Google Warns How Hackers Could Abuse Calendar Service

Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.

According to The Hacker News*, the tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.

“The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” according to its developer and researcher, who goes by the online alias MrSaighnal. “The target will connect directly to Google.” GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output, Google said.

The fact that the tool operates exclusively on legitimate infrastructure makes it difficult for defenders to detect suspicious activity, it added. Google Calendar connects to a variety of third-party apps, making this threat that much more intrusive. Targeting Google platforms can have multiple implications, as so many other services rely on and interact with their applications, so a vulnerability will be felt far and wide.

This exploit may also highlight the ongoing attention of threat actors on exploiting cloud services as a means to integrate quietly into target environments and avoid detection. Luckily, Google has disabled the issue, but it comes as a good reminder to keep track of which services are linked and to only connect apps and logins with trusted services and those that are kept up to date.
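Because the traffic goes to a legitimate Google endpoint, one practical detection angle is the polling pattern itself: a non-browser process calling the Calendar API at near-constant intervals. The sketch below is an added example, not code from Google, ESET or the GCR project; the log format, host and process names, allowlist and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy/EDR records: timestamp, host, process, destination, path.
SAMPLE_LOG = """\
2023-11-06T09:00:00 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:01:01 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:01:59 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:03:00 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:04:01 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:05:00 ws-022 python.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:00:00 ws-031 syncagent.exe www.googleapis.com /calendar/v3/users/me/calendarList
2023-11-06T09:00:05 ws-031 syncagent.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:17:40 ws-031 syncagent.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:18:02 ws-031 syncagent.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:45:10 ws-031 syncagent.exe www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T09:02:10 ws-014 chrome.exe www.googleapis.com /calendar/v3/calendars/primary/events
"""

CALENDAR_API = ("www.googleapis.com", "/calendar/v3/")  # Calendar REST API host and path prefix
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist; names can be spoofed

def parse(log):
    """Yield (host, process, timestamp) for Calendar API requests from unexpected processes."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        ts, host, proc, dest, path = parts
        if dest == CALENDAR_API[0] and path.startswith(CALENDAR_API[1]) \
                and proc.lower() not in EXPECTED_CLIENTS:
            yield host, proc, datetime.fromisoformat(ts)

def find_pollers(log, min_requests=5, max_cv=0.2):
    """Return {(host, process): mean interval in seconds} for timer-like request patterns."""
    seen = defaultdict(list)
    for host, proc, ts in parse(log):
        seen[(host, proc)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < max(min_requests, 2) or mean(gaps) == 0:
            continue
        # Coefficient of variation: low values mean evenly spaced requests (a polling loop).
        if pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[key] = round(mean(gaps), 1)
    return flagged
```

Seeing the request path requires TLS-inspecting proxy logs or endpoint telemetry, and a hit is a lead for triage rather than proof of compromise, since legitimate sync tools can also run on timers.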

by Jake Moore, ESET

*ESET does not bear any responsibility for the accuracy of this information.

