Blog Post

Ritelink Blog > News > NEWS > Google Calendar now being targeted by hackers — what you need to know

Google Calendar now being targeted by hackers — what you need to know

Hackers are always coming up with new ways to avoid being detected and now, they’ve figured out a way to leverage Google Calendar in their attacks.

As reported by The Hacker News, Google has warned that multiple cybercriminals have shared a proof-of-concept (PoC) exploit that lets them use its calendar service to host their command-and-control (C2) infrastructure.

For those unfamiliar, C2 (also known as C&C) generally refers to a hacker-controlled server that is used by cybercriminals to send commands to and receive data from computers that have been compromised by malware. In this case though, this new PoC exploit lets hackers use Google Calendar as their C2 infrastructure just like they’ve done with DiscordTelegram and other legitimate services in the past.

Fortunately, Google has yet to observe this exploit being used in the wild but it has been shared recently on several hacking forums, which means we could see attacks leveraging it or similar tactics in the future.

Google Calendar RAT

The tool itself is called Google Calendar RAT (GCR) and it requires a Gmail account to use Google Calendar events.

In a post on GitHub, researcher Valeria Alessandromi (also known as MrSaighnal online) who created the tool, explained that it creates a ‘Covert Channel’ that hackers can use in their attacks by exploiting event descriptions in Google Calendar. 

In order to use GCR for C2 purposes, an attacker would need to set up a Google service account and then obtain that account’s credentials.json file, which needs to be placed in the same directory as a malicious script  From here, they would then have to create a new Google Calendar event and share it with the service account and edit the malicious script to point to the calendar address. Once this is done though, an attacker could execute commands using the event description field in Google Calendar.

What makes GCR so concerning is that a remote access trojan like this one running on legitimate cloud infrastructure will be much harder for companies and security researchers to detect. Email security checks and even the best antivirus software might miss links to these calendar events, which could then be delivered to potential victims without being flagged as malicious. 

Hackers use a number of different tricks to avoid being detected but with GCR and similar exploits, they don’t need to worry about being found out.

How to stay safe from novel attack methods

New attack methods are released every day and while hackers often use them to go after larger targets like businesses, they could also be used against regular people. For this reason, you should always be extra careful when dealing with links and documents from people you don’t know online.

For instance, if someone you don’t know shares a file with you through Gmail or Google Drive, you shouldn’t rush to open it. Instead, you want to think carefully about the file itself and why this particular person may be sharing it with you. Antivirus software can help you deal with malicious documents while the best identity theft protection services can help you recover funds lost to fraud as well as your identity should it be stolen.

Apart from these tips, educating yourself about the latest tactics used by hackers and cybercriminals can help you stay safe online. Besides stories like this one, it may also be a good idea to dive into the blog posts and reports put out by cybersecurity firms like BitdefenderMalwarebytesTrend Micro and other big players in the field. Fortunately, they all have their own blogs which are regularly updated with new research.

Google Calendar and other Google services are as useful for ordinary people as they could potentially be for hackers in their attacks. This is why we’ll likely continue to see stories about cybercriminals coming up with new ways to abuse them for their own gain.

Leave a comment

Your email address will not be published. Required fields are marked *