Malicious communication hides behind legitimate traffic

Oct 29, 2014 17:57 GMT  ·  By

A new variant of IcoScript RAT (remote access Trojan) has been detected to rely on Gmail draft messages to send stolen information to its operator and to receive instructions for further action.

The RAT was discovered in August by security researchers at G Data, who found that it used a hidden Internet Explorer session to access web-based services from Yahoo for communication with the attackers.

At the time, Paul Rascagnère said that changing the email service provider would not be a difficult feat.

Data seeping out surreptitiously

Shape Security, a company that offers a network hardware solution for protecting websites against cyber-attacks, found a new strain of the malware on the systems of one of its clients, according to Wired.

In order to reach the final stage of the compromise and steal the information, several steps have to be taken. In the example provided by Shape Security, it all starts with the creation of an anonymous Gmail account and the planting of the RAT on the target.

After that, a script mediates the data exchange between the Gmail service and the malware. The connection to the email service is carried out through Component Object Model (COM) technology, which allows programs to access information from web pages through Internet Explorer without a visible browser window being opened.

All that security products see on the affected computer is legitimate mail traffic, which makes the attack very difficult to detect.

In the incident observed by Shape Security, the malware launches a hidden Gmail IE session after infecting the computer. Logging into the service is done automatically through a Python script, which also mediates the communication with the attacker through a draft message.

This way, instructions such as commands to execute or the type of information to exfiltrate are received by the malware; data collected from the victim travels back the same way.
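One defensive angle on the mechanism described above is host telemetry rather than network traffic: a browser that is driven through COM rather than opened by a user is started differently, and process-creation records show that. The script below is an added example written for this page, not code from the article, G Data or Shape Security. It assumes Sysmon-style records with Image, CommandLine and ParentImage fields serialized as `key=value` pairs separated by `|`, and that Windows passes `-Embedding` on the command line when iexplore.exe is activated as a COM server; the sample records are constructed, not real telemetry.

```python
"""Detection sketch: flag Internet Explorer instances started as COM servers.

Added example; not code from the article, G Data or Shape Security.
Assumptions (not from the article): process-creation records are
'key=value' fields separated by '|' (Sysmon-like Image, CommandLine,
ParentImage), and '-Embedding' marks an iexplore.exe started through COM.
"""
from typing import Dict, List, Optional, Tuple

# Parents that start Internet Explorer for an interactive user.
INTERACTIVE_PARENTS = {"explorer.exe"}
# The DCOM launcher service normally appears as the parent of a COM-activated
# server, so the automating script is usually not the direct parent; this
# finding therefore needs correlation with other host telemetry.
DCOM_LAUNCHER = "svchost.exe"


def parse_event(line: str) -> Dict[str, str]:
    """Parse one record into a dict keyed by lower-cased field name."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Dict[str, str]) -> Optional[str]:
    """Return 'high', 'medium' or None for one process-creation record."""
    if basename(ev.get("image", "")) != "iexplore.exe":
        return None
    parent = basename(ev.get("parentimage", ""))
    com_activated = "-embedding" in ev.get("commandline", "").lower()
    if parent in INTERACTIVE_PARENTS or not com_activated:
        return None  # ordinary browser launch (user, link from another app)
    if parent == DCOM_LAUNCHER:
        return "medium"  # script-driven IE via COM; common enough to need context
    return "high"  # COM-style start from an unexpected parent


def find_com_activated_ie(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, parent basename, command line) for each finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        severity = score_event(ev)
        if severity:
            findings.append((severity, basename(ev.get("parentimage", "")),
                             ev.get("commandline", "")))
    return findings


# Constructed sample records for demonstration; not real telemetry.
SAMPLE_LOG = [
    r"Image=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=iexplore.exe -Embedding|ParentImage=C:\Windows\System32\svchost.exe",
    r"Image=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=iexplore.exe https://mail.google.com/|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Program Files\Internet Explorer\iexplore.exe|CommandLine=iexplore.exe -Embedding|ParentImage=C:\Users\victim\AppData\Local\Temp\updater.exe",
    r"Image=C:\Python27\pythonw.exe|CommandLine=pythonw.exe sync.py|ParentImage=C:\Users\victim\AppData\Local\Temp\updater.exe",
]

if __name__ == "__main__":
    for severity, parent, cmd in find_com_activated_ie(SAMPLE_LOG):
        print(f"[{severity}] iexplore.exe started via COM, parent={parent}, cmd={cmd}")
```

The point of the two severities is that COM-driven Internet Explorer is also used by legitimate automation, so the DCOM-launcher case is a lead to correlate with the script host and the account activity, not a verdict on its own; only the unexpected-parent case is flagged high.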

No malicious traffic detected, data leak is difficult to block

By avoiding commonly used command-and-control protocols (IRC or HTTP), IcoScript ensures a high level of stealth. This, in turn, creates another problem: determining the number of infected systems.

However, it is believed that the use of IcoScript is limited to targeted attacks.

Security experts from both G Data and Shape Security agree that blocking an attack of this type is quite difficult and that solving the issue falls into the hands of the email service provider.

Incident response teams work by blocking malicious traffic, whereas in this case the connection is legitimate, and shutting down email communication altogether is not a valid option.

Wired contacted Google about the matter and received an answer saying that malicious and programmatic use of Gmail is actively monitored and that abusive accounts are removed as soon as they are identified.