Cybercriminals can use Google Calendar to spread malware and swipe data from compromised devices, Google said in a recent report.
While Google’s Threat Analysis Group has not seen this happening “in the wild to date,” their warning lends credence to a proof-of-concept (PoC) that claims this is possible.
The PoC, published on GitHub in June, includes the code for a tool called Google Calendar RAT (GCR) that allows threat actors to integrate Google Calendar into their command and control (C2) infrastructure.
“The tool enables an attacker to place commands in the event description field of Google Calendar events,” Google’s 2023 Q3 Threat Horizons Report reads.
“GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output,” Google Threat Analysis Group (TAG) explained.
Hiding in Plain Sight
According to American cybersecurity firm Mandiant, threat actors have been sharing this PoC on dark web forums, indicating their “ongoing interest in abusing cloud services,” Google’s report noted.
Using Google Calendar to host their C2 infrastructure is a sneaky strategy that allows cybercriminals to go unnoticed. Google said threat actors are increasingly abusing legitimate cloud services in their campaigns.
“All cloud vendors and their products are affected by this type of abuse,” Google’s TAG said. This isn’t the first time cybercriminals have found a way to exploit Google’s products for their nefarious schemes. Threat actors have also been found using other popular cloud services like SharePoint, Amazon Web Services, Google Drive, and Dropbox in their campaigns, sometimes alongside persistent threats like Google Lead Services malware.
Valerio “MrSaighnal” Alessandroni, the cybersecurity researcher who created GCR, told VPNOverview that this isn’t a vulnerability but an alternative approach that uses “a legitimate tool in an illegitimate manner.”
“A knife is just a tool; it’s how it’s used that determines whether it’s a weapon or a simple cooking utensil,” Alessandroni said, adding that he expects Google to take the necessary measures to prevent threat actors from abusing Calendar.
Protecting Yourself When Legitimate Services Are Used in Cyberattacks
Besides using cybersecurity tools, Alessandroni emphasized the importance of cybersecurity awareness in protecting against such attacks.
“For an average user, knowing the basic cybersecurity best practices can be a great help in preventing threats. To give a fun example, driving a car poses risks; not everyone needs to become a Formula 1 driver to drive safely, but driving with your eyes open after getting your driver’s license is a must,” he said.
Meanwhile, Google’s TAG recommends a defense-in-depth approach, using Intrusion Detection Systems (IDS) and network segmentation to mitigate risks. Additionally, establishing baselines for network traffic and implementing robust logging can help to spot unusual activities.
“Consider Google Cloud’s best practices and reference architectures for VPC design,” Google told cyber defenders.
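As an added defender-side illustration (not code from the page, from Google, or from the GCR project), the script below applies the logging-and-baselining advice above: it parses constructed proxy log lines (the IPs, process names and the googleapis path are assumptions) and flags any client process that hits the Calendar API on a near-constant cadence, the footprint the periodic polling described earlier would leave in network logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines: timestamp, client IP, process, destination.
# 10.0.0.5 runs a script that polls the Calendar API every 30 s; 10.0.0.9 is a
# person using a browser at irregular moments. All values are made up.
SAMPLE_LOGS = """\
2023-11-06T09:00:00 10.0.0.5 python.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:30 10.0.0.5 python.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:00 10.0.0.5 python.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:01:30 10.0.0.5 python.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:02:00 10.0.0.5 python.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:00:12 10.0.0.9 chrome.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:07:48 10.0.0.9 chrome.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:31:05 10.0.0.9 chrome.exe www.googleapis.com/calendar/v3/calendars/primary/events
2023-11-06T09:33:20 10.0.0.9 chrome.exe www.googleapis.com/calendar/v3/calendars/primary/events
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
CALENDAR_API = "googleapis.com/calendar/"  # assumption: how the API host/path appears in your logs


def parse_logs(text):
    """Yield (timestamp, client, process, destination) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, proc, dest = m.groups()
            yield datetime.fromisoformat(ts), client, proc, dest


def find_calendar_beacons(text, min_hits=4, max_jitter=0.2):
    """Flag (client, process) pairs that poll the Calendar API on a fixed cadence.

    Jitter is the coefficient of variation of the gaps between requests: a
    scripted poller sits near 0, while human browser traffic is highly irregular.
    """
    times = defaultdict(list)
    for ts, client, proc, dest in parse_logs(text):
        if CALENDAR_API in dest:
            times[(client, proc)].append(ts)
    findings = []
    for (client, proc), stamps in times.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else 0.0
        if jitter <= max_jitter:
            findings.append({"client": client, "process": proc, "count": len(stamps),
                             "mean_interval": avg, "jitter": round(jitter, 3)})
    return findings
```

Tune `min_hits` and `max_jitter` against your own baseline; a short polling interval from a non-browser process is the combination worth triaging first.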
While Google works on securing its ecosystem, you can protect yourself from these threats by practicing proper cyber hygiene and using top-rated antivirus software.
Read our guide to the best antivirus software to see our top picks and learn more about why you need antivirus software.
