Google Calendar is full of not only events, but also holes for hacker attacks

Lord777

Hidden criminal teams are now on your daily schedule.

Google has warned that attackers could use its Calendar service as command-and-control (C2) infrastructure for managing malware. In its latest threat report, the company pointed to the spread of an exploit that uses this service.

A tool called Google Calendar RAT (GCR) uses events in Google Calendar for C2 through a Gmail account. Since June of this year, GCR has been freely available on GitHub as a PoC, and real attackers have taken a liking to the tool as well.

According to the developer of the tool, known under the pseudonym "MrSaighnal", the script creates a "hidden channel" by using the descriptions of events in Google Calendar. The target machine connects directly to Google services.

Although direct use of this tool in attacks has not yet been observed, experts from Mandiant, part of Google, noted hackers discussing the use of GCR on underground forums.

Once installed on a compromised machine, GCR periodically checks calendar event descriptions for new commands, executes them, and updates the event description with the results of the commands, the company said.

Google also noted that because the tool operates exclusively on legitimate infrastructure, it is difficult for security systems to detect suspicious activity.

This case highlights the continued interest of attackers in abusing legitimate cloud services to mask malicious activity and circumvent security mechanisms.

The Google report also separately described similar activity by an Iranian nation-state group that used macro-enabled office documents to deliver a .NET backdoor targeting Windows, codenamed BANANAMAIL. The malware used email as its C2 infrastructure.

"The backdoor uses the IMAP protocol to connect to an attacker-controlled webmail account, where it analyzes emails for commands, executes them, and sends back an email with the results of the work done," the researchers said.

The Google Threat Analysis Team reported that the attacker-controlled Gmail accounts used by this malware were successfully blocked.
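The polling behaviour described above (GCR periodically checking calendar event descriptions) gives defenders one thing to hunt for: non-browser processes that call the Calendar API at a steady interval. The sketch below is an added example, not part of the original post or of Google's report. It assumes telemetry that records process name and full URL (for example, a TLS-inspecting proxy joined with EDR data); the log format, host names, process names and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines (timestamp, host, process, URL); not real telemetry.
SAMPLE_LOG = """\
2024-01-15T09:00:00 ws-014 chrome.exe https://calendar.google.com/calendar/u/0/r
2024-01-15T09:00:05 ws-022 python.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:00:15 ws-022 python.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:00:25 ws-022 python.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:00:36 ws-022 python.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:00:45 ws-022 python.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:00:00 ws-031 calsync.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:01:00 ws-031 calsync.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:09:00 ws-031 calsync.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:10:30 ws-031 calsync.exe https://www.googleapis.com/calendar/v3/calendars/primary/events
2024-01-15T09:03:12 ws-014 chrome.exe https://calendar.google.com/calendar/u/0/r
2024-01-15T09:04:00 ws-040 curl.exe https://www.googleapis.com/calendar/v3/users/me/calendarList
"""

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist
CALENDAR_MARKERS = ("googleapis.com/calendar/", "calendar.google.com/")

def find_calendar_beacons(log, min_hits=4, max_jitter=0.2):
    """Return (host, process, mean_gap_seconds) for steady non-browser Calendar polling."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, proc, url = line.split(maxsplit=3)
        if proc.lower() not in BROWSERS and any(m in url for m in CALENDAR_MARKERS):
            seen[(host, proc.lower())].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        if len(times) < min_hits:
            continue  # too few requests to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low values mean machine-like, evenly spaced requests.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((host, proc, round(avg, 1)))
    return findings

if __name__ == "__main__":
    print(find_calendar_beacons(SAMPLE_LOG))
```

Legitimate sync clients also poll, so a hit is a lead for triage rather than a verdict, and an implant that randomizes its sleep interval will not show up with a tight jitter threshold.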
 