According to The Hacker News , Google has warned that multiple threat actors are sharing public exploits that leverage its calendar service to host command and control (C2) infrastructure.
The tool, called Google Calendar RAT (GCR), uses the app’s event feature to issue command and control using a Gmail account. The program was first published to GitHub in June 2023.
Security researcher MrSaighnal said the code creates a covert channel by exploiting event descriptions in Google's calendar app. In its eighth Threat Report, Google said it has not observed the tool being used in the wild, but noted that its Mandiant threat intelligence unit has seen several threats that have shared proof-of-concept (PoC) exploits on underground forums.
Google Calendar can be exploited as a command and control center for hackers
Google says GCR runs on a compromised machine, periodically scanning the event description for new commands, executing them on the target device, and updating the description with the command. The fact that the tool operates on legitimate infrastructure makes it difficult to detect suspicious activity.
This case once again shows the worrying use of cloud services by threat actors to infiltrate and hide themselves on victims’ devices. Previously, a group of hackers believed to be linked to the Iranian government used documents containing macro code to open a backdoor on Windows computers and issue commands via email.
Google said the backdoor uses IMAP to connect to a webmail account controlled by the hacker, parses emails for commands, executes them, and sends back emails containing the results. Google's threat analysis team has disabled the attacker-controlled Gmail accounts that the malware used as a conduit.
Source link
Comment (0)