Google has warned that its Calendar service can be turned into Command and Control (C2) infrastructure. In non-technical language, C2 infrastructure is the headquarters or control center of an intrusion: the place malware reports to once it has infiltrated a device and from which it receives its orders. The warning concerns a public tool, dubbed the "Google Calendar RAT", that shows how an attacker can stealthily commandeer the service as a personal C2 channel.
A Covert Channel Inside a Legitimate Service
The technique, referred to as Google Calendar RAT, is a public Proof of Concept (PoC) that abuses the event descriptions in Google Calendar to create what is termed a "covert channel".
A covert channel is a conduit for data that evades the security mechanisms normally watching the traffic. Here the compromised device never talks to an attacker-owned server at all: it connects directly to Google, reads commands that the operator has placed in calendar event descriptions, and writes its results back into the same events. Because every request is TLS-encrypted and goes to Google's own domains, the activity is camouflaged under the veil of legitimate infrastructure, which is exactly what makes the idea so attractive to threat actors.
This poses a real challenge for defenders, because the traffic is hard to distinguish from ordinary use of Google Calendar. According to Google's Threat Horizons report, the method has not yet been observed in the wild, but multiple threat actors have been sharing the PoC on underground forums, indicating growing interest in abusing cloud services as C2 infrastructure.
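Since the destination is a legitimate Google domain, detection has to lean on who is talking and how regularly rather than on where. The following is an added example, not from Google or the PoC author, of one such check over constructed EDR/proxy-style records: it groups Calendar API requests by host and process, discards known browsers, and flags any remaining process that contacts the API on a near-fixed cadence (low coefficient of variation between requests). The log format, the process names and the assumption that an implant would use the public Calendar REST endpoint on www.googleapis.com are all assumptions of this example.

```python
"""Added detection example: fixed-cadence, non-browser polling of the Calendar API."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real telemetry). ws-17 is a user browsing normally;
# ws-42 is an unfamiliar process polling every 30 seconds.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=ws-17 proc=chrome.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:00:03Z host=ws-17 proc=chrome.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:04:00Z host=ws-17 proc=chrome.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:17:00Z host=ws-17 proc=chrome.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:00:00Z host=ws-42 proc=svchost_update.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:00:30Z host=ws-42 proc=svchost_update.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:01:00Z host=ws-42 proc=svchost_update.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:01:30Z host=ws-42 proc=svchost_update.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
2024-05-01T10:02:00Z host=ws-42 proc=svchost_update.exe dst=www.googleapis.com path=/calendar/v3/calendars/primary/events
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+) path=(?P<path>\S+)$"
)
# Assumed allowlist of processes expected to talk to Calendar; tune per environment.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}


def parse(log_text: str):
    """Yield parsed records; silently skip lines that do not match the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield rec


def find_beacons(log_text: str, min_events: int = 4, max_cv: float = 0.2,
                 browser_allowlist=BROWSERS) -> list[dict]:
    """Return (host, proc) pairs whose Calendar API requests arrive at a near-constant interval."""
    buckets = defaultdict(list)
    for rec in parse(log_text):
        if rec["dst"] == "www.googleapis.com" and rec["path"].startswith("/calendar/"):
            buckets[(rec["host"], rec["proc"])].append(rec["ts"])

    hits = []
    for (host, proc), times in buckets.items():
        if proc in browser_allowlist or len(times) < min_events:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue  # duplicate timestamps, not a cadence
        cv = statistics.pstdev(gaps) / mean  # 0 means perfectly regular polling
        if cv <= max_cv:
            hits.append({"host": host, "proc": proc, "period_s": mean, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['host']} {hit['proc']} polls Calendar every {hit['period_s']:.0f}s (cv={hit['cv']:.2f})")
```

The browser allowlist does the heavy lifting against false positives, and legitimate sync clients (mail and calendar applications) also poll on a timer, so they need to be on it too; the cadence check is what separates a human clicking around a calendar from a process on a timer. A real implant could add jitter to defeat this, which is why the process identity, not the interval alone, is the stronger signal.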
Previous Abuse of Google Services
This is not the first time threat actors have turned Google services into C2 infrastructure. Earlier this year Google's Threat Analysis Group (TAG) reported on an Iran-linked Advanced Persistent Threat (APT) group that used macro-enabled documents to deliver a small .NET backdoor, "BANANAMAIL", which used Gmail as its C2 channel. BANANAMAIL is a reconnaissance tool that sits quietly on the network and connects over the IMAP protocol to a webmail account controlled by the intruder, reading emails for commands to execute: the same poll-a-legitimate-service pattern as the Calendar RAT, with a mailbox in place of a calendar. Google responded by disabling the Gmail accounts that had been repurposed as C2 infrastructure.