A classic remote administration tool (RAT) dubbed IcoScript has been discovered, after going undetected since 2012. What makes this malware unique is the fact that it connects to a Yahoo Mail account controlled by its authors to receive instructions - which are stored in specially crafted emails in the inbox.
Virus Bulletin has published a paper by Paul Rascagneres, a researcher from G Data, in which he describes IcoScript as a malware that uses the Component Object Model technology in Microsoft
Windows to control Internet Explorer, and from there make HTTP requests to remote services.
It also uses its own kind of scripting language to perform tasks. To optimize the manipulation of the browser and achieve a modular communication channel, the malware developers created a kind of scripting language. The script is encrypted and concealed in an additional file, used as a configuration file. This is appended to a legitimate ‘.ico’ (icon) file (containing an Adobe Reader logo).
The use of Yahoo! mailboxes is a stroke of genius, the researcher noted, and is a key reason the malware was able to fly under the radar for so long. The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones. So, this kind of communication can be hard for incident response teams to detect during the containment phase.
“Access to webmail services is rarely blocked in corporate environments and the traffic is very unlikely to be considered suspicious,” Rascagneres said. “Moreover, the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked. This shows that the attackers understand how incident response teams work, and have used this knowledge to make detection and containment of the malware both complicated and expensive.”
Overall, the technique used by the IcoScript remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests.
This article has been extracted from http://www.infosecurity-magazine.com, please click on this link to read the article in full
Montash is a multi-award winning, global IT recruitment business. Specialising in permanent and contract positions across mid-senior appointments across a wide range of industry sectors and IT functions, including:
ERP, BI & Data, Information Security, IT Architecture & Strategy, Energy & Technologies, Demand IT and Business Engagement, Digital and E-commerce, Leadership Talent, Infrastructure and Service Delivery, Project and Programme Delivery.
Montash is headquartered in Old Street, London, in the heart of the technology hub. Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid management in permanent and contract roles.