Google is alerting users to the existence of several threat actors that are disseminating a proof-of-concept (PoC) attack that uses its Calendar service to host command-and-control devices.
Using a Gmail account, the application, known as Google Calendar RAT (GCR), uses Google Calendar Events for C2. It was initially released in June 2023 on GitHub.
Developer and researcher Valerio Alessandroni, sometimes known online as MrSaighnal, claims that the script “creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar.” “The target will connect directly to Google.”
In its ninth Threat Horizons report, the IT giant stated that while it hasn’t seen the tool used in the wild, its Mandiant threat intelligence unit has found multiple threat actors who have shared the PoC on underground forums.
“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output,” warned Google.
It further stated that defenders find it challenging to identify suspicious activities because the programme only runs on reliable infrastructure.
This shows that threat actors are still interested in misusing cloud services to blend in with their victims’ settings and avoid detection.
Among them is an Iranian nation-state actor that was observed using documents laced with macros to trick users into opening a tiny.NET backdoor called BANANAMAIL for Windows, which uses email as C2.
“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results,” claimed Google.
Since then, the attacker-controlled Gmail accounts that served as the malware’s conduit have been removed, according to Google’s Threat Analysis Group.