Google has issued a warning about the potential abuse of its Calendar service as a covert command-and-control (C2) channel by multiple threat actors. A tool known as Google Calendar RAT (GCR) has been publicly shared on GitHub, allowing threat actors to exploit Google Calendar Events using a Gmail account for C2 purposes. GCR uses event descriptions within Google Calendar to establish a “Covert Channel,” enabling the target to connect directly to Google.
Although Google has not observed the tool being used in the wild, its Mandiant threat intelligence unit has identified several threat actors sharing the proof-of-concept on underground forums.
Furthermore, GCR operates by running on compromised machines, periodically polling the Calendar event descriptions for new commands, executing these commands on the target device, and updating the event description with the command output. This method of operation on legitimate infrastructure makes it challenging for defenders to detect suspicious activity. The development highlights the ongoing interest of threat actors in exploiting cloud services to remain concealed within victim environments and evade detection.
Additionally, Google’s Threat Analysis Group also uncovered an Iranian nation-state actor employing a macro-laced document to compromise users, using a .NET backdoor called BANANAMAIL that employs email for C2 purposes. Google has taken steps to disable the attacker-controlled Gmail accounts involved in this incident.
