
Google Warns How Hackers Could Abuse Calendar Service as a Covert C2 Channel


Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.

The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.

"The script creates a 'Covert Channel' by exploiting the event descriptions in Google Calendar," according to its developer and researcher Valerio Alessandroni, who goes by the online alias MrSaighnal. "The target will connect directly to Google."

The tech giant, in its eighth Threat Horizons report, said it has not observed the use of the tool in the wild, but noted that its Mandiant threat intelligence unit has detected several threat actors sharing the PoC on underground forums.

"GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output," Google said.

The fact that the tool operates exclusively on legitimate infrastructure makes it difficult for defenders to detect suspicious activity, it added.
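Because the traffic goes only to Google, the destination alone says little; what stands out is which process is talking and how regularly. The following detection sketch is an added example, not code from Google's report or from the GCR project. It assumes endpoint telemetry that records the process and destination host for each connection, and the watched hostnames, process allow-list and sample events are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions (not from the article): hostnames to watch and the processes
# that are expected to talk to Google Calendar in this environment.
WATCHED_HOSTS = {"www.googleapis.com", "calendar.google.com"}
EXPECTED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

# Constructed sample telemetry: (epoch seconds, endpoint, process, destination host)
SAMPLE_EVENTS = (
    [(1000 + 60 * i + (i % 3), "ws-17", "python.exe", "www.googleapis.com")
     for i in range(12)]
    + [(t, "ws-17", "chrome.exe", "calendar.google.com")
       for t in (1005, 1400, 1410, 2900, 3300, 3310)]
    + [(t, "ws-22", "backup.exe", "www.googleapis.com")
       for t in (1200, 1900, 5000, 5100, 9000, 9050)]
)

def find_calendar_beacons(events, min_events=6, max_jitter=0.2):
    """Return {(endpoint, process): mean_interval_seconds} for unexpected
    processes that contact watched hosts at near-constant intervals."""
    times = defaultdict(list)
    for ts, endpoint, process, host in events:
        if host in WATCHED_HOSTS and process.lower() not in EXPECTED_PROCESSES:
            times[(endpoint, process)].append(ts)
    findings = {}
    for key, stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge periodicity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation of the gaps: a low value means
        # timer-driven polling rather than human-driven or bursty use.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg, 1)
    return findings

if __name__ == "__main__":
    for (endpoint, process), interval in find_calendar_beacons(SAMPLE_EVENTS).items():
        print(f"{endpoint}: {process} contacts Google APIs about every {interval}s")
```

The thresholds are starting points to tune against a baseline of which non-browser software legitimately uses Google APIs in a given environment.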

The development highlights threat actors' continued interest in abusing cloud services to blend in with victim environments and fly under the radar.

This includes an Iranian nation-state actor that was spotted using macro-laced docs to compromise users with a small .NET backdoor codenamed BANANAMAIL for Windows that uses email for C2.

"The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results," Google said.

Google's Threat Analysis Group said it has since disabled the attacker-controlled Gmail accounts that were used by the malware as a conduit.

