Google Docs becomes Google SOCKS: C2 Over Google Drive
Summary
This article describes a technique where Google Drive is used to establish Command and Control (C2) channels, effectively turning Google Docs into a C2 proxy. This method leverages the high volume of legitimate Google traffic to blend in and evade detection.
IFF Assessment
This technique demonstrates a novel way for attackers to maintain persistence and control over compromised systems by mimicking legitimate traffic patterns, making detection more challenging for defenders.
Defender Context
Defenders should be aware of this technique because it bypasses traditional network monitoring, which often allow-lists major cloud services such as Google Drive. Since the traffic itself looks legitimate, detection may have to rely on monitoring for unusual file activity, metadata changes, or communication patterns within Google Drive.
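As an added illustration of the "communication patterns" angle (example code written for this note, not part of the original article or any real detection product), the following flags an actor/file pair whose modifications recur at a regular, beacon-like interval. The record format, actors, file ids and thresholds are all constructed assumptions, not Google's real audit schema.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed, simplified Drive activity records (NOT Google's real audit schema):
# one line per file modification: "<ISO timestamp> <actor> <file_id> <event>"
SAMPLE_EVENTS = """\
2024-05-01T09:00:00Z bob@example.com doc-7731 edit
2024-05-01T09:01:00Z bob@example.com doc-7731 edit
2024-05-01T09:02:01Z bob@example.com doc-7731 edit
2024-05-01T09:02:59Z bob@example.com doc-7731 edit
2024-05-01T09:04:00Z bob@example.com doc-7731 edit
2024-05-01T09:05:00Z bob@example.com doc-7731 edit
2024-05-01T09:00:10Z alice@example.com doc-1204 edit
2024-05-01T09:07:45Z alice@example.com doc-1204 edit
2024-05-01T09:31:02Z alice@example.com doc-1204 edit
2024-05-01T10:12:30Z alice@example.com doc-1204 edit
2024-05-01T10:13:05Z alice@example.com doc-1204 edit
2024-05-01T11:40:00Z alice@example.com doc-1204 edit
"""

def parse_events(text):
    """Parse the constructed records into (timestamp, actor, file_id) tuples."""
    out = []
    for line in text.splitlines():
        ts, actor, file_id, _event = line.split()
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, file_id))
    return out

def find_beaconing_files(events, min_events=5, max_jitter=0.2):
    """Return (actor, file_id, median_interval_s) for actor/file pairs whose
    modification intervals are regular enough to resemble a polling loop:
    relative spread (stdev / median) at or below max_jitter over >= min_events
    edits. Human editing (alice) is bursty and irregular, so it is not flagged."""
    per_pair = defaultdict(list)
    for ts, actor, file_id in events:
        per_pair[(actor, file_id)].append(ts)
    hits = []
    for (actor, file_id), stamps in per_pair.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) / med <= max_jitter:
            hits.append((actor, file_id, med))
    return hits
```

The thresholds are starting points to tune against a tenant's own baseline; a real deployment would feed this from the organisation's Drive audit export rather than the constructed lines above.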