<p align="center">
<img alt="GCR" src="https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/blob/main/images/logo.png?raw=true" height="200" /><br />
<a href="https://twitter.com/mrsaighnal"><img src="https://img.shields.io/twitter/follow/mrsaighnal?style=social" alt="twitter" style="text-align:center;display:block;"></a>
</p>
<p align="left">
# GCR - Google Calendar RAT
Google Calendar RAT is a PoC of Command&Control (C2) over Google Calendar Events. This tool has been developed for those circumstances where it is difficult to create an entire red teaming infrastructure. To use GCR, only a Gmail account is required.
The script creates a 'Covert Channel' by exploiting the event descriptions in Google Calendar. The target will connect directly to Google.
It could be considered a layer 7 application covert channel (but some friends would say it cannot be :) many thanks to my mates "Tortellini" https://aptw.tf )
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/8e4e1f83-8141-408d-8910-e8e92896b8e4)
## POC
![poc](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/b83e6f28-36bd-454d-9c04-87095a280b1a)
## How it works
GCR attempts to connect to a valid shared Google Calendar link and, after generating a unique ID, checks for any yet-to-be-executed commands.
If it is not able to find any command, it creates a new one (fixed to "whoami") as a proof of connection.
Every event is composed of two parts:
1. The Title, which contains the unique ID. This means you can schedule multiple commands by creating events that have the same unique ID as their name.
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/df999259-3b1b-419f-b555-204fc5dc2dbf)
2. The Description, which contains the command to execute and the base64-encoded output, separated by the pipe symbol "|".
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/5f2630e2-5591-48d1-bae2-5695afa8a33e)
## Workflow Attack
![Untitled drawing (2)](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/99bec717-4e9a-4880-9a5a-b038666441b6)
## What will a SOC analyst/Blue Teamer see?
Focusing specifically on the network aspect, the only connections established will be to Google's servers, making the connection appear completely legitimate.
Let's check with Process Hacker:
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/a2bf1f24-90a6-49ab-9a12-bcc7c999e2b3)
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/66dbd7b5-4060-4829-9229-99bb0c5a19e5)
Which results in this:
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/244e9acf-44a9-45b7-92f5-f61d911446a3)
![image](https://github.com/MrSaighnal/GCR-Google-Calendar-RAT/assets/47419260/14c875fc-c28f-45d6-94c1-64e3dd02606b)
## How to use it
- Set up a Google service account and obtain the credentials.json file; place the file in the same directory as the script
- Create a new Google calendar and share it with the newly created service account
- Edit the script to point to your calendar address
- Once executed on the target machine, an event with a unique target ID is automatically created, auto-executing the "whoami" command
- Use the following syntax in the event description for the communication => CLEAR_COMMAND|BASE64_OUTPUT
### Examples:
- "whoami|"
- "net users|"
- The date is fixed on May 30th, 2023. You can create unlimited events using the unique ID as the event name.
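
For defenders auditing a calendar, the sketch below flags events whose description fits the `CLEAR_COMMAND|BASE64_OUTPUT` layout described above and groups them by title (the unique ID). It is an added example, not code from the GCR project; the event dictionaries (keys `summary`, `description`, `start`) are constructed sample data in a simplified shape, and splitting on the last pipe is an assumption.

```python
import base64
import binascii
from collections import defaultdict

FIXED_DATE = "2023-05-30"  # the page states events are dated May 30th, 2023

# Constructed sample events (simplified export shape, not real data).
SAMPLE_EVENTS = [
    {"summary": "a1b2c3d4", "start": "2023-05-30",
     "description": "whoami|" + base64.b64encode(b"lab\\user").decode()},
    {"summary": "a1b2c3d4", "start": "2023-05-30", "description": "net users|"},
    {"summary": "Team sync", "start": "2024-02-12",
     "description": "Agenda: budget | hiring"},
    {"summary": "Dentist", "start": "2024-03-01", "description": ""},
]


def parse_description(description):
    """Return (command, output_bytes) if the text fits CLEAR_COMMAND|BASE64_OUTPUT."""
    # Base64 never contains '|', so the last pipe is taken as the separator
    # (assumption: the command itself may contain pipes).
    command, sep, encoded = description.rpartition("|")
    if not sep or not command.strip():
        return None
    try:
        output = base64.b64decode(encoded.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None  # right-hand side is ordinary text, not base64
    return command.strip(), output


def find_channel_events(events):
    """Group matching events by title, which the page says carries the unique ID."""
    hits = defaultdict(list)
    for ev in events:
        parsed = parse_description(ev.get("description") or "")
        if parsed is None:
            continue
        command, output = parsed
        hits[ev.get("summary", "")].append({
            "command": command,
            "state": "executed" if output else "pending",
            "output": output.decode("utf-8", errors="replace"),
            "fixed_date": ev.get("start", "").startswith(FIXED_DATE),
        })
    return dict(hits)


if __name__ == "__main__":
    for title, found in find_channel_events(SAMPLE_EVENTS).items():
        print(title, found)
```

The match is a heuristic: an ordinary description that happens to end in a pipe would also be reported as pending, so treat repeated titles and the fixed date as corroborating signals.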
## Disclaimer and notes
Google Calendar RAT has been made in Italy with ❤️<p>
I prefer to consider this project as a game rather than an experiment :)
Please do not use it for illegal purposes.
I take no responsibility for the use that will be made of it.
<p>
IT IS JUST A POC IN PYTHON, PLEASE DO NOT ASK ME HOW TO WEAPONIZE IT!
## Video discussion
[![IMAGE ALT TEXT HERE](https://img.youtube.com/vi/yNnhdrjaCd0/0.jpg)](https://youtu.be/yNnhdrjaCd0?si=cGaD2h7DFMciE1lY&t=2250)
## Related articles
- [Google](https://services.google.com/fh/files/blogs/gcat_threathorizons_full_oct2023.pdf)
- [Microsoft](https://www.msn.com/en-us/news/technology/even-google-calendar-isnt-safe-from-hackers-any-more/ar-AA1juBQk)
- [Android Headlines](https://www.androidheadlines.com/2023/11/google-calendar-exploited-new-remote-access-trojan-rat.html)
- [BitDefender](https://www.bitdefender.com/blog/hotforsecurity/google-warns-of-google-calendar-rat-exploit-in-security-report/)
- [The Hacker News](https://thehackernews.com/2023/11/google-warns-of-hackers-absing-calendar.html)
- [LinkedIn](https://www.linkedin.com/pulse/unmasking-google-calendar-rat-gcr-new-covert-cc-hqq0c/?trk=article-ssr-frontend-pulse_more-articles_related-content-card)
- [Security Affairs](https://securityaffairs.com/153700/hacking/google-calendar-rat-attacks.html)
- [Medium](https://chennylmf.medium.com/unveiling-the-cunning-a-demo-of-google-calendar-rat-exploiting-calendar-service-for-c2-operations-d6ee0b2f8011)
- [PC Magazine](https://www.pcmag.com/news/google-calendar-is-a-potential-tool-for-hackers-to-control-malware)
- [VPNOverview](https://vpnoverview.com/news/google-calendar-can-be-used-to-spread-malware-report-warns/)
- [Softonic](https://en.softonic.com/articles/not-even-google-calendar-is-free-from-hackers)
- [Cybersecurity News](https://cybersecuritynews.com/google-calendar-rat/)
- [Cyber Material](https://cybermaterial.com/threat-actors-exploit-google-calendar/)
- [DarkReading](https://www.darkreading.com/cloud/google-cloud-rat-calendar-events-command-and-control)
- [Vulners](https://vulners.com/thn/THN:59821E9D5171515534AD05F1337FF45D)
- [ExploitOne](https://www.exploitone.com/tutorials/this-google-calendar-technique-allows-to-hack-into-companies-without-getting-detected/)
- [Wired (Italian)](https://www.wired.it/article/google-calendar-attacchi-informatici-malware/)
- [Punto Informatico (Italian)](https://www.punto-informatico.it/google-calendar-nuovo-bersaglio-hacker/)
- [Il Software (Italian)](https://www.ilsoftware.it/google-calendar-rat-hacker-sfruttano-calendar-per-i-loro-attacchi/)
- [Red Hot Cyber (Italian)](https://www.redhotcyber.com/post/google-calendar-utilizzato-come-comand-control-per-la-gestione-dei-malware/)
## Similar (External) Projects
- [GSR - Google-Slides-RAT (by [Me] MrSaighnal)](https://github.com/MrSaighnal/GSR-Google-Slides-RAT)
- [GC2-Sheet (by Lorenzo Grazian)](https://github.com/looCiprian/GC2-sheet)