Novel Google Cloud RAT Uses Calendar Events for C2

Novel Google Cloud RAT Uses Calendar Events for C2

Google is warning the cybersecurity community that attackers are increasingly using native cloud tools to hide their malicious activities.

In its latest Threat Horizons report, Google highlighted a proof-of-concept (PoC) exploit called “Google Calendar RAT,” which allowed red teamers and hackers to repurpose Google Calendar events for command-and-control (C2) purposes. It was first posted to GitHub in June, and has been forked 15 times since.

Google has not observed it being deployed in the wild, but has observed multiple users sharing it on cybercriminal forums, indicating at least a passing interest.

The company has since implemented a fix to block this tool, but more, similar malware may be just over the horizon.

“What we’re seeing happen is instead of using dedicated C2 nodes, like in the past, threat actors are leveraging cloud services to hide in the background,” says Matt Shelton, head of threat research and analysis at Google Cloud, emphasizing that “every cloud service could be used by an attacker to abuse customers.”

Hackers Hiding in Cloud Services

Created by IT researcher Valerio Alessandroni, the Google Calendar RAT significantly scaled down the infrastructure a red teamer or attacker would need for command-and-control (C2) purposes.

To use it, an attacker would have only needed to set up a Google service account, then:

Obtain its credentials.json file, and place it in the same directory as the malicious script

Create a new Google calendar and share it with the service account

Edit the script to point to the calendar address

Execute commands using the event description field

Running on an infected machine, the RAT periodically checks for such a command, then executes it, and returns its output in the same description field.

Besides its sheer inventiveness, Google Cloud RAT’s greatest strength was that it operates entirely over legitimate cloud infrastructure, making the job of identifying and preventing it extra difficult.

“The reason why bad guys are using this is to hide in the noise,” Shelton explains, which is why he advises companies to focus on anomaly-based monitoring. “When you’re building out a detection strategy within your organization, you really have to think through looking for anomalies and activity that’s coming into your system.”

He adds, “The reason we wrote about this particular piece of malware is because it is so novel,” noting that it may seem less novel very soon. “What we’re going to see over the next year, I think, is new ways of using cloud services for illegitimate purposes.”