Connecting to LinkedIn...

W1siziisijiwmtuvmdqvmtuvmdgvntqvmzgvnzi1l01ptlrbu0hfqkxpr19vtljftkrfukvex0lnqudfx3jlc2l6zwrfyw5kx3jlbmrlcmvklmpwzyjdlfsiccisinrodw1iiiwimtkymhgxmjuwiyjdxq

Blog

IcoScript RAT Hides Behind Yahoo! Email Addresses

5/08/2014 by

W1siziisijiwmtqvmtavmjgvmtuvmzivmdgvntm4l2zpbguixsxbinailcj0ahvtyiisijywmhg0mdbcdtawm2uixv0

A classic remote administration tool (RAT) dubbed IcoScript has been discovered, after going undetected since 2012. What makes this malware unique is the fact that it connects to a Yahoo Mail account controlled by its authors to receive instructions - which are stored in specially crafted emails in the inbox.

Virus Bulletin has published a paper by Paul Rascagneres, a researcher from G Data, in which he describes IcoScript as a malware that uses the Component Object Model technology in Microsoft

Windows to control Internet Explorer, and from there make HTTP requests to remote services.

It also uses its own kind of scripting language to perform tasks. To optimize the manipulation of the browser and achieve a modular communication channel, the malware developers created a kind of scripting language. The script is encrypted and concealed in an additional file, used as a configuration file. This is appended to a legitimate ‘.ico’ (icon) file (containing an Adobe Reader logo).

The use of Yahoo! mailboxes is a stroke of genius, the researcher noted, and is a key reason the malware was able to fly under the radar for so long. The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones. So, this kind of communication can be hard for incident response teams to detect during the containment phase.

“Access to webmail services is rarely blocked in corporate environments and the traffic is very unlikely to be considered suspicious,” Rascagneres said. “Moreover, the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked. This shows that the attackers understand how incident response teams work, and have used this knowledge to make detection and containment of the malware both complicated and expensive.”

Overall, the technique used by the IcoScript remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests.

This article has been extracted from http://www.infosecurity-magazine.com, please click on this link to read the article in full
http://www.infosecurity-magazine.com/news/icoscript-rat-hides-behind-yahoo/

Montash is a multi-award winning, global IT recruitment business. Specialising in permanent and contract positions across mid-senior appointments across a wide range of industry sectors and IT functions, including:

ERP, BI & Data, Information Security, IT Architecture & Strategy, Energy & Technologies, Demand IT and Business Engagement, Digital and E-commerce, Leadership Talent, Infrastructure and Service Delivery, Project and Programme Delivery.

Montash is headquartered in Old Street, London, in the heart of the technology hub. Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid management in permanent and contract roles.

comments powered by Disqus

Social Stream

Latest News

W1siziisijiwmtcvmdkvmjkvmdgvmtmvmjkvmjgyl1vudgl0bgvkigrlc2lnbiaomjuplmpwzyjdlfsiccisinrodw1iiiwimzgwedewmcmixv0

Are PSLs a Blocker or an Enabler?

2017-10-02 11:00:00 +0100

The use of a Preferred Supplier List (PSL) was intended to support and strengthen relationships and performance between organisations and their third party suppliers. As the technical landscape continues to evolve at rapid rate recruitment and demand for new skills becomes more intense. Are PSLs still the solution or an obstacle to sourcing the right talent? The traditional PSL A dedicated list of partners intended to guarantee quality and availability ...

W1siziisijiwmtcvmdkvmjevmdgvndmvmduvmtmxl1vudgl0bgvkigrlc2lnbiaomjmplmpwzyjdlfsiccisinrodw1iiiwimzgwedewmcmixv0

Why do we punish the victims of hacking?

2017-09-21 09:00:00 +0100

Hacks occur every 39 seconds, with 95% of them targeting governments, retailers and the tech industry. If the hackers are caught, they'll face prison time under the Computer Misuse Act. More often than not, the businesses who are victims of those attacks expose themselves to punishment of their own. The laws that determine the duty of protection owed to businesses and their customers is both vague and broad, making them question just how much protection...