Google’s Alert: Discover How Hackers Can Exploit Calendar Service as a Secret C2 Channel

Nov 06, 2023 | Newsroom | Cyber Attack / Online Security

Google has issued a warning about the dissemination of a publicly available exploit that utilizes its Calendar service to facilitate command-and-control (C2) infrastructure.

The exploit, known as Google Calendar RAT (GCR), employs Google Calendar Events for C2 operations using a Gmail account. It was initially published on GitHub in June 2023.

“The script establishes a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” explained MrSaighnal, the developer and researcher behind the tool. “The target device connects directly to Google.”

In its eighth Threat Horizons report, Google stated that it has not observed any instances of the tool being used in the wild. However, its Mandiant threat intelligence unit has detected the proof-of-concept being shared on underground forums.

“GCR, running on a compromised machine, periodically checks the Calendar event description for new commands, executes those commands on the targeted device, and updates the event description with the command output,” as stated by Google.

Since the tool exclusively operates on legitimate infrastructure, it presents a challenge for defenders to detect any suspicious activity, according to Google.
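
A defender-side sketch of hunting for the polling behaviour described above, added here as an example (it is not from the article or from Google): it scans proxy/EDR-style log lines for non-browser processes that call the Google Calendar API at a near-constant interval. The log format, host and process names, browser allowlist and thresholds are all assumptions, and the sample lines are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime

CALENDAR_API = "https://www.googleapis.com/calendar/"   # Google Calendar API prefix
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist

# Constructed sample lines (hypothetical format): timestamp host process method url
SAMPLE_LOG = """\
2023-11-06T09:00:00 ws-014 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:47:30 ws-014 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:00 ws-022 python.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:10 ws-022 python.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:21 ws-022 python.exe PUT https://www.googleapis.com/calendar/v3/calendars/primary/events/EVENT_ID
2023-11-06T09:00:30 ws-022 python.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:40 ws-022 python.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:50 ws-022 python.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:55 ws-022 python.exe GET https://pypi.org/simple/
2023-11-06T09:10:00 ws-031 notes.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:42:00 ws-031 notes.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:43:30 ws-031 notes.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T13:05:00 ws-031 notes.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T13:05:20 ws-031 notes.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
"""

def find_calendar_pollers(log_text, min_events=5, max_cv=0.25):
    """Return (host, process, mean_interval_s, writes) for regular non-browser pollers."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith(CALENDAR_API):
            continue  # malformed line or not Calendar API traffic
        ts, host, proc, method, _ = parts
        if proc.lower() in BROWSERS:
            continue  # interactive browser use is expected
        seen[(host, proc)].append((datetime.fromisoformat(ts), method))
    findings = []
    for (host, proc), events in sorted(seen.items()):
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a low value means a near-constant polling interval.
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            writes = sum(1 for _, m in events if m in ("PUT", "PATCH", "POST"))
            findings.append((host, proc, round(mean, 1), writes))
    return findings
```

A hit is a lead for triage rather than a verdict: legitimate sync tools also poll the Calendar API on a schedule, so known ones belong in the allowlist.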

This development underscores threat actors’ ongoing interest in leveraging cloud services to blend in with victim environments and evade detection.

One example is an Iranian nation-state actor that was found utilizing macro-laced documents to compromise users with a small Windows backdoor called BANANAMAIL, which employs email communication for command and control.

“The backdoor utilizes IMAP to connect to an attacker-controlled webmail account. It parses emails for commands, executes them, and sends an email with the results,” explained Google.

Google’s Threat Analysis Group has taken action to disable the attacker-controlled Gmail accounts that were used as conduits for the malware.
