Google has warned about a proof-of-concept technique for abusing its Calendar service as a covert command-and-control (C2) channel. The technique is implemented by a tool called Google Calendar RAT (GCR), which uses Google Calendar events for C2 communication through a Gmail account. The tool was first published to GitHub in June 2023 by a researcher who goes by the alias MrSaighnal.
According to MrSaighnal, the tool creates a "Covert Channel" by exploiting the event descriptions in Google Calendar. The implant running on the compromised machine periodically polls the event description for new commands, executes them, and then writes the command output back into the event description. Because the implant talks only to Google's own API endpoints over TLS, its traffic blends in with legitimate Workspace usage and leaves defenders no attacker-owned domain or IP address to block.
The tool requires a Gmail account and Google API credentials to access the Calendar service. The attacker creates events in the Calendar and uses the event descriptions to send commands to the target machine. The commands can be anything the target machine can execute, such as downloading and running files, taking screenshots, or stealing credentials. The tool also supports encryption and compression of the data exchanged between the attacker and the target.
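The polling loop described above still leaves indicators a defender can use, even though every request goes to Google. The following Python script is an illustration added to this article; it is not part of GCR or of Google's reporting. It runs a small detection over constructed proxy-style log lines (an assumed format with timestamp, host, process, method, destination and path; not real telemetry) and flags a (host, process) pair calling the Calendar API v3 endpoint when the process is not a known calendar client, when its GET polls arrive at a near-constant interval, and when the same client both reads and writes event data, which is what a fetch-command / upload-output loop looks like. The allowlist, thresholds, host names and calendar ID are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy/EDR-style log lines, one HTTP request each (assumed format, not real telemetry):
# <utc timestamp> <host> <process> <method> <destination host> <path>
SAMPLE_LOG = """\
2023-11-06T10:00:00Z host1 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:41Z host1 chrome.exe GET www.googleapis.com /calendar/v3/users/me/calendarList
2023-11-06T10:07:13Z host1 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:25:02Z host1 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:00Z host2 updater.exe GET www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events
2023-11-06T10:00:30Z host2 updater.exe GET www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events
2023-11-06T10:01:00Z host2 updater.exe GET www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events
2023-11-06T10:01:30Z host2 updater.exe GET www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events
2023-11-06T10:01:31Z host2 updater.exe PUT www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events/evt123
2023-11-06T10:02:00Z host2 updater.exe GET www.googleapis.com /calendar/v3/calendars/ops@group.calendar.google.com/events
2023-11-06T10:00:00Z host3 outlook.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:05:00Z host3 outlook.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:10:00Z host3 outlook.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:15:00Z host3 outlook.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:03:00Z host2 updater.exe GET www.googleapis.com /drive/v3/files
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) (?P<dest>\S+) (?P<path>\S+)$"
)
CALENDAR_HOST = "www.googleapis.com"
CALENDAR_PATH_PREFIX = "/calendar/v3/"   # REST prefix of the Calendar API v3
# Processes expected to talk to the Calendar API on a workstation (assumed allowlist; tune per fleet).
ALLOWED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect_calendar_c2(log_text, allowed_clients=ALLOWED_CLIENTS, min_polls=4, max_jitter=0.2):
    """Return one finding per (host, process) that touches the Calendar API and trips at least one rule.

    score counts how many independent signals fired; treat score >= 2 as an alert.
    """
    by_client = defaultdict(list)
    for e in parse_log(log_text):
        if e["dest"] == CALENDAR_HOST and e["path"].startswith(CALENDAR_PATH_PREFIX):
            by_client[(e["host"], e["proc"])].append(e)

    findings = []
    for (host, proc), reqs in sorted(by_client.items()):
        reqs.sort(key=lambda e: e["ts"])
        reasons = []
        # Rule 1: a process that is not a known calendar client is calling the Calendar API.
        if proc not in allowed_clients:
            reasons.append("unexpected client process")
        # Rule 2: GET polls at a near-constant interval (low jitter) look like a beacon, not a human.
        polls = [e for e in reqs if e["method"] == "GET"]
        if len(polls) >= min_polls:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(polls, polls[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
                reasons.append(f"beacon-like cadence (~{mean:.0f}s, {len(polls)} polls)")
        # Rule 3: the same client both reads events and updates them (PUT/PATCH), i.e. fetches
        # commands and uploads output through the event body.
        if polls and any(e["method"] in ("PUT", "PATCH") for e in reqs):
            reasons.append("reads then writes event data (command fetch / output upload)")
        if reasons:
            findings.append({"host": host, "process": proc, "score": len(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_calendar_c2(SAMPLE_LOG):
        print(f["host"], f["process"], f["score"], f["reasons"])
```

In the constructed sample, the updater.exe process on host2 trips all three rules, while outlook.exe on host3 only shows a regular sync cadence and stays below the alert threshold. Two practical caveats: the rules need URL-path visibility (TLS-inspecting proxy or EDR-level telemetry), since DNS and SNI alone show only googleapis.com, and a real implant will add jitter to its sleep, so the cadence rule should be treated as supporting evidence rather than a sole trigger.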
Why Google Calendar Service is Attractive for Hackers
Google Calendar is one of many cloud services that attackers can abuse to blend in with victim environments and evade detection. Cloud services offer several advantages for attackers, such as:
- They are widely used and trusted by users and organizations, making them less likely to be blocked or monitored by security tools.
- They provide reliable and scalable infrastructure for hosting and delivering malicious content, without the need to maintain their own servers or domains.
- They allow hackers to leverage legitimate credentials and APIs to access and manipulate the data, reducing the chances of being flagged as malicious.
Google Calendar is not the only cloud service that attackers have used for C2 communication. In the past, services such as Dropbox, Twitter, Slack, Discord, and GitHub have been abused for the same purpose.
How Google is Responding to the Threat
Google said that it has not observed the GCR tool in use in the wild, but noted that its Mandiant threat intelligence unit has observed multiple threat actors sharing the public proof-of-concept (PoC) tool on underground forums. Google said that it is actively monitoring the situation and taking steps to mitigate the threat.
Google also advised users and organizations to follow best practices to protect their accounts and data from unauthorized access, such as:
- Enabling two-factor authentication and using strong passwords for their Google accounts.
- Reviewing and revoking any suspicious third-party apps or devices that have access to their Google accounts.
- Reporting any phishing or spam emails that attempt to lure them into clicking on malicious links or attachments.
- Using endpoint and network security tools that can detect and block malicious activity on their devices and networks.
Note that this guidance protects a user's own Google account. GCR does not need the victim's account: it uses an account and API credentials the attacker controls, so the victim will see nothing in their own account settings. Detecting the channel is therefore an endpoint and egress problem, such as spotting processes other than browsers and mail clients calling the Calendar API, or regular polling of googleapis.com from an unexpected binary.
Google also said that it has disabled attacker-controlled Gmail accounts used by a separate malware family, BANANAMAIL, which likewise relied on a Google service (email) for C2 communication. BANANAMAIL is a small .NET backdoor that an Iranian nation-state actor used to compromise Windows users. The backdoor used IMAP to connect to a webmail account, parsed incoming emails for commands, executed them, and sent back an email containing the results.