Google Calendar RAT is a PoC of Command&Control (C2) over Google Calendar Events, This tool has been developed for those circumstances where it is difficult to create an entire red teaming infrastructure.
To use GRC, only a Gmail account is required. The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.”
It could be considered as a layer 7 application Covert Channel (but some friends would say it cannot be 🙂 very thanks to my mates “Tortellini”
GCR attempt to connect to a valid shared Google Calendar link and after generating a unique ID check for any yet-to-be-executed commands.
If it is not able to find any command, it creates a new one (fixed to “whoami”) as a proof of connection. Every event is composed by two part:
3. The Description, which contains the command to execute and the base64 encoded output using the pipe symbol as separator “|”
Focusing specifically on the network aspect, the only connections established will be to Google’s servers, making the connection appear completely legitimate. Let’s check with process hacker:
which results in this
Pip is the official package manager for Python and the standard way to install libraries from…
R is an open-source programming language and environment built for statistical computing and data visualization. It…
Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…
Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…
GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…
Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…