As reported by Google itself (via TheHackerNews), Google Calendar has become a service of potential interest to attackers, although there is little sign of it being abused at the moment. Specifically, Google recently warned that several threat actors are sharing a public proof-of-concept (PoC) exploit that uses Calendar to host command-and-control (C2) infrastructure.
The tool in question, which appears to be circulating on the deep web, is called "Google Calendar RAT" (GCR). It uses calendar events to set up C2 communication through a Gmail account. According to its author, who goes by the name MrSaighnal, the script creates a "covert channel" by abusing event descriptions in Google Calendar, which lets the attacker route the connection directly through Google's own service. The author claims that this makes the activity very hard for security teams to detect, since the traffic goes to a legitimate Google endpoint.
Google Calendar can become an important tool for hackers
According to Google, GCR works by having the compromised machine periodically poll Google Calendar event descriptions for new commands. When a command is found, it is executed on the device, and the event description is then updated with the command's output, so the same event serves as both the tasking channel and the exfiltration channel.
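The poll-for-command, write-back-output loop described above leaves a recognisable footprint in web-proxy logs: a non-browser process fetching the same calendar resource at near-constant intervals, with occasional writes to an event. The script below is an added defender-side example, not code from the article or from GCR itself. It assumes the proxy records client IP, process name, HTTP method, host and path per request, that the Calendar API is reached at `www.googleapis.com/calendar/v3/` (the real API base), and uses a constructed sample log; the beacon threshold (`max_cv`) and browser allowlist are illustrative values to tune for your environment.

```python
"""Flag beacon-like polling of the Google Calendar API in web-proxy logs.

Hypothetical defender-side check (added example): a host that fetches the
same calendar events resource from a non-browser process at near-constant
intervals, and occasionally writes back to an event, matches the
poll-for-command / write-output pattern described for GCR.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields:
# timestamp client_ip process method host path
SAMPLE_LOG = """\
2023-11-06T10:00:00Z 10.0.0.5 python.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:30Z 10.0.0.5 python.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:01:00Z 10.0.0.5 python.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:01:30Z 10.0.0.5 python.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:01:31Z 10.0.0.5 python.exe PATCH www.googleapis.com /calendar/v3/calendars/primary/events/abc123
2023-11-06T10:02:00Z 10.0.0.5 python.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:05Z 10.0.0.9 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:07:42Z 10.0.0.9 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:31:10Z 10.0.0.9 chrome.exe GET www.googleapis.com /calendar/v3/calendars/primary/events
"""

# Processes expected to talk to Google APIs on a workstation (assumed allowlist).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
# Real Calendar API host and path prefix; assumes the proxy logs the URL path.
CALENDAR_HOST = "www.googleapis.com"
CALENDAR_PREFIX = "/calendar/v3/"
WRITE_METHODS = {"POST", "PUT", "PATCH"}


def parse_line(line):
    """Split one space-separated proxy record into a dict with a UTC timestamp."""
    ts, ip, proc, method, host, path = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "ip": ip, "proc": proc, "method": method, "host": host, "path": path,
    }


def find_calendar_beacons(log_text, min_requests=4, max_cv=0.2):
    """Return one alert per (client, process) whose Calendar polling looks like a beacon.

    max_cv is the maximum coefficient of variation (stdev / mean) of the gaps
    between consecutive GETs: human calendar use is bursty, a polling loop is
    nearly periodic. Writes (POST/PUT/PATCH) to the API are counted separately
    because output being written back to an event is the second half of the pattern.
    """
    reads = defaultdict(list)
    writes = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["host"] != CALENDAR_HOST or not r["path"].startswith(CALENDAR_PREFIX):
            continue
        key = (r["ip"], r["proc"])
        if r["method"] == "GET":
            reads[key].append(r["ts"])
        elif r["method"] in WRITE_METHODS:
            writes[key] += 1

    alerts = []
    for (ip, proc), stamps in reads.items():
        if proc.lower() in BROWSERS or len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:  # all requests in the same second: not a polling interval
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            alerts.append({
                "client": ip, "process": proc, "polls": len(stamps),
                "mean_interval_s": avg, "interval_cv": round(cv, 3),
                "writes": writes[(ip, proc)],
            })
    return alerts


if __name__ == "__main__":
    for alert in find_calendar_beacons(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags only the `python.exe` client polling every 30 seconds with one write back, and ignores the browser whose requests are irregular. In practice the same logic applies to any legitimate-service C2 channel: the host is trusted, so the signal is in who is talking to it and how regularly, not in the destination itself.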
As mentioned earlier, Google has not observed GCR being used in the wild so far. With the tool circulating on the internet, however, it seems only a matter of time before someone tries it; Mandiant's threat intelligence unit has already seen it shared on underground forums.
Google Calendar thus joins other legitimate Google services that attackers have abused to deliver malware, much like Google Docs. Docs lets a user share a document with any email address, and Google itself notifies the recipient that they have been granted access. Attackers have embedded malicious links in such documents and pushed them into victims' inboxes through that notification; because the messages genuinely come from Google, they often slip past email protection services.