This is a small implementation of a technique recently uncovered by security researchers. Threat actors were using Unicode Private Use Area characters (PUAs) to hide payloads inside Google Calendar (.ics) files, obfuscating the payload and bypassing traditional security mechanisms.
Research: https://www.aikido.dev/blog/youre-invited-delivering-malware-via-google-calendar-invites-and-puas
This is a small tool to generate an ICS file. The tool requires a number of details. It was written to understand how an ICS implementation can be done using Python.
This is the implementation where we are required to provide the URL of the hosted .ics file (calendar file). The tool decodes the encoded PUAs and then executes the command.
In this implementation the tool first decodes the commands and then asks whether the command should be executed. In real-life scenarios, threat actors can have the payload executed in memory, execute the commands, encode the results in PUAs, and exfiltrate them using .ics files as well.
This is the implementation of PUAs to encode and decode the PUA payload that will eventually become part of the .ics file.
I have released a web-based tool as well to encode and decode the PUAs via a web browser. The tool can be found at the link below.
The tool allows users to do the following:
- Generate the PUAs payloads.
- Decode the PUAs payloads.
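From the defender's side, the property worth checking is the one the technique relies on: legitimate calendar invites essentially never contain Private Use Area code points, so their presence in an .ics property value is a strong signal. The scanner below is an added example, not part of this tool or of the research it references. It unfolds RFC 5545 content lines, reports which properties carry PUA characters and how many, and, for triage, recovers each code point's offset from the start of its PUA block. That offset-recovery step assumes a one-byte-to-one-code-point encoding at a fixed offset, which the page does not state; the sample invite is constructed for the example.

```python
"""Scan an iCalendar (.ics) file for Unicode Private Use Area (PUA) code points.

Added example for defenders; not code from the original tool.
"""
from typing import Dict, List

# The three Private Use Area ranges defined by the Unicode standard.
PUA_RANGES = (
    (0xE000, 0xF8FF),      # Basic Multilingual Plane Private Use Area
    (0xF0000, 0xFFFFD),    # Supplementary Private Use Area-A
    (0x100000, 0x10FFFD),  # Supplementary Private Use Area-B
)


def is_pua(ch: str) -> bool:
    """True if the single character lies in any Private Use Area."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in PUA_RANGES)


def unfold_ics(text: str) -> List[str]:
    """Undo RFC 5545 line folding: a line break followed by a space or tab
    continues the previous content line."""
    lines = text.replace("\r\n", "\n").split("\n")
    unfolded: List[str] = []
    for line in lines:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]
        elif line:
            unfolded.append(line)
    return unfolded


def scan_ics(text: str) -> Dict[str, int]:
    """Return {PROPERTY_NAME: number_of_PUA_code_points} for every content
    line whose value contains at least one PUA character."""
    findings: Dict[str, int] = {}
    for line in unfold_ics(text):
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # Drop property parameters such as ";LANGUAGE=en" to get the bare name.
        prop = name.split(";", 1)[0].upper()
        count = sum(1 for ch in value if is_pua(ch))
        if count:
            findings[prop] = findings.get(prop, 0) + count
    return findings


def pua_offsets(value: str) -> List[int]:
    """Triage helper: offset of each PUA code point from the start of its
    block. Assumption (not stated on the page): the encoder maps one byte to
    one code point at a fixed offset, so these offsets are candidate bytes."""
    offsets: List[int] = []
    for ch in value:
        cp = ord(ch)
        for lo, hi in PUA_RANGES:
            if lo <= cp <= hi:
                offsets.append(cp - lo)
    return offsets


# Constructed sample invite (not a real capture). The DESCRIPTION carries
# three PUA characters, folded across two lines; the SUMMARY is clean.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\n"
    "VERSION:2.0\r\n"
    "BEGIN:VEVENT\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION;LANGUAGE=en:Agenda attached \ue048\ue069\r\n"
    " \ue021\r\n"
    "END:VEVENT\r\n"
    "END:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for prop, n in scan_ics(SAMPLE_ICS).items():
        print(f"ALERT: {prop} contains {n} Private Use Area code point(s)")
```

Run against a directory of received invites, any non-empty result from `scan_ics` is worth a closer look; the same check can be wired into a mail gateway or a YARA-style rule on the `\xEE`-`\xEF` and 4-byte UTF-8 lead bytes that PUA code points produce.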