Online threat actors are exploiting Google's Calendar service to serve as a Command and Control (C2) infrastructure.

In non-technical language, Command and Control (C2) infrastructure can be seen as the headquarters or control center that orchestrates the cyber offensive, dictating how malware behaves once it has infiltrated a device or system.

A sophisticated group of attackers is employing a novel method, dubbed the "Google Calendar RAT," to stealthily commandeer this service as their personal C2 infrastructure. The technique, referred to as Google Calendar RAT, is essentially a public Proof of Concept (PoC) that exploits the event descriptions in Google Calendar to create what's termed a "Covert Channel."

The "Covert Channel" establishes a conduit for data transmission that evades regular security mechanisms: the target device (usually a victim of hacking) connects directly to Google in this case. The sheer ingenuity of the concept provides an almost perfect cover for threat actors, camouflaging their activities under the veil of Google's legitimate infrastructure. This new strategy poses a daunting challenge for cyber defenders, as it makes it quite arduous to distinguish between regular activity and suspicious undertakings.

According to Google, while the method hasn't been seen in the wild so far, pointers from its Threat Horizons report suggest an exacerbated threat landscape, with multiple threat actors sharing the PoC in nefarious underground forums, indicating an escalating interest in abusing cloud services.

Previous Inside Threats in Google Services

This is not the first instance of threat actors exploiting Google services for their operations. The Google Threat Analysis Group (TAG) had reported earlier this year about an Iran-associated Advanced Persistent Threat (APT) group that leveraged macro documents to disperse a miniature .NET backdoor, "BANANAMAIL." The service in question was Gmail, used as the C2 infrastructure.
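Because the channel described above lives inside ordinary calendar event descriptions, one practical defensive check is to triage exported events for descriptions that carry machine-encoded blobs rather than human text. The script below is an added example written for this page, not code from the article, from Google, or from the PoC it describes. It assumes a simplified export shaped like Google Calendar API event resources (only the `id`, `summary`, `description` and `attendees` fields are used); the sample events and the encoded blob are constructed here for the demonstration, and the heuristic (a long run of base64-alphabet characters that strictly decodes, plus a character-entropy score and an attendee count for triage) is an assumption about what such descriptions tend to look like, not a signature published by anyone.

```python
import base64
import binascii
import json
import math
import re
from collections import Counter

# Constructed sample records shaped like Google Calendar API event resources,
# trimmed to the fields the checks use. They are not real events, and the
# encoded blob is a labelled placeholder, not a real command.
ENCODED_BLOB = base64.b64encode(
    b"constructed placeholder payload, not a real command"
).decode()

SAMPLE_EVENTS_JSON = json.dumps([
    {"id": "evt-001", "summary": "Team standup",
     "description": "Daily sync, agenda in the shared doc.",
     "attendees": [{"email": "a@example.com"}, {"email": "b@example.com"}]},
    {"id": "evt-002", "summary": "Reminder",
     "description": "ack " + ENCODED_BLOB,
     "attendees": []},
    {"id": "evt-003", "summary": "Dentist", "description": "", "attendees": []},
])

# A run of base64-alphabet characters this long is unlikely in ordinary prose.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def shannon_entropy(text: str) -> float:
    """Bits per character of the string's character distribution (0.0 for empty)."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base64_blobs(description: str) -> list[str]:
    """Return the tokens in a description that strictly decode as base64."""
    blobs = []
    for match in BASE64_RUN.finditer(description):
        token = match.group(0)
        if len(token) % 4:          # valid base64 is always padded to a multiple of 4
            continue
        try:
            base64.b64decode(token, validate=True)
        except binascii.Error:
            continue
        blobs.append(token)
    return blobs


def triage_events(events_json: str) -> list[dict]:
    """Flag events whose description carries at least one decodable blob.

    Each finding keeps the fields an analyst needs to decide quickly:
    whether the event has no attendees (a lone self-created event is more
    consistent with a drop point than a meeting), how many blobs were found,
    and the entropy of the description text.
    """
    findings = []
    for event in json.loads(events_json):
        description = event.get("description") or ""
        blobs = base64_blobs(description)
        if not blobs:
            continue
        findings.append({
            "id": event["id"],
            "summary": event.get("summary", ""),
            "no_attendees": not event.get("attendees"),
            "blob_count": len(blobs),
            "entropy": round(shannon_entropy(description), 2),
        })
    return findings


if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS_JSON):
        print(finding)
```

Run over a real export, the same function would surface long encoded strings in event descriptions for an analyst to review; expect some noise from legitimate long identifiers, which is why the output is a triage list with context fields rather than a verdict.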