Google is warning of several threat actors sharing a public proof-of-concept (PoC) exploit that leverages its Calendar service to host command-and-control (C2) infrastructure.
The tool, named Google Calendar RAT (GCR), employs Google Calendar Events for C2 using a Gmail account. It was first published to GitHub in June 2023.
“The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar,” according to its developer and researcher, who goes by the online alias MrSaighnal. “The target will connect directly to Google.”
The tech giant, in its eighth Threat Horizons report, said it has not observed the use of the tool in the wild, but noted that its Mandiant threat intelligence unit has observed the PoC being shared on underground forums.
“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output,” Google said.
The fact that the tool operates solely on legitimate infrastructure makes it hard for defenders to detect suspicious activity, it added.
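One detection angle the report leaves open is the polling itself: a beacon that checks the Calendar API at a fixed interval looks different from a person opening their calendar. The following is an added example, not code from the article, Google, or the GCR author: it scans constructed proxy log lines for clients that call the Calendar API path at near-constant intervals. The log format, the host names and the `/calendar/v3/` path filter are assumptions for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the article): timestamp, client, destination, path.
# host-a polls every 30 s (beacon-like); host-b browses at irregular times; host-c is unrelated.
SAMPLE_LOG = """\
2023-11-06T10:00:00Z host-a www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:30Z host-a www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:01:00Z host-a www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:01:30Z host-a www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:02:00Z host-a www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:05Z host-b www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:07:41Z host-b www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T11:32:09Z host-b www.googleapis.com /calendar/v3/calendars/primary/events
2023-11-06T10:00:10Z host-c example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_calendar_requests(log_text):
    """Collect request timestamps per client for calls to the Calendar API path (assumed filter)."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, client, dest, path = m.groups()
        if dest.endswith("googleapis.com") and path.startswith("/calendar/"):
            per_client[client].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    return per_client


def find_beaconing_hosts(log_text, min_requests=4, max_jitter_ratio=0.2):
    """Return {client: mean_interval_seconds} for clients whose Calendar polling is regular.

    Regular means the standard deviation of the gaps between requests is at most
    max_jitter_ratio times the mean gap; too few requests are ignored to avoid noise.
    """
    flagged = {}
    for client, stamps in parse_calendar_requests(log_text).items():
        stamps.sort()
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            flagged[client] = round(avg, 1)
    return flagged


if __name__ == "__main__":
    print(find_beaconing_hosts(SAMPLE_LOG))
```

Interval regularity alone is a weak signal (calendar clients also sync on timers), so in practice it is combined with which account is being polled and whether event descriptions are being rewritten by a non-interactive process.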
The development highlights threat actors’ continued interest in abusing cloud services to blend in with victim environments and fly under the radar.
This includes an Iranian nation-state actor that was observed using macro-laced documents to compromise users with a small .NET backdoor codenamed BANANAMAIL for Windows that uses email for C2.
“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results,” Google said.
Google’s Threat Analysis Group said it has since disabled the attacker-controlled Gmail accounts that were used by the malware as a conduit.
Some parts of this article are sourced from:
thehackernews.com