Google Warns: Calendar Service Hijacked for Malware Control

Google Calendar RAT attack flow diagram, published by the developer on Github

Google has warned of the risk that its Calendar service could be misused as command-and-control (C2) infrastructure for malware. In its latest cyber threat report, the company highlighted the spread of a tool that abuses this service for exactly that purpose.

The tool, named Google Calendar RAT (GCR), uses events in Google Calendar for C2 operations via a Gmail account. GCR has been available on GitHub as a proof of concept (PoC) since June this year, and it has also attracted the interest of real threat actors.

The developer of the tool, who goes by the pseudonym “MrSaighnal,” claims the script creates a “covert channel” by utilizing event descriptions in Google Calendar, connecting directly to Google’s services.


Although the tool has not yet been directly observed in attacks, researchers from Mandiant, part of Google, have seen threat actors discussing the use of GCR on underground forums.

Installed on a compromised machine, GCR periodically checks the calendar event descriptions for new commands, executes them, and updates the event description with the results, as reported by the company.

Google also pointed out that the tool’s exclusive operation on legitimate infrastructure complicates the detection of suspicious activities by defense systems.
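Because every request goes to legitimate Google endpoints, blocking by destination is not an option; what remains is the behaviour of the polling loop described above. The following is an added example, not code from Google's report or from the GCR project: a small beaconing heuristic run over constructed proxy log lines. The log format, the host names, the thresholds and the event id `abc123` are assumptions for the demo; the `/calendar/v3/calendars/.../events` path is the public Google Calendar API path.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (hypothetical format: ts src method host path user-agent).
# 10.0.0.5 polls the Calendar API every 60 s from a script and PATCHes an event with output;
# 10.0.0.9 is a person opening their calendar in a browser at irregular times.
SAMPLE_LOG = """\
2023-11-06T10:00:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2023-11-06T10:01:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2023-11-06T10:02:00 10.0.0.5 PATCH www.googleapis.com /calendar/v3/calendars/primary/events/abc123 python-requests/2.31
2023-11-06T10:03:00 10.0.0.5 GET www.googleapis.com /calendar/v3/calendars/primary/events python-requests/2.31
2023-11-06T10:00:10 10.0.0.9 GET calendar.google.com /calendar/u/0/r Mozilla/5.0
2023-11-06T10:07:42 10.0.0.9 GET calendar.google.com /calendar/u/0/r Mozilla/5.0
2023-11-06T10:31:05 10.0.0.9 GET calendar.google.com /calendar/u/0/r Mozilla/5.0
2023-11-06T11:02:19 10.0.0.9 GET calendar.google.com /calendar/u/0/r Mozilla/5.0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.+)$")

def parse_log(text):
    """Yield (timestamp, src, method, host, path, ua) for requests touching Calendar paths."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and "/calendar/" in m.group(5):
            ts, src, method, host, path, ua = m.groups()
            yield datetime.fromisoformat(ts), src, method, host, path, ua

def find_calendar_beacons(text, min_requests=4, max_jitter=0.2):
    """Map src -> reasons for hosts whose Calendar traffic looks like GCR-style polling:
    near-constant request interval, a non-browser client, and PUT/PATCH writes to a single
    event (how command output lands in the event description). Thresholds are assumptions."""
    by_src = defaultdict(list)
    for rec in parse_log(text):
        by_src[rec[1]].append(rec)
    findings = {}
    for src, recs in by_src.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        reasons = []
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            reasons.append("regular interval of %.0fs" % mean(gaps))
        if any(not r[5].startswith("Mozilla/") for r in recs):
            reasons.append("non-browser client")
        if any(r[2] in ("PUT", "PATCH") and "/events/" in r[4] for r in recs):
            reasons.append("client writes to an event")
        if len(reasons) >= 2:  # require corroborating signals to limit noise
            findings[src] = reasons
    return findings
```

On the sample log, only 10.0.0.5 is reported, with all three signals; the browser user at 10.0.0.9 is ignored because its timing is irregular and it never writes to an event.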

This case underscores the continued interest of malicious actors in exploiting legitimate cloud services to camouflage nefarious activities and circumvent protective mechanisms.

The Google report also separately details similar activity by an Iranian nation-state group that used macro-enabled Office documents to deploy a .NET backdoor targeting Windows systems, codenamed BANANAMAIL. This malware used email as its C2 infrastructure.

“The backdoor uses IMAP to connect to an attacker-controlled webmail account where it parses emails for commands, executes them, and sends back an email containing the results. TAG identified and disabled attacker-controlled Gmail accounts that the malware was using as a C2 mechanism,” the researchers from Google’s Threat Analysis Group (TAG) reported.