Cybersecurity teams are on high alert after Google disclosed that one of its own services, Google Calendar, can be abused as command-and-control (C2) infrastructure by hackers. Google's Threat Horizons report describes a proof-of-concept (PoC) tool, known as Google Calendar RAT (GCR), that manipulates calendar event descriptions to establish a covert communication channel.
Developed by researcher Valerio Alessandroni, also known as MrSaighnal, GCR uses a Gmail account to periodically poll event descriptions in Google Calendar for commands. Once it retrieves a command, the malware executes it on the infected device and writes the output back into the event description.
“While we have not seen the use of GCR in the wild to date, Mandiant has noted multiple actors sharing the public proof of concept on underground forums, illustrating the ongoing interest in abusing cloud services,” Google said in its Q3 2023 Threat Horizons report.
This isn’t the only instance of cloud services being weaponized, as Google’s Threat Analysis Group (TAG) has spotted other threat actors misusing Google products in their campaigns. In March 2023, TAG “observed an Iranian government-backed actor use macro docs to infect users with a small .NET backdoor, BANANAMAIL, for Windows that uses email for C2.”
The implications of this method are worrisome for cybersecurity experts: traditional C2 infrastructure, such as compromised servers, is easier to detect and neutralize. The subtlety of leveraging a service like Google Calendar can prolong the presence of unauthorized actors within networks, complicating defenders' efforts to intercept and mitigate these threats.
Google has responded by disabling the Gmail accounts linked to the known malware. Given the company's extensive reach into everyday digital activities, the stakes for maintaining effective security controls that protect user data and trust are at an all-time high.
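The polling behaviour described above (an implant repeatedly reading event descriptions from the Calendar API) still leaves a footprint in egress logs: requests to a legitimate service at a near-constant interval, from a host that has no business doing so that often. The following beaconing heuristic, added here as an example and not code from the article or from Google's report, scans constructed proxy log lines for clients that hit the Google Calendar API frequently and with highly regular spacing. The log format, the Calendar URL path filter and the thresholds (`min_requests`, `max_cv`) are assumptions to be tuned to your environment.

```python
"""Beaconing heuristic for Google Calendar API traffic (added example).

Flags clients whose requests to the Calendar API are both frequent and
evenly spaced, the pattern a command-polling implant produces. Sample
log lines, URL filter and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client IP> <method> <url>".
# 10.0.0.5 polls every 30 s (suspicious); 10.0.0.7 syncs irregularly
# (a normal calendar client); 10.0.0.9 never touches the Calendar API.
SAMPLE_LOG = """\
2023-11-06T09:00:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:00 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:30 10.0.0.5 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:12 10.0.0.7 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:14:48 10.0.0.7 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:17:03 10.0.0.7 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:41:30 10.0.0.7 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:01:40 10.0.0.7 GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:05 10.0.0.9 GET https://www.google.com/
"""

# Assumed URL fragment identifying Calendar API requests in the logs.
CALENDAR_PATH = "googleapis.com/calendar/"


def parse_calendar_requests(log_text):
    """Return {client: [timestamps]} for every request to the Calendar API."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts, client, _method, url = parts
        if CALENDAR_PATH in url:
            hits[client].append(datetime.fromisoformat(ts))
    return hits


def interval_stats(timestamps):
    """Mean gap (seconds) and coefficient of variation between consecutive requests.

    A coefficient of variation near 0 means the gaps are almost identical,
    i.e. the client is polling on a fixed timer. Returns None if fewer than
    two requests were seen.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else 0.0
    return m, cv


def find_beacons(log_text, min_requests=5, max_cv=0.2):
    """List (client, mean_gap_s, cv) for clients whose Calendar polling looks like beaconing."""
    results = []
    for client, stamps in parse_calendar_requests(log_text).items():
        if len(stamps) < min_requests:
            continue  # too few requests to judge regularity
        stats = interval_stats(stamps)
        if stats and stats[1] <= max_cv:
            results.append((client, round(stats[0], 1), round(stats[1], 3)))
    return results


if __name__ == "__main__":
    for client, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} polls Calendar every ~{gap}s (cv={cv})")
```

Regular polling on its own is not proof of compromise, since legitimate calendar clients also sync on schedules, so treat a hit as a lead to correlate with the identity used (an unexpected Gmail account rather than the corporate tenant), the process making the request, and whether event descriptions on that account contain command output. The heuristic is deliberately simple; in a real pipeline the parser would consume your proxy or DNS logs and the thresholds would be calibrated against a baseline of known-good clients.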
“Threat actors have abused cloud-based storage to host campaign infrastructure, to deliver malware, to act as malware command and control (C2), and to upload exfiltrated data,” the report said.