Advisory ID: NCC-CSIRT-081123-040
Summary: Google has issued a warning about several hackers utilizing a tool known as Google Calendar RAT (GCR), which leverages Google Calendar Events for command-and-control Operations (C2) through a Gmail account. These threat actors have shared a public proof-of-concept (PoC) exploit that uses Google's Calendar service to host C2 infrastructure. This poses a notable challenge for cybersecurity experts, as it effectively conceals malicious communications within genuine calendar events.
Threat Type(s): Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Google Calendar
Platform(s): Gmail Accounts
Version(s): All Versions
Description: Valerio Alessandroni, an IT researcher, explained that to use the Google Calendar RAT for command-and-control (C2) activities, an attacker would set up a Google service account, obtain its credentials.json file, and place it in the script directory. Then, they'd create a new Google calendar and share it with the service account, modify the script to link to the calendar address, and use the event description field to execute commands.
When active on an infected device, the RAT regularly checks for such commands, executes them, and relays the output in the description field. Apart from its innovative approach, the significant advantage of the Google Cloud RAT is its operation via legitimate cloud infrastructure, making it challenging to detect and prevent.
Consequences: The threat enables malicious instructions to seamlessly integrate with authentic calendar entries, rendering it challenging for security tools to detect and prevent them.
Solution: Organizations can defend against this threat through the following ways:
- Anomaly-Based Monitoring: When an organization is developing a detection strategy, it should focus on identifying anomalies and detecting malicious activities entering its system.
- Intrusion Detection System (IDS) and Network Monitoring: Utilize tools for detecting application-level or network-level command-and-control (C2) traffic, as well as data exfiltration. The tools recommended by Google are Cloud IDS (https://cloud.google.com/intrusion-detection-system) or open-source alternatives such as Suricata (https://suricata.io/) in conjunction with Zeek (https://zeek.org/).
- Network Segmentation: Segment your networks to minimize the consequences of potential threats gaining access to more resources within your environment.
References:
https://www.darkreading.com/cloud/google-cloud-rat-calendar-events-command-and-control
https://services.google.com/fh/files/blogs/gcat_threathorizons_full_oct2023.pdf
https://pc-tablet.com/google-calendar-rat-new-threat-hides-in-plain-sight/
https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html
https://www.blackhatethicalhacking.com/news/google-calendar-under-threat-gcr-tool-uses-it-for-command-and-control-operations/
https://www.redpacketsecurity.com/google-warns-how-hackers-could-abuse-calendar-service-as-a-covert-c-channel/