MeetC2 – A Serverless C2 Framework Leveraging Google Calendar APIs

MeetC2 is a proof-of-concept (PoC) serverless C2 framework that utilizes the Google Calendar API to create a covert communication channel between operators and a compromised system. This innovative framework mimics cloud abuse techniques, allowing teams to test detection, logging, and response in a controlled environment.

A Growing Concern: Cloud Abuse

Modern adversaries are increasingly hiding command-and-control (C2) traffic within cloud services. This makes it challenging for red and blue teams to detect, log, and respond to cloud abuse scenarios. MeetC2 was designed to address this concern by providing a reproducible way to validate detections, logging, and third-party app governance for cloud-abuse C2 in a controlled environment.

A Successful Internal Exercise

During an internal purple-team exercise, our team witnessed how easily traffic to trusted SaaS domains slipped by. This experience motivated us to build MeetC2, a lightweight and cross-platform PoC that leverages the Google Calendar API to create a hidden communication channel.

How MeetC2 Works

MeetC2 is a cross-platform application (macOS/Linux) that demonstrates how legitimate cloud services can be abused for adversarial operations. Once authenticated, the agent enters a polling loop, sending GET requests every 30 seconds to check for new calendar events containing commands.

The "organizer" posts new events to the same Calendar API endpoint, with the command embedded in the event's summary field. The "guest" agent identifies these command events during its regular polling, extracts and executes the command locally, and then updates the same event via a PUT request, placing the command output in the [OUTPUT] parameter of the description field.
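The traffic pattern described above (fixed-interval GET polling of Calendar events followed by a PUT write-back) can be hunted for in proxy or EDR telemetry. The following is an added detection example, not code from the MeetC2 project; the log layout, host names, process names, event ID and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CAL_EVENTS = "www.googleapis.com/calendar/v3/calendars/"  # Calendar API v3 path prefix

# Constructed proxy records: timestamp host process method url (layout is an assumption).
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-014 guest GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:00:05 ws-020 chrome GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:00:30 ws-014 guest GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:01:00 ws-014 guest GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:01:30 ws-014 guest GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:01:31 ws-014 guest PUT www.googleapis.com/calendar/v3/calendars/primary/events/evt1
2025-01-10T09:02:00 ws-014 guest GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:03:40 ws-020 chrome GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:04:02 ws-020 chrome GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:11:15 ws-020 chrome GET www.googleapis.com/calendar/v3/calendars/primary/events
2025-01-10T09:15:50 ws-020 chrome GET www.googleapis.com/calendar/v3/calendars/primary/events
"""

def find_calendar_beacons(log_text, min_polls=5, max_jitter=0.1):
    """Return (host, process, mean_interval_s, put_count) for fixed-interval pollers."""
    polls, puts = defaultdict(list), defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].startswith(CAL_EVENTS):
            continue  # skip malformed lines and non-Calendar traffic
        ts, host, proc, method, _ = parts
        if method == "GET":
            polls[(host, proc)].append(datetime.fromisoformat(ts))
        elif method == "PUT":
            puts[(host, proc)] += 1  # event update, e.g. output written back
    findings = []
    for key, times in polls.items():
        if len(times) < min_polls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation near 0 means machine-like, fixed-interval polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append((key[0], key[1], avg, puts[key]))
    return findings

if __name__ == "__main__":
    for host, proc, interval, put_count in find_calendar_beacons(SAMPLE_LOG):
        print(f"{host} {proc}: poll every {interval:.0f}s, {put_count} PUT update(s)")
```

On the constructed sample, the non-browser process polling every 30 seconds is flagged, while the browser's irregular Calendar requests are not. A complementary check is to search Calendar event descriptions for the [OUTPUT] marker the page describes.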

MeetC2 Commander

The MeetC2 commander is a simple bash script that can be used to issue commands to the compromised system. It supports various options, including:

  • exec – Execute on all hosts
  • exec @host: – Execute on specific host
  • exec @*: – Execute on all hosts (explicit)
  • list – List recent commands
  • get – Get command output
  • clear – Clear executed events
  • exit – Exit organizer

A Word of Caution: OpSec

While MeetC2 is a functional PoC, it's essential to note that there are improvements to be made in its operational security (OpSec), specifically for the "guest" binary. We recommend using a test GCP project for such a setup and purging it later.

About the Author

Security Researcher Dhiraj Mishra (@mishradhiraj) is the author of this article.