Connecting to LinkedIn...

W1siziisijiwmtuvmdqvmtuvmdgvntqvmzgvnzi1l01ptlrbu0hfqkxpr19vtljftkrfukvex0lnqudfx3jlc2l6zwrfyw5kx3jlbmrlcmvklmpwzyjdlfsiccisinrodw1iiiwimtkymhgxmjuwiyjdxq

Blog

IcoScript RAT Hides Behind Yahoo! Email Addresses

5/08/2014 by

W1siziisijiwmtqvmtavmjgvmtuvmzivmdgvntm4l2zpbguixsxbinailcj0ahvtyiisijywmhg0mdbcdtawm2uixv0

A classic remote administration tool (RAT) dubbed IcoScript has been discovered, after going undetected since 2012. What makes this malware unique is the fact that it connects to a Yahoo Mail account controlled by its authors to receive instructions - which are stored in specially crafted emails in the inbox.

Virus Bulletin has published a paper by Paul Rascagneres, a researcher from G Data, in which he describes IcoScript as a malware that uses the Component Object Model technology in Microsoft

Windows to control Internet Explorer, and from there make HTTP requests to remote services.

It also uses its own kind of scripting language to perform tasks. To optimize the manipulation of the browser and achieve a modular communication channel, the malware developers created a kind of scripting language. The script is encrypted and concealed in an additional file, used as a configuration file. This is appended to a legitimate ‘.ico’ (icon) file (containing an Adobe Reader logo).

The use of Yahoo! mailboxes is a stroke of genius, the researcher noted, and is a key reason the malware was able to fly under the radar for so long. The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones. So, this kind of communication can be hard for incident response teams to detect during the containment phase.

“Access to webmail services is rarely blocked in corporate environments and the traffic is very unlikely to be considered suspicious,” Rascagneres said. “Moreover, the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked. This shows that the attackers understand how incident response teams work, and have used this knowledge to make detection and containment of the malware both complicated and expensive.”

Overall, the technique used by the IcoScript remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests.

This article has been extracted from http://www.infosecurity-magazine.com, please click on this link to read the article in full
http://www.infosecurity-magazine.com/news/icoscript-rat-hides-behind-yahoo/

Montash is a multi-award winning, global IT recruitment business. Specialising in permanent and contract positions across mid-senior appointments across a wide range of industry sectors and IT functions, including:

ERP, BI & Data, Information Security, IT Architecture & Strategy, Energy & Technologies, Demand IT and Business Engagement, Digital and E-commerce, Leadership Talent, Infrastructure and Service Delivery, Project and Programme Delivery.

Montash is headquartered in Old Street, London, in the heart of the technology hub. Montash has completed assignments in over 30 countries and has appointed technical professionals from board level to senior and mid management in permanent and contract roles.

comments powered by Disqus

Social Stream

Latest News

W1siziisijiwmtcvmdivmtuvmtyvntivmjuvnzkwl2n5ymvyigf0dgfja3muanbnil0swyjwiiwidgh1bwiilcizodb4mtawiyjdxq

UK threatened by serious cyber attacks every ...

2017-02-15 16:00:00 +0000

The security of the UK has been threatened by 188 serious cyber attacks in the last three months, a government security chief has said. National Cyber Security Centre (NCSC) Chief Executive Ciaran Martin told The Sunday Times that national security was put at risk by many of these attacks. Martin was speaking ahead of the official opening of the NCSC, which has been set up to protect critical services in the UK from such attacks and improve underlying i...

W1siziisijiwmtcvmdivmdgvmtavmzcvmzkvnjkyl0n5ymvyifnly3vyaxr5lmpwzyjdlfsiccisinrodw1iiiwimzgwedewmcmixv0

British cyber security workforce rises 163%

2017-02-08 10:00:00 +0000

Data from the UK has shown that the cyber security workforce has grown considerably over the past five years. According to a new report from cyber skills promotion network Tech Partnership, there are now 58,000 more workers in this industry – a rise of 163 per cent. It shows the growing importance of these professionals, with firms across a vast range of industries turning to cyber security specialists to safeguard their data. To collate the report, the...