Hackers have found a way to use Google Calendar as command & control (C2) infrastructure, posing a serious threat to the cybersecurity community. One of the main challenges for cybercriminals is how to execute malware on an infected endpoint, which requires C2 infrastructure, typically compromised servers. The issue is that security pros quickly detect and terminate such connections. However, leveraging legitimate resources like Google Calendar makes it harder for cybersecurity pros to detect and terminate an attack.

A proof-of-concept (PoC) exploit called “Google Calendar RAT” (GCR) has been circulating on the dark web. GCR, created by MrSaighnal, creates a covert channel by exploiting event descriptions in the calendar. When a device is infected with GCR, it periodically polls the Calendar event description for new commands, runs them on the device, and then updates the event description with the command output. While no hackers have been observed abusing GCR in the wild so far, it is only a matter of time given the increasing use of legitimate cloud services by hackers to deliver malware.

For example, Google Docs has a share feature that allows users to type in an email address in the document, and Google will notify the recipient that they now have access to the file. Some threat actors have distributed malicious links through this method, bypassing email protection services as the emails appear to come from Google.
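
A defender can hunt for the periodic polling of Calendar event descriptions described above. The following is an added example, not code from the original article or from GCR: it flags non-browser processes that request the Google Calendar API at a near-constant interval. The log format (as a TLS-inspecting proxy or EDR might record it), process names, endpoint names and thresholds are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumption: site baseline
CALENDAR_HOST, CALENDAR_PATH = "www.googleapis.com", "/calendar/v3/"

# Constructed sample records: timestamp,endpoint,process,dest_host,url_path
SAMPLE_LOG = """\
2023-11-06T10:00:00,WS-014,chrome.exe,www.googleapis.com,/calendar/v3/calendars/primary/events
2023-11-06T10:00:05,WS-022,updater.exe,www.googleapis.com,/calendar/v3/calendars/primary/events/e1
2023-11-06T10:00:35,WS-022,updater.exe,www.googleapis.com,/calendar/v3/calendars/primary/events/e1
2023-11-06T10:01:04,WS-022,updater.exe,www.googleapis.com,/calendar/v3/calendars/primary/events/e1
2023-11-06T10:01:36,WS-022,updater.exe,www.googleapis.com,/calendar/v3/calendars/primary/events/e1
2023-11-06T10:02:05,WS-022,updater.exe,www.googleapis.com,/calendar/v3/calendars/primary/events/e1
2023-11-06T10:02:10,WS-031,sync.exe,www.googleapis.com,/drive/v3/files
2023-11-06T10:03:00,WS-040,report.exe,www.googleapis.com,/calendar/v3/users/me/calendarList
2023-11-06T10:47:00,WS-040,report.exe,www.googleapis.com,/calendar/v3/users/me/calendarList
"""

def find_calendar_pollers(log_text, min_hits=5, max_cv=0.2):
    """Return [(endpoint, process, hits, mean_interval_s)] for non-baseline
    processes that hit the Calendar API at a near-constant interval."""
    hits = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, endpoint, process, host, path = line.split(",", 4)
        if host != CALENDAR_HOST or not path.startswith(CALENDAR_PATH):
            continue  # not Calendar API traffic
        if process.lower() in ALLOWED_PROCESSES:
            continue  # expected client for this service
        hits[(endpoint, process)].append(datetime.fromisoformat(ts))
    findings = []
    for (endpoint, process), times in sorted(hits.items()):
        if len(times) < min_hits:
            continue  # too few requests to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value points to a fixed polling timer.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            findings.append((endpoint, process, len(times), round(avg, 1)))
    return findings

if __name__ == "__main__":
    for finding in find_calendar_pollers(SAMPLE_LOG):
        print(finding)
```

Legitimate sync clients also poll on timers, so the allow-list and thresholds need tuning against the environment's own baseline before findings are treated as alerts.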

Source:
https://thehackernews.com/2023/11/google-warns-of-hackers-abusing-calendar.html

By smith steave

I have over 10 years of experience in the cryptocurrency industry and I have been on the list of the top authors on LinkedIn for the past 5 years.