Watch Out! Hackers now use Google Calendar to steal your data
Hackers have uncovered a novel method to exploit Google Calendar for their malicious activities, posing a significant cybersecurity threat to numerous internet users.
Traditionally, cybercriminals have relied on a command and control (C2) infrastructure to execute malicious commands on infected endpoints. This infrastructure often involves compromised servers, but it has a major flaw: cybersecurity professionals are typically quick to detect these connections and halt them.
However, hackers are now leveraging legitimate resources, such as Google Calendar, as C2 infrastructure. This approach significantly complicates the task of security experts who must identify and effectively counter these attacks. Google has already issued a warning to the entire security community about a proof-of-concept exploit known as "Google Calendar RAT" (GCR), circulating on the dark web.
Hackers use Google Calendar to steal your data
GCR operates by clandestinely establishing a channel through the exploitation of event descriptions in Google Calendar. Once a device is compromised with GCR, it regularly scans the Google Calendar event description for new commands, executes these commands on the target device, and then updates the event description with the output of the executed command.
Google has taken measures to disable Gmail accounts controlled by the attackers and used by the malware. However, with the growing adoption of such tactics by hackers, the emergence of tools like GCR raises concerns, as it is likely to be challenging for cybersecurity professionals to thwart all such attacks:
"While we have not seen the use of GCR in the wild to date, Mandiant has noted multiple actors sharing the public proof of concept on underground forums, illustrating the ongoing interest in abusing cloud services. GCR, running on a compromised machine, periodically polls the Calendar event description for new commands, executes those commands on the target device, and then updates the event description with command output," says the Google Report. "According to the developer, GCR communicates exclusively via legitimate infrastructure operated by Google, making it difficult for defenders to detect suspicious activity."
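The poll-then-update pattern described in the report can still be hunted for in endpoint or proxy telemetry. The following is an added example, not code from Google, Mandiant or the GCR author: it flags a non-browser process that reads one Calendar event at a steady interval and also writes back to it. The log layout, process allowlist, thresholds and sample records are constructed assumptions, and it presumes telemetry that exposes the request path (for example a TLS-inspecting proxy).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumptions (not from the article): log layout, allowlist, thresholds.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
CAL_HOST, CAL_PATH = "www.googleapis.com", "/calendar/v3/calendars/"
MIN_POLLS, MAX_JITTER = 5, 0.2  # reads required; max stdev/mean of read gaps

# Constructed sample telemetry: time host process method dest-host path
SAMPLE_LOG = """\
2023-11-06T09:00:00 ws-17 updater.exe GET www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:00:10 ws-17 chrome.exe GET www.googleapis.com /calendar/v3/calendars/c2/events/e9
2023-11-06T09:01:01 ws-17 updater.exe GET www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:02:00 ws-17 updater.exe GET www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:02:03 ws-17 updater.exe PATCH www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:03:02 ws-17 updater.exe GET www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:04:00 ws-17 updater.exe GET www.googleapis.com /calendar/v3/calendars/c1/events/e1
2023-11-06T09:05:00 ws-22 calsync.exe GET www.googleapis.com /calendar/v3/calendars/c3/events/e4
2023-11-06T09:05:02 ws-22 calsync.exe PATCH www.googleapis.com /calendar/v3/calendars/c3/events/e4
"""

def find_calendar_beacons(log):
    # Collect reads and writes per (host, process, event resource).
    reads, writes = defaultdict(list), defaultdict(int)
    for line in log.strip().splitlines():
        ts, host, proc, method, dest, path = line.split()
        if dest != CAL_HOST or not path.startswith(CAL_PATH) or "/events/" not in path:
            continue
        if proc.lower() in BROWSERS:
            continue  # interactive calendar use is expected from browsers
        key = (host, proc.lower(), path)
        if method == "GET":
            reads[key].append(datetime.fromisoformat(ts))
        elif method in ("PUT", "PATCH"):
            writes[key] += 1
    hits = []
    for key, times in reads.items():
        if len(times) < MIN_POLLS or not writes.get(key):
            continue  # too few polls, or nothing ever written back
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER:  # steady polling
            hits.append({"host": key[0], "process": key[1], "event": key[2],
                         "interval_s": round(avg), "writes": writes[key]})
    return hits

if __name__ == "__main__":
    print(find_calendar_beacons(SAMPLE_LOG))
```

The process-name allowlist is a triage shortcut; matching on binary path or signer is stronger where the telemetry carries those fields.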
Google Calendar is not the sole application from the American giant to fall victim to hackers. Recently, Google Docs also faced an onslaught. Google Docs provides a sharing option allowing users to enter an email address in a document, notifying the recipient of access to the file. Some hackers have been observed exploiting this feature to disseminate malicious links via email. As these emails appear to originate from Google, they can circumvent email protection services.