November 6, 2023 at 04:06AM
Google has issued a warning about a public proof-of-concept exploit called Google Calendar RAT (GCR) that uses its Calendar service as command-and-control infrastructure. The exploit creates a covert channel by manipulating event descriptions in Google Calendar. Although not yet observed in the wild, the exploit has been shared on underground forums. Because the traffic flows entirely through legitimate infrastructure, it is hard for defenders to distinguish it from normal Calendar use. This highlights the trend of threat actors using cloud services to avoid detection.
Key Takeaways from Meeting Notes:
1. Google Calendar RAT (GCR): A threat actor has developed a tool called GCR that leverages Google Calendar Events for command-and-control (C2) infrastructure. The tool creates a covert channel by exploiting event descriptions in Google Calendar. The GCR tool operates exclusively on legitimate infrastructure, making it difficult for defenders to detect suspicious activity.
2. Sharing of PoC: Multiple threat actors have been sharing the proof-of-concept (PoC) of GCR on underground forums. Google has not observed the tool being used in the wild but has alerted its Mandiant threat intelligence unit about the sharing of the PoC.
3. Iranian Nation-State Actor: An Iranian nation-state actor has been using macro-laced documents to compromise users with a backdoor codenamed BANANAMAIL for Windows. The backdoor uses email for command-and-control and connects to an attacker-controlled webmail account using IMAP for executing commands and receiving results.
4. Google’s Actions: Google’s Threat Analysis Group has disabled the attacker-controlled Gmail accounts used by the BANANAMAIL malware.
5. Cloud Services and Victim Environments: The development highlights the ongoing interest of threat actors in exploiting cloud services to blend in with victim environments and avoid detection.
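Both techniques above hide command traffic inside free-text fields of a trusted service (calendar event descriptions, webmail messages), so the defensive lever is content inspection of those fields rather than network blocking. The following is an added detection example, not code from Google, Mandiant or the GCR PoC: it scans event records for long, high-entropy base64-shaped runs, which is the residue an encoded covert channel typically leaves behind. The event shape (id/summary/description), the 40-character minimum run length and the 4.5 bits-per-character entropy cut-off are assumptions made for this example, not details of GCR's actual format.

```python
"""Heuristic scan of calendar event descriptions for encoded payload blobs.

Defender-side illustration only: given event records, flag descriptions that
carry long, high-entropy base64-looking runs. Thresholds, field names and the
sample data are assumptions for this example, not GCR's real format.
"""
import base64
import binascii
import math
import re
from collections import Counter

# A "blob" is a run of base64-alphabet characters at least MIN_BLOB_LEN long.
# 40 is an assumed cut-off: ordinary words, short meeting codes and hashes
# quoted in prose stay below it.
MIN_BLOB_LEN = 40
# English prose sits around 4.0-4.3 bits/char; random base64 approaches 6.
# 4.5 is an assumed threshold separating the two.
ENTROPY_THRESHOLD = 4.5
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{%d,}={0,2}" % MIN_BLOB_LEN)


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical symbol distribution in text."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_like_base64(blob: str) -> bool:
    """True if the run decodes cleanly under strict base64 rules."""
    try:
        base64.b64decode(blob, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False


def find_encoded_blobs(text: str) -> list:
    """Return suspicious runs in text: long, base64-shaped and high-entropy.

    A long but repetitive token (a room code like 'abcabc...') has low entropy
    and is deliberately not flagged, which keeps false positives down.
    """
    hits = []
    for m in BLOB_RE.finditer(text or ""):
        blob = m.group(0)
        ent = shannon_entropy(blob)
        if ent >= ENTROPY_THRESHOLD:
            hits.append({"blob": blob, "entropy": round(ent, 2),
                         "decodes": looks_like_base64(blob)})
    return hits


def scan_events(events: list) -> list:
    """Flag events whose description carries at least one suspicious blob."""
    findings = []
    for ev in events:
        hits = find_encoded_blobs(ev.get("description", ""))
        if hits:
            findings.append({"id": ev.get("id"),
                             "summary": ev.get("summary"),
                             "hits": hits})
    return findings


# Constructed sample events, shaped loosely like Google Calendar API event
# resources (only id/summary/description). Made-up data, not real traffic.
SAMPLE_EVENTS = [
    {"id": "ev-1", "summary": "Team sync",
     "description": "Agenda: roadmap review, hiring update, Q4 budget."},
    {"id": "ev-2", "summary": "Standup",
     # long but low-entropy token (repeated pattern): must not be flagged
     "description": "Room code: " + "abc" * 20},
    {"id": "ev-3", "summary": "Sync",
     # long, high-entropy base64 blob standing in for an encoded payload
     "description": "notes " + base64.b64encode(bytes(range(256))).decode()},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        first = finding["hits"][0]
        print(finding["id"], finding["summary"],
              "entropy=%.2f decodes=%s" % (first["entropy"], first["decodes"]))
```

Run against a real export, the same function applies to mailbox bodies pulled over IMAP, which is the channel BANANAMAIL is described as using; the entropy gate is what keeps long but benign tokens (repeated room codes, zero-padded IDs) from paging an analyst.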