Hackers have reportedly found a way to use the Google Calendar as command & control (C2) infrastructure which could create quite a few headaches in the cybersecurity community.
One of the bigger challenges for cybercriminals these days is how to get the malware on an infected endpoint to execute the commands they’d like done.
To do that, they need C2 infrastructure, usually compromised servers, but the problem is that it never takes long for security pros to discover the ruse and terminate the connection. But if the C2 infrastructure leveraged legitimate resources, such as Google Calendar for example, cybersecurity pros would have a much harder time detecting the attack and terminating the connection.
Reading commands via Calendar
Now, Google warned the wider security community that a proof-of-concept (PoC) exploit for such a thing is circulating around the dark web. The PoC is dubbed “Google Calendar RAT” (GCR), and according to the person that built it – alias MrSaighnal – the script will create a “covert channel” by exploiting the event descriptions in the calendar.
“The target will connect directly to Google.”
When a device is infected with GCR, it will periodically poll the Calendar event description for new commands and run them on the device, Google explained. Then, it will update the event description with new command output.
So far, no hackers have been observed abusing GCR in the wild, but with things like these, it’s only a matter of time.
Hackers are increasingly using legitimate cloud services to deliver malware. For example, Google Docs has a share feature that allows users to type in an email address in the document and Google will notify the recipient that they now have access to the file.
Some threat actors were observed creating files with malicious links and distributing them to people’s email inboxes this way. As the emails came from Google, they bypassed email protection services.
More from TechRadar Pro
- Worried about your protection? Here is the best ransomware protection software
- FBI – North Korean Lazarus hackers could be about to cash in millions of stolen Bitcoin
- Read our list of the best ID theft protection solutions