Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure


Google Calendar RAT (GCR) is a proof of concept for Command & Control (C2) via Google Calendar Events. It’s useful when setting up a full red team infrastructure is challenging.

GCR requires a Gmail account and uses the description field of Google Calendar events as a covert channel. All traffic consists of direct connections to Google, so the channel operates entirely at layer 7 (the application layer), as described by its developer and researcher, Mr. Saighnal (aka Valerio Alessandroni).


Once running on a compromised host, GCR periodically polls the calendar event description for new commands, executes them on the target device, and appends the command output to the event description. According to the developer, GCR communicates only through official Google infrastructure, which makes the activity hard for defenders to distinguish from legitimate traffic, Google said.

GCR Workflow

The red teaming tool uses Google Calendar events for C2. The tool enables an attacker to place commands in the event description field of Google Calendar events.

GCR connects to a shared Google Calendar link, checks for pending commands, and creates a new “whoami” command if none exist.

The complete GCR workflow is shown in the image below:

GCR Workflow Attack (Source – GitHub)

Each event consists of two parts:-

  • The Title contains a unique ID, which allows multiple commands to be scheduled under the same ID.
  • The Description contains the command to run and its base64-encoded output, separated by “|”.

Moreover, because every network connection goes only to Google’s servers, the traffic appears completely legitimate.





How do I use it?

The steps to use it are as follows:-

  • First, create a Google service account, obtain the credentials.json file, and place it in the script’s directory.
  • Create a new Google Calendar, share it with the service account, and update the script with your calendar address.
  • When run on the target system, the script automatically creates an event with a distinct target ID and executes the “whoami” command.
  • Commands placed in the event description must use the following syntax:-

=> CLEAR_COMMAND|BASE64_OUTPUT
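Because the channel is plain text in a shared calendar, a defender who can export events (for example through the Calendar API or Workspace audit tooling) can screen event descriptions for the COMMAND|BASE64_OUTPUT layout described above. The following is an added example, not code from the GCR project; it runs on constructed sample events whose `summary` and `description` fields mirror Google Calendar API event resources.

```python
import base64
import binascii
import re

# GCR layout described above: description = COMMAND|BASE64_OUTPUT, title = target ID.
# A bare "|" with nothing after it means the command is queued but not yet executed.
_GCR_DESC = re.compile(r"^(?P<cmd>[^|]+)\|(?P<out>[A-Za-z0-9+/=]*)$")


def parse_gcr_description(description):
    """Return (command, decoded_output) if the text matches the GCR layout,
    otherwise None. Ordinary text containing a '|' fails either the base64
    alphabet check or the decode step, which keeps false positives down."""
    match = _GCR_DESC.match(description.strip())
    if not match:
        return None
    cmd, out = match.group("cmd").strip(), match.group("out")
    if not out:
        return cmd, ""  # queued command, no output yet
    try:
        decoded = base64.b64decode(out, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return cmd, decoded


def find_gcr_like_events(events):
    """Scan event resources and return (title, command, output) for each hit."""
    hits = []
    for event in events:
        parsed = parse_gcr_description(event.get("description", ""))
        if parsed is not None:
            hits.append((event.get("summary", ""), parsed[0], parsed[1]))
    return hits


# Constructed sample events, shaped like Google Calendar API event resources
# ("summary" is the event title, "description" is the body).
SAMPLE_EVENTS = [
    {"summary": "Sprint planning", "description": "Agenda: backlog | bring laptop"},
    {"summary": "a1b2c3", "description": "whoami|"},          # command waiting to run
    {"summary": "a1b2c3", "description": "whoami|YWxpY2U="},  # executed; output "alice"
    {"summary": "Dentist", "description": ""},
]

if __name__ == "__main__":
    for title, cmd, out in find_gcr_like_events(SAMPLE_EVENTS):
        print(f"GCR-like event {title!r}: command={cmd!r} output={out!r}")
```

Events that hit should be correlated with the calendar's sharing settings and the service account that created them, since the page notes the calendar is shared with a service account.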

In March 2023, Google TAG observed an Iran-linked APT group using Gmail for C2 with a small .NET backdoor, BANANAMAIL, which checks an email account over IMAP for commands to execute.

We haven’t seen GCR used in the wild yet, but Mandiant has observed multiple actors sharing the public proof of concept on underground forums. Google said in a threat report that interest in abusing cloud services persists.

