Novel Google Cloud RAT Uses Calendar Events for C2

Cybercriminals are abusing legitimate functions within cloud services, and providers can't totally stop them, especially when it comes to innovative approaches like this.


Google is warning the cybersecurity community that attackers are increasingly using native cloud tools to hide their malicious activities.

In its latest Threat Horizons report, Google highlighted a proof-of-concept (PoC) exploit called "Google Calendar RAT," which allowed red teamers and hackers to repurpose Google Calendar events for command-and-control (C2) purposes. It was first posted to GitHub in June, and has been forked 15 times since.

Google has not observed it being deployed in the wild, but has observed multiple users sharing it on cybercriminal forums, indicating at least a passing interest.

The company has since implemented a fix to block this tool, but more, similar malware may be just over the horizon.

"What we're seeing happen is instead of using dedicated C2 nodes, like in the past, threat actors are leveraging cloud services to hide in the background," says Matt Shelton, head of threat research and analysis at Google Cloud, emphasizing that "every cloud service could be used by an attacker to abuse customers."

Hackers Hiding in Cloud Services

Created by IT researcher Valerio Alessandroni, the Google Calendar RAT significantly scaled down the infrastructure a red teamer or attacker would need for command-and-control (C2) purposes.

To use it, an attacker would have only needed to set up a Google service account, then:

  • Obtain its credentials.json file, and place it in the same directory as the malicious script

  • Create a new Google calendar and share it with the service account

  • Edit the script to point to the calendar address

  • Execute commands using the event description field

Running on an infected machine, the RAT periodically checks for such a command, then executes it, and returns its output in the same description field.

Besides its sheer inventiveness, Google Cloud RAT's greatest strength was that it operated entirely over legitimate cloud infrastructure, making it especially difficult to identify and block.

"The reason why bad guys are using this is to hide in the noise," Shelton explains, which is why he advises companies to focus on anomaly-based monitoring. "When you're building out a detection strategy within your organization, you really have to think through looking for anomalies and activity that's coming into your system."

He adds, "The reason we wrote about this particular piece of malware is because it is so novel," noting that it may seem less novel very soon. "What we're going to see over the next year, I think, is new ways of using cloud services for illegitimate purposes."
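One way to apply the anomaly-based monitoring Shelton describes to the periodic polling described above, as an added example that is not from the article or from Google's report: flag non-browser processes that call the Google Calendar API at a near-constant interval. The proxy log format, host and process names, browser allowlist, and thresholds are assumptions, and the sample records are constructed.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allowlist

def is_calendar_api(url):
    """True for requests to the Google Calendar REST API (v3)."""
    u = urlparse(url)
    return u.hostname == "www.googleapis.com" and u.path.startswith("/calendar/v3/")

def find_calendar_beacons(lines, min_requests=6, max_cv=0.2):
    """Flag (host, process) pairs polling the Calendar API at a steady interval."""
    seen = defaultdict(list)
    for line in lines:
        ts, host, proc, method, url = line.split()
        if is_calendar_api(url):
            seen[(host, proc)].append((datetime.fromisoformat(ts), method))
    findings = []
    for (host, proc), events in seen.items():
        if proc.lower() in BROWSERS or len(events) < min_requests:
            continue
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0  # low CV = regular timer
        writes = sum(1 for _, m in events if m in ("PUT", "PATCH", "POST"))
        if cv <= max_cv:
            findings.append({"host": host, "process": proc, "interval_s": round(mean),
                             "requests": len(events), "writes": writes})
    return findings

def sample_log():
    """Constructed proxy records: time, host, process, method, URL (hypothetical format)."""
    base = datetime(2023, 11, 6, 9, 0, 0)
    api = "https://www.googleapis.com/calendar/v3/calendars/EXAMPLE_CAL/events"
    rows = []
    for i in range(8):  # scripted client: one request every 10 s, one event update
        method = "PATCH" if i == 5 else "GET"
        rows.append(f"{(base + timedelta(seconds=10 * i)).isoformat()} ws-014 python.exe {method} {api}")
    for off in (3, 40, 700, 705, 2600, 9000, 9100):  # irregular, user-driven sync
        rows.append(f"{(base + timedelta(seconds=off)).isoformat()} ws-022 sync-agent.exe GET {api}")
    rows.append(f"{base.isoformat()} ws-022 chrome.exe GET https://example.com/")
    return rows

if __name__ == "__main__":
    for finding in find_calendar_beacons(sample_log()):
        print(finding)
```

The thresholds are starting points; tune `min_requests` and `max_cv` against a baseline of the Calendar API clients that legitimately run in your environment.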

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
