Google is warning of multiple threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.
The tool, referred to as Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
“The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” according to its developer and researcher, who goes by the online alias MrSaighnal. “The target will connect directly to Google.”
The tech giant, in its eighth Threat Horizons report, said it has not observed the use of the tool in the wild, but noted that its Mandiant threat intelligence unit has observed the PoC being shared on underground forums.
“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output,” Google said.
The fact that the tool operates solely on legitimate infrastructure makes it difficult for defenders to detect suspicious activity, it added.
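As an added example (not code from Google, Mandiant or the GCR author), the following Python heuristic illustrates the kind of signal a defender can look for given the behaviour described above: one account fetching a single calendar event at a near-constant interval and repeatedly rewriting its description. The record layout and the sample records are constructed for this example and do not represent a real Google Workspace log schema.

```python
"""Heuristic detection for the Calendar-based C2 pattern described above:
one account polling a single event at a fixed cadence and rewriting its
description. Added example; record fields are assumptions, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def _ts(s):
    """Parse an ISO-8601 timestamp, accepting a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_sample_log():
    """Constructed records: an ordinary user plus a beacon-like poller."""
    log = [
        {"ts": "2023-11-06T09:02:11Z", "account": "alice@example.com", "event": "evt-101", "op": "get"},
        {"ts": "2023-11-06T12:40:05Z", "account": "alice@example.com", "event": "evt-101", "op": "update"},
        {"ts": "2023-11-06T16:15:48Z", "account": "alice@example.com", "event": "evt-101", "op": "get"},
    ]
    t0 = _ts("2023-11-06T10:00:00Z")
    for i in range(12):  # one read every 30 s; every fourth read is followed by a write-back
        ts = t0 + timedelta(seconds=30 * i)
        log.append({"ts": ts.isoformat(), "account": "svc@example.com", "event": "evt-777", "op": "get"})
        if i % 4 == 3:
            log.append({"ts": (ts + timedelta(seconds=1)).isoformat(),
                        "account": "svc@example.com", "event": "evt-777", "op": "update"})
    return log


def find_polling_events(log, min_polls=8, max_jitter=0.2, min_updates=2):
    """Return [(account, event, reads, updates)] for account/event pairs whose
    reads arrive at a near-constant interval (jitter = stdev/mean of the gaps)
    and which also rewrite that same event at least min_updates times."""
    by_pair = defaultdict(lambda: {"get": [], "update": 0})
    for rec in log:
        key = (rec["account"], rec["event"])
        if rec["op"] == "get":
            by_pair[key]["get"].append(_ts(rec["ts"]))
        elif rec["op"] == "update":
            by_pair[key]["update"] += 1
    hits = []
    for (account, event), d in by_pair.items():
        reads = sorted(d["get"])
        if len(reads) < min_polls or d["update"] < min_updates:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(reads, reads[1:])]
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        if jitter <= max_jitter:
            hits.append((account, event, len(reads), d["update"]))
    return hits
```

Thresholds are starting points to tune against a baseline of normal calendar activity; a legitimate integration that syncs one event on a timer will look similar and needs to be allow-listed.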
The development highlights threat actors’ continued interest in abusing cloud services to blend in with victim environments and fly under the radar.
This includes an Iranian nation-state actor that was observed using macro-laced documents to compromise users with a small .NET backdoor for Windows codenamed BANANAMAIL that uses email for C2.
“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results,” Google said.
Google’s Threat Analysis Group said it has since disabled the attacker-controlled Gmail accounts that were used by the malware as a conduit.