Hackers have reportedly found a way to use Google Calendar as command & control (C2) infrastructure, which could create quite a few headaches in the cybersecurity community.
One of the bigger challenges for cybercriminals these days is how to get the malware on an infected endpoint to execute the commands they’d like done.
To do that, they need C2 infrastructure, usually compromised servers, but the problem is that it never takes long for security pros to discover the ruse and terminate the connection. But if the C2 infrastructure leveraged legitimate resources, such as Google Calendar for example, cybersecurity pros would have a much harder time detecting the attack and terminating the connection.
Reading commands via Calendar
Now, Google has warned the wider security community that a proof-of-concept (PoC) exploit for exactly this is circulating on the dark web. The PoC is dubbed “Google Calendar RAT” (GCR), and according to the person who built it - alias MrSaighnal - the script creates a “covert channel” by exploiting the event descriptions in the calendar.
"The target will connect directly to Google."
When a device is infected with GCR, it will periodically poll the Calendar event description for new commands and run them on the device, Google explained. Then, it will update the event description with new command output.
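The polling behaviour Google describes gives defenders something to look for: an endpoint hitting the Calendar API at a fixed interval from a non-browser client. The following is an added detection example, not code from Google or from the GCR tool; it runs over constructed proxy log lines in an assumed "timestamp host user-agent url" format, and the interval and jitter thresholds are assumptions to tune per environment.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the article): timestamp, host, user agent, URL.
SAMPLE_LOG = """\
2023-11-06T10:00:00 ws-17 python-requests/2.31.0 https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:00:30 ws-17 python-requests/2.31.0 https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:01:00 ws-17 python-requests/2.31.0 https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:01:30 ws-17 python-requests/2.31.0 https://www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T10:00:05 ws-03 Mozilla/5.0 https://calendar.google.com/calendar/u/0/r
2023-11-06T10:07:41 ws-03 Mozilla/5.0 https://calendar.google.com/calendar/u/0/r
2023-11-06T10:31:02 ws-03 Mozilla/5.0 https://www.googleapis.com/calendar/v3/calendars/primary/events
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
CALENDAR_API = "www.googleapis.com/calendar/v3/"  # Calendar API v3 base path


def parse_log(text):
    """Yield (timestamp, host, user_agent, url) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def find_calendar_beacons(log_text, min_requests=4, max_cv=0.2):
    """Flag hosts whose Calendar API requests are periodic (low jitter, measured as
    coefficient of variation of inter-request gaps) and come from a non-browser
    user agent: the polling pattern an implant like GCR would produce."""
    by_host = defaultdict(list)
    for ts, host, ua, url in parse_log(log_text):
        if CALENDAR_API in url:
            by_host[host].append((ts, ua))
    flagged = {}
    for host, reqs in by_host.items():
        if len(reqs) < min_requests:
            continue  # too few requests to judge periodicity
        reqs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        non_browser = all(not ua.startswith("Mozilla/") for _, ua in reqs)
        if cv <= max_cv and non_browser:
            flagged[host] = {"interval_s": mean, "requests": len(reqs)}
    return flagged


if __name__ == "__main__":
    print(find_calendar_beacons(SAMPLE_LOG))
```

A browser user visiting Calendar (ws-03 above) is not flagged; a scripted client polling every 30 seconds (ws-17) is.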
So far, no hackers have been observed abusing GCR in the wild, but with things like this, it’s only a matter of time.
Hackers are increasingly using legitimate cloud services to deliver malware. For example, Google Docs has a share feature that allows users to type in an email address in the document and Google will notify the recipient that they now have access to the file.
Some threat actors were observed creating files with malicious links and distributing them to people’s email inboxes this way. As the emails came from Google, they bypassed email protection services.
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.