A new remote administration Trojan (RAT) receives command and control instructions through Yahoo Mail, and could be easily modified to communicate with its authors through Gmail or other popular webmail providers.
This new RAT’s significance stems primarily from its ability to elude the notice of intrusion detection systems by operating over seemingly benign domains.
According to an analysis written by Paul Rascagnères of the German security firm G-Data and published by Virus Bulletin, RATs generally transmit the information they steal from victimized machines over a specified port, or by regularly connecting to a remote server. Each of these behaviors is a well-known flag that is likely to trigger detection on corporate networks.
This RAT, known as IcoScript, has gone largely undetected since 2012. Part of the reason, Rascagnères explains, is because access to webmail services is rarely blocked or blacklisted in corporate environments and such traffic is very unlikely to be considered suspicious.
IcoScript makes use of Component Object Model (COM) technology in Microsoft Windows, issuing its HTTP requests to remote services through Internet Explorer so that the traffic appears to come from the browser. Another of its novelties is that it uses its own custom scripting language to perform various tasks.
In the sample analyzed by G-Data, IcoScript connected to a Yahoo Mail account controlled by its authors. The authors manipulate the malware by sending specially crafted emails containing coded instructions.
“Moreover,” Rascagnères writes, “the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked.”
Incident response teams generally contain malware like this, Rascagnères claims, by blocking the URL on the proxy. In the case of IcoScript, however, these URLs are not easily blocked, because they belong to a trusted service that the organization depends on. The efficacy of IcoScript is likely to increase if the attackers diversify the sources of their command and control, configuring samples of the malware to use any number of legitimate webmail providers, social networking sites, and cloud storage services.
“The containment must be performed on the network flow in real time,” Rascagnères concludes. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”
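To make the flow-level approach concrete, here is a small beaconing check over proxy logs. This is example code added for this page, not G-Data's analysis tooling and not derived from the IcoScript sample: the squid-style log layout, the client addresses, the 300-second polling cadence and the list of allowed webmail domains are all constructed assumptions. The idea it demonstrates is the one the article makes: since the destination cannot simply be blocked, the detection has to look at how a host talks to the webmail service (here, the regularity of its request timing) rather than at where it talks.

```python
"""Flow-level beaconing check over proxy logs (added example, not G-Data code).

Assumed log format (constructed for this example, not from the article):
  epoch_seconds client_ip method url status user_agent
"""
import statistics
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log: 10.0.0.5 polls Yahoo Mail every 300 s with a
# machine-like cadence; 10.0.0.7 is a person reading mail at irregular
# times; 10.0.0.9 never touches a webmail domain at all.
SAMPLE_LOG = """\
1407400000 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407400300 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407400600 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407400900 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407401200 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407401500 10.0.0.5 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407400100 10.0.0.7 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407402000 10.0.0.7 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407402040 10.0.0.7 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407409000 10.0.0.7 GET https://mail.yahoo.com/ 200 Mozilla/5.0
1407400050 10.0.0.9 GET https://example.com/ 200 Mozilla/5.0
"""

# Hypothetical allow-list of webmail services the organisation permits.
WEBMAIL_DOMAINS = {"mail.yahoo.com", "mail.google.com"}


def parse_log(text):
    """Turn the assumed proxy log into (timestamp, client, host, user_agent) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status, ua = line.split(None, 5)
        events.append((int(ts), client, urlparse(url).hostname, ua))
    return events


def find_beacons(events, min_hits=5, max_cv=0.1, domains=WEBMAIL_DOMAINS):
    """Return {(client, host): mean_gap_seconds} for client/webmail pairs whose
    request timing is too regular to be a person reading mail.

    cv is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a very low cv means a fixed polling interval.
    """
    by_pair = defaultdict(list)
    for ts, client, host, _ua in events:
        if host in domains:
            by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge cadence
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap == 0:
            continue  # burst of identical timestamps, not a polling pattern
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            flagged[pair] = mean_gap
    return flagged


if __name__ == "__main__":
    for (client, host), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} polls {host} every ~{gap:.0f}s: candidate C2 beacon")
```

Run as-is it reports only 10.0.0.5. The thresholds are deliberately simple: an implant that adds jitter to its sleep, or that only checks mail when a user is already active, will push the cv above 0.1, so in practice this check is one signal to combine with others (such as which process on the endpoint opened the connection) rather than a standalone verdict.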