Google Calendar RAT is a PoC of Command&Control (C2) over Google Calendar Events, This tool has been developed for those circumstances where it is difficult to create an entire red teaming infrastructure.
To use GRC, only a Gmail account is required. The script creates a ‘Covert Channel’ by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.”
It could be considered as a layer 7 application Covert Channel (but some friends would say it cannot be 🙂 very thanks to my mates “Tortellini”
GCR attempt to connect to a valid shared Google Calendar link and after generating a unique ID check for any yet-to-be-executed commands.
If it is not able to find any command, it creates a new one (fixed to “whoami”) as a proof of connection. Every event is composed by two part:
3. The Description, which contains the command to execute and the base64 encoded output using the pipe symbol as separator “|”
Focusing specifically on the network aspect, the only connections established will be to Google’s servers, making the connection appear completely legitimate. Let’s check with process hacker:
which results in this
Pystinger is a Python-based tool that enables SOCKS4 proxying and port mapping through webshells. It…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
Introduction When it comes to cybersecurity, speed and privacy are critical. Public vulnerability databases like…
If you are working with Linux or writing bash scripts, one of the most common…
What is a bash case statement? A bash case statement is a way to control…
Why Do We Check Files in Bash? When writing a Bash script, you often work…