Attackers Use Google Calendar RAT to Abuse Calendar Service as C2 Infrastructure

Cyber Security Threat Summary:
Researchers at Google have issued a warning about various threat actors using the Google Calendar service for command-and-control purposes. Additionally, there is a public proof-of-concept exploit called "Google Calendar RAT" (GCR) that relies on the calendar service for its command-and-control infrastructure. This exploit was developed as part of red teaming activities to demonstrate the concept of using Google Calendar Events for command and control. The proof of concept, which only requires a Gmail account to operate, creates a covert channel by manipulating Google Calendar event descriptions for command-and-control purposes. While Google has not detected GCR in actual attacks, Mandiant reports that the PoC has been shared on underground forums, indicating a continued interest in exploiting cloud services. GCR operates by periodically checking event descriptions for new commands and communicates through legitimate Google infrastructure, making it challenging for defenders to spot malicious activity.

Security Officer Comments:
Google's Threat Analysis Group (TAG) has previously observed threat actors using Google services for malicious purposes. In a March 2023 incident, an Iran-linked APT group used Gmail as command-and-control infrastructure for a small .NET backdoor called BANANAMAIL. The backdoor used IMAP to connect to an attacker-controlled webmail account, where it parsed emails for commands. TAG experts disabled the attacker-controlled Gmail accounts at that time.

Suggested Correction(s):
Researchers at Google have published mitigations to defend against these attacks:

  • Architect systems with a defense-in-depth approach to reduce risk when threat actors bypass controls by evading detection, such as by using valid cloud services as noted above. Use an Intrusion Detection System (IDS) and network monitoring tools to detect application-level or network-level C2 traffic, or even exfiltration, with tools such as Cloud IDS or the open-source alternatives Suricata in conjunction with Zeek.
  • Segment networks to reduce the impact of adversaries gaining access to additional resources in your environment. Consider Google Cloud's best practices and reference architectures for VPC design.
  • Develop baselines for network traffic and monitor for connections to user-facing cloud services to aid defenders in identifying low-prevalence and/or anomalous behavior.
  • Implement robust centralized logging and regularly monitor your environment for anomalous behavior. The Q3 2023 compromise metrics section outlines security-related logs organizations should consider enabling in their Cloud environment, along with a link to Community Security Analytics with example queries and YARA rules organizations could use for detections.
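The baselining and network-monitoring advice above turns on one observable property of a calendar-polling implant: it has to fetch event descriptions on a timer, so its requests to the calendar service arrive at near-constant intervals, unlike a person using Calendar in a browser. The following is an added example (not code from the advisory, Google, or the GCR project) that scores hosts in Zeek-style HTTP log lines by the regularity of their calendar requests. The log lines are constructed; the hostnames, the `/calendar/` URI prefix, the user agents, and the thresholds are assumptions chosen for the illustration, and a hit is a lead for the analyst to check against the baseline, not a verdict, since legitimate calendar sync clients also poll.

```python
"""Added example: flag hosts that poll Google Calendar endpoints at
near-constant intervals (beaconing) in proxy/Zeek-style HTTP logs.
Not part of the original advisory; all log lines below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample in a Zeek http.log-like tab-separated layout:
# ts  src_ip  host  uri  user_agent
# 10.0.1.7 polls the Calendar API every ~30 s with a scripting user agent;
# 10.0.1.9 is a person opening Calendar in a browser a few times.
SAMPLE_LOG = """\
1699000000.000\t10.0.1.7\twww.googleapis.com\t/calendar/v3/calendars/primary/events\tpython-requests/2.31
1699000030.100\t10.0.1.7\twww.googleapis.com\t/calendar/v3/calendars/primary/events\tpython-requests/2.31
1699000060.050\t10.0.1.7\twww.googleapis.com\t/calendar/v3/calendars/primary/events\tpython-requests/2.31
1699000090.200\t10.0.1.7\twww.googleapis.com\t/calendar/v3/calendars/primary/events\tpython-requests/2.31
1699000120.000\t10.0.1.7\twww.googleapis.com\t/calendar/v3/calendars/primary/events\tpython-requests/2.31
1699000005.000\t10.0.1.9\tcalendar.google.com\t/calendar/u/0/r\tMozilla/5.0
1699001800.000\t10.0.1.9\tcalendar.google.com\t/calendar/u/0/r\tMozilla/5.0
1699005000.000\t10.0.1.9\tcalendar.google.com\t/calendar/u/0/r\tMozilla/5.0
"""

# Assumed hostnames for Google Calendar traffic (API and web UI).
CALENDAR_HOSTS = {"www.googleapis.com", "calendar.google.com"}


def parse_log(text):
    """Parse the tab-separated lines into dicts; timestamps become floats."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, host, uri, ua = line.split("\t")
        records.append({"ts": float(ts), "src": src, "host": host,
                        "uri": uri, "ua": ua})
    return records


def is_calendar_request(rec):
    """True for requests to a calendar host under the /calendar/ path."""
    return rec["host"] in CALENDAR_HOSTS and rec["uri"].startswith("/calendar/")


def find_beacons(records, min_hits=4, max_cv=0.15):
    """Return {src_ip: stats} for sources whose calendar polling is periodic.

    Periodic means at least min_hits calendar requests whose inter-request
    gaps have a coefficient of variation (stdev / mean) below max_cv.
    Human browsing produces irregular gaps; a timer-driven poller does not.
    """
    by_src = defaultdict(list)
    for rec in records:
        if is_calendar_request(rec):
            by_src[rec["src"]].append(rec)

    hits = {}
    for src, recs in by_src.items():
        if len(recs) < min_hits:
            continue
        ts = sorted(r["ts"] for r in recs)
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv < max_cv:
            hits[src] = {
                "requests": len(recs),
                "mean_interval": avg,
                "cv": cv,
                # Non-browser user agents are a secondary signal for the analyst.
                "user_agents": sorted({r["ua"] for r in recs}),
            }
    return hits


if __name__ == "__main__":
    for src, info in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {info['requests']} calendar requests every "
              f"~{info['mean_interval']:.0f}s (cv={info['cv']:.3f}), "
              f"user agents={info['user_agents']}")
```

In practice the same check runs over the full Zeek `http.log` or proxy export, and the interesting rows are hosts that poll the calendar service but do not appear in the baseline of known sync clients; the user-agent field and the request count per day are the quickest way to separate the two before escalating.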