Friday, May 3, 2024

Google Warns How Hackers May Abuse Calendar Service as a Covert C2 Channel


Nov 06, 2023 | Newsroom | Cyber Attack / Online Security


Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.

The tool, called Google Calendar RAT (GCR), uses Google Calendar Events for C2 via a Gmail account. It was first published to GitHub in June 2023.

“The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” according to its developer and researcher, who goes by the online alias MrSaighnal. “The target will connect directly to Google.”

The tech giant, in its eighth Threat Horizons report, said it has not observed the use of the tool in the wild, but noted that its Mandiant threat intelligence unit has observed the PoC being shared on underground forums.


“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target system, and then updates the event description with command output,” Google said.

The fact that the tool operates exclusively on legitimate infrastructure makes it difficult for defenders to detect suspicious activity, it added.
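One way a defender can hunt for the periodic polling described above, added here as an example and not taken from Google's report or the GCR project: flag processes outside an expected set that call the Calendar API at near-constant intervals. The log schema, process allowlist, thresholds and sample lines are assumptions, and URL paths are visible only where TLS inspection or endpoint telemetry records them.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: Calendar REST API traffic is identified by this host and path prefix.
API_HOST, API_PATH = "www.googleapis.com", "/calendar/v3/"
# Assumption: processes expected to reach Calendar in this (hypothetical) environment.
EXPECTED = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

def find_calendar_pollers(lines, min_events=5, max_cv=0.2):
    """Return {(host, process): mean_gap_seconds} for unexpected processes that
    hit the Calendar API at near-constant intervals (machine-like polling)."""
    seen = defaultdict(list)
    for line in lines:
        # Constructed schema: timestamp, endpoint, process, dest host, URL path.
        ts, host, proc, dst, path = line.split()
        if dst.lower() != API_HOST or not path.startswith(API_PATH):
            continue
        if proc.lower() in EXPECTED:
            continue
        seen[(host, proc.lower())].append(datetime.fromisoformat(ts))
    findings = {}
    for key, stamps in seen.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means regular, scripted polling.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings[key] = round(avg, 1)
    return findings

def _lines(host, proc, path, offsets):
    """Build constructed log lines at the given second offsets after 10:00:00."""
    return [f"2023-11-06T10:{s // 60:02d}:{s % 60:02d} {host} {proc} {API_HOST} {path}"
            for s in offsets]

EVENTS = "/calendar/v3/calendars/primary/events"
# Constructed sample telemetry, not real logs.
SAMPLE = (
    _lines("ws-14", "python.exe", EVENTS, [0, 10, 21, 30, 40, 50])            # steady poller
    + _lines("ws-14", "chrome.exe", EVENTS, [0, 10, 20, 30, 40, 50])          # expected client
    + _lines("ws-22", "synctool.exe", EVENTS, [0, 5, 305, 345, 1245, 1257])   # irregular use
    + _lines("ws-30", "python.exe", "/drive/v3/files", [0, 10, 20, 30, 40, 50])  # other API
)

if __name__ == "__main__":
    print(find_calendar_pollers(SAMPLE))
```

A hit is a lead for triage, not a verdict: legitimate sync agents and automation scripts also poll on a timer, so the allowlist and jitter threshold need tuning per environment.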

The development highlights threat actors’ continued interest in abusing cloud services to blend in with victim environments and fly under the radar.

This includes an Iranian nation-state actor that was observed using macro-laced documents to compromise users with a small .NET backdoor for Windows, codenamed BANANAMAIL, that uses email for C2.

“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results,” Google said.

Google’s Threat Analysis Group said it has since disabled the attacker-controlled Gmail accounts that were used by the malware as a conduit.
