Google has a warning about its own Google Calendar service: Hackers could potentially abuse it to secretly send commands to a piece of malware planted on a computer.
The threat deals with the “command and control” infrastructure hackers create to communicate with their malware once it infects an IT system. Oftentimes, a hacker will do so by sending commands to their malware through a so-called “C2” server. But in other cases, the culprits can mask their C2 activity by using legitimate services to host their commands to the malware.
In the past, this has included hosting the C2 commands on cheap or free cloud services, such as Dropbox and Amazon Web Services, along with Google Drive and Gmail. Doing so can prevent antivirus programs and cybersecurity professionals from uncovering the hacker’s activities since all the C2 commands to the malware will appear as legitimate traffic.
Now Google is warning that the company’s own calendar service could be exploited for the same purpose. In a report looking at future threats, the company notes an apparent cybersecurity researcher called "MrSaighnal" published a proof-of-concept technique that leverages Google Calendar as a command-and-control system.
(Credit: IT researcher MrSaighnal)The proof-of-concept, dubbed Google Calendar RAT (or GCR), works by placing the C2 commands in the event description of a Google Calendar entry. The hacker’s malware can then periodically connect to the Google Calendar account to retrieve and then execute such commands on the infected computer.
“According to the developer, GCR communicates exclusively via legitimate infrastructure operated by Google, making it difficult for defenders to detect suspicious activity,” Google's report adds.
The good news is that the company hasn’t observed any hackers using Google Calendar to host C2 commands yet. But its report notes that multiple actors have shared “the public proof of concept on underground forums, illustrating the ongoing interest in abusing cloud services.”
In response, Google’s report offers some mitigations to counter the potential threat, but there's no easy solution. Instead, the company is urging companies to properly monitor their networks for unusual activity. This includes developing “baselines for network traffic,” so that cybersecurity professionals can identify when anomalous activity occurs.
