Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.
The tool, called Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
“The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” according to its developer and researcher Valerio Alessandroni, who goes by the online alias MrSaighnal. “The target will connect directly to Google.”
The tech giant, in its eighth Threat Horizons Report [PDF], said it has not observed the use of the tool in the wild, but noted its Mandiant threat intelligence unit has detected several threat actors sharing the PoC on underground forums.
“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output,” Google said.
The fact that the tool operates exclusively on legitimate infrastructure makes it difficult for defenders to detect suspicious activity, it added.
The development highlights threat actors’ continued interest in abusing cloud services to blend in with victim environments and fly under the radar.
This includes an Iranian nation-state actor that was spotted employing macro-laced docs to compromise users with a small .NET backdoor codenamed BANANAMAIL for Windows that uses email for C2.
“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results,” Google said.
Google’s Threat Analysis Group said it has since disabled the attacker-controlled Gmail accounts that were used by the malware as a conduit.