Hackers have reportedly found a way to use Google Calendar as command and control (C2) infrastructure, which could cause quite a few headaches in the cybersecurity community.
One of the bigger challenges for cybercriminals today is not getting malware onto an endpoint but staying in touch with it afterwards: sending the implant the commands they want executed and collecting the results.
For that they need command and control (C2) infrastructure, usually compromised or rented servers, and the problem for the attacker is that it rarely takes long for defenders to spot the traffic, identify the server and block it or take it down. If the C2 channel instead runs over a legitimate, widely used service such as Google Calendar, the implant only ever talks to Google, its traffic blends in with ordinary TLS traffic to a domain that cannot simply be blocked, and detecting the attack and cutting the channel becomes much harder.
Reading commands via Calendar
Now Google has alerted the broader security community that a proof-of-concept (PoC) tool for exactly this is circulating on underground forums. The PoC is called “Google Calendar RAT” (GCR), and according to its author, who goes by MrSaighnal, the script creates a “secret channel” using the event descriptions in the calendar.
“The target will connect directly to Google.”
Once GCR is running on a device, it periodically polls the description of a calendar event for new commands and executes them on the device, Google explains. The event description is then overwritten with the command output, which the operator reads back through the same event.
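The round trip described above, as an added example that is not the GCR script itself: a dict-backed stand-in replaces the Google Calendar API so that the operator side and the implant side can both run offline. The "cmd:"/"out:" prefixes, the single-event channel and the polling function are assumptions made for this example, not the real tool's format.

```python
"""Calendar-as-C2 exchange, simulated offline (added example, not the GCR code).

A FakeCalendarEvent stands in for one Google Calendar event whose description
both parties can read and overwrite.  The "cmd:" / "out:" prefixes are an
assumption for this example, not the wire format the real tool uses.
"""
import shlex
import subprocess
import sys


class FakeCalendarEvent:
    """Stand-in for a single Google Calendar event with a writable description."""

    def __init__(self):
        self.description = ""
        self.revisions = []  # every write is kept, as an audit log would see it

    def get_description(self):
        return self.description

    def set_description(self, text):
        self.description = text
        self.revisions.append(text)


# ---- operator side ---------------------------------------------------------

def operator_queue_command(event, command):
    """Place a command in the event description for the implant to pick up."""
    event.set_description("cmd:" + command)


def operator_read_output(event):
    """Return the implant's output once it has replied, otherwise None."""
    desc = event.get_description()
    return desc[len("out:"):] if desc.startswith("out:") else None


# ---- implant side ----------------------------------------------------------

def run_command(command):
    """Execute the command without a shell and return stdout and stderr together."""
    proc = subprocess.run(shlex.split(command), capture_output=True,
                          text=True, timeout=30)
    return proc.stdout + proc.stderr


def implant_poll_once(event, runner=run_command):
    """One polling cycle: read the description, run any pending command and
    overwrite the description with its output.  Returns True if a command ran."""
    desc = event.get_description()
    if not desc.startswith("cmd:"):
        return False  # nothing queued; the real implant sleeps and polls again
    output = runner(desc[len("cmd:"):])
    event.set_description("out:" + output)
    return True


def exchange(event, command):
    """Drive one full round trip: operator queues, implant polls, operator reads."""
    operator_queue_command(event, command)
    implant_poll_once(event)
    return operator_read_output(event)


def demo():
    """Send a constructed, harmless command through the channel.

    Returns the stripped output and the number of description writes the
    round trip caused (one by the operator, one by the implant).
    """
    event = FakeCalendarEvent()
    # Constructed command: prints 42 with the current interpreter, so it runs anywhere.
    cmd = shlex.join([sys.executable, "-c", "print(42)"])
    out = exchange(event, cmd)
    return out.strip(), len(event.revisions)


if __name__ == "__main__":
    print(demo())
```

Note what the simulation makes visible: every command and every result passes through two writes to the same event description, so on the Google side the channel leaves a trail of description edits in the calendar's audit history, and on the host side the only network peer is Google's API.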
Google says it has not yet seen GCR used in the wild, but with tools like this it is usually only a matter of time.
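Because the implant only ever talks to Google, blocking the destination is not an option; what a defender can still look for is the polling pattern. The following is an added example, not part of the original article or of GCR: a detector run over constructed web-proxy log lines that flags a client making regular, non-browser requests to the Calendar API. The log format, the user-agent strings, the 30-second interval and the thresholds are assumptions for this example; the real tool's polling interval is not stated in the article.

```python
"""Beacon detection for Google Calendar API polling over proxy logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Fields:
# <ISO time> <client-ip> <method> <host> <path> "<user-agent>"
# 10.0.0.5: scripted client polling every 30 s and writing once (the C2 pattern)
# 10.0.0.7: a browser user opening a calendar at irregular times
# 10.0.0.9: the Calendar web UI refreshing regularly from a browser
SAMPLE_LOG = """\
2023-11-06T10:00:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:00:30 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:00:31 10.0.0.5 PATCH www.googleapis.com /calendar/v3/calendars/primary/events/abc123 "python-requests/2.31.0"
2023-11-06T10:01:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:01:30 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:02:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:02:30 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events "python-requests/2.31.0"
2023-11-06T10:00:03 10.0.0.7 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
2023-11-06T10:00:04 10.0.0.7 GET www.googleapis.com /calendar/v3/colors "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
2023-11-06T10:00:09 10.0.0.7 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
2023-11-06T10:05:40 10.0.0.7 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (Windows NT 10.0) Chrome/118.0"
2023-11-06T10:00:00 10.0.0.9 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"
2023-11-06T10:01:00 10.0.0.9 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"
2023-11-06T10:02:00 10.0.0.9 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"
2023-11-06T10:03:00 10.0.0.9 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"
2023-11-06T10:04:00 10.0.0.9 GET www.googleapis.com /calendar/v3/calendars/primary/events "Mozilla/5.0 (X11; Linux x86_64) Firefox/119.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
BROWSER_MARKERS = ("Mozilla/", "Chrome/", "Safari/", "Firefox/")


def parse_log(text):
    """Return (timestamp, ip, method, user_agent) for Calendar API requests only."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        ts, ip, method, host, path, ua = m.groups()
        if host == "www.googleapis.com" and path.startswith("/calendar/"):
            entries.append((datetime.fromisoformat(ts), ip, method, ua))
    return entries


def find_calendar_beacons(entries, min_polls=5, max_cv=0.2):
    """Flag (ip, user-agent) pairs that poll the Calendar API at a steady
    interval from a non-browser client.  Regularity is measured as the
    coefficient of variation (stdev / mean) of the gaps between GETs;
    non-GET requests are counted as writes, i.e. possible output uploads."""
    by_client = defaultdict(list)
    for ts, ip, method, ua in entries:
        by_client[(ip, ua)].append((ts, method))
    findings = []
    for (ip, ua), reqs in by_client.items():
        reqs.sort()
        polls = [ts for ts, method in reqs if method == "GET"]
        writes = sum(1 for _, method in reqs if method != "GET")
        if len(polls) < min_polls:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv and not ua.startswith(BROWSER_MARKERS):
            findings.append({"ip": ip, "ua": ua, "polls": len(polls),
                             "interval_s": mean, "cv": cv, "writes": writes})
    return findings


if __name__ == "__main__":
    for f in find_calendar_beacons(parse_log(SAMPLE_LOG)):
        print(f)
```

The browser check matters: the Calendar web UI itself refreshes on a schedule, so regularity alone would flag every open calendar tab (10.0.0.9 above). A real implant can also add jitter to its sleep, which is why the cutoff is a parameter rather than a hard rule; combine this with host telemetry (which process opened the connection) before acting on a hit.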
Attackers are increasingly using legitimate cloud services to deliver malware. Google Docs, for example, has a sharing feature that lets a user type an email address into a document, after which Google itself notifies the recipient that they now have access to the file.
Threat actors were seen creating documents containing malicious links and sharing them this way, so that the lure landed in people’s inboxes as a notification sent by Google. Because the sender really was Google, the messages passed the sender-reputation and authentication checks that email security services rely on.
Via The Hacker News