled the attacker-controlled Gmail accounts the malware used as conduits.
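Both GCR (Calendar API polling over HTTPS) and BANANAMAIL (IMAP polling of a webmail account) share the same detectable trait: a process that is not a normal client for the service contacts a legitimate Google endpoint on a fixed schedule. The script below is an added example, not code from the article or from either tool, showing one way to surface that pattern from host-attributed connection telemetry. The log format, the sample records, the process allowlist and the process names are all constructed for the example; only the endpoints (www.googleapis.com, under which the Calendar v3 API lives, and imap.gmail.com on port 993) are real service names.

```python
"""Beacon detection for cloud-service C2 channels such as the GCR and BANANAMAIL cases.

Added example, not part of the article or of either tool. Input is a constructed,
EDR-style record per outbound connection: ISO timestamp|host|process|destination|port.
"""
import datetime as dt
from collections import defaultdict
from statistics import mean, pstdev

# Legitimate Google endpoints that the two implants use as C2 conduits.
WATCHED = {
    ("www.googleapis.com", 443): "calendar-api",  # Calendar API v3 is served under /calendar/v3/
    ("imap.gmail.com", 993): "imaps",             # IMAP over TLS, as used by BANANAMAIL
}

# Processes expected to talk to these services in this (hypothetical) environment.
# Anything else that beacons to them is a candidate for investigation.
EXPECTED_CLIENTS = {"outlook.exe", "thunderbird.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


def parse_log(lines):
    """Parse constructed 'ts|host|process|dst|port' records into dicts."""
    records = []
    for line in lines:
        ts, host, proc, dst, port = line.strip().split("|")
        records.append({"ts": dt.datetime.fromisoformat(ts), "host": host,
                        "proc": proc, "dst": dst, "port": int(port)})
    return records


def beacon_score(times, min_events=4):
    """Return (mean interval in seconds, coefficient of variation) for sorted timestamps.

    A low coefficient of variation means the gaps are nearly equal, i.e. a scheduled
    poll rather than human-driven traffic. Returns None when there are too few events.
    """
    if len(times) < min_events:
        return None
    deltas = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    m = mean(deltas)
    cv = pstdev(deltas) / m if m else float("inf")
    return m, cv


def find_beacons(records, max_cv=0.2):
    """Group connections by (host, process, service) and flag regular, unexpected pollers."""
    groups = defaultdict(list)
    for r in records:
        service = WATCHED.get((r["dst"], r["port"]))
        if service and r["proc"].lower() not in EXPECTED_CLIENTS:
            groups[(r["host"], r["proc"], service)].append(r["ts"])
    hits = []
    for (host, proc, service), times in groups.items():
        score = beacon_score(sorted(times))
        if score and score[1] <= max_cv:
            hits.append({"host": host, "process": proc, "service": service,
                         "interval_s": round(score[0]), "cv": round(score[1], 3)})
    return hits


def _mk(host, proc, dst, port, offsets, base=dt.datetime(2023, 11, 6, 9, 0, 0)):
    """Build constructed log lines at the given second offsets from a fixed base time."""
    return [f"{(base + dt.timedelta(seconds=o)).isoformat()}|{host}|{proc}|{dst}|{port}"
            for o in offsets]


# Constructed telemetry: one GCR-like poller, one BANANAMAIL-like poller, and benign noise.
SAMPLE_LOG = (
    _mk("WS01", "python.exe", "www.googleapis.com", 443, [0, 61, 119, 181, 240, 302])  # ~60 s poll, slight jitter
    + _mk("WS01", "chrome.exe", "www.googleapis.com", 443, [5, 20, 900, 3000])         # user browsing Calendar
    + _mk("WS02", "updater.exe", "imap.gmail.com", 993, [0, 300, 600, 900, 1200])      # 5 min IMAP poll
    + _mk("WS03", "outlook.exe", "imap.gmail.com", 993, [0, 300, 600, 900, 1200])      # regular but expected client
    + _mk("WS04", "powershell.exe", "www.googleapis.com", 443, [0, 5, 400, 410])       # unexpected but irregular
)

if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

On the constructed data this flags WS01/python.exe polling the Calendar API roughly every 60 seconds and WS02/updater.exe polling IMAPS every 300 seconds, while the browser, the mail client and the irregular PowerShell activity are left alone. The allowlist is the part that has to be tuned per environment, since an over-broad one hides exactly the signal of interest. Without process attribution (for instance, from flow data alone) the same grouping can be done on source address plus TLS SNI, but then a user's browser and an implant on the same host are indistinguishable, which is why the article's point about legitimate infrastructure is a real constraint on network-only detection.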
Source: https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html