SecurityWeek

RAT Abuses Yahoo Mail for C&C Communications

Researchers at anti-malware solutions provider G Data Software have analyzed a remote administration tool (RAT) that’s capable of using popular webmail and other types of services for command and control (C&C) communications.

The threat, dubbed Win32.Trojan.IcoScript.A by the company, has been around since 2012, but has managed to remain undetected until recently, G Data researcher Paul Rascagnères said in a paper (PDF) published on Virus Bulletin.

The IcoScript sample analyzed by the security firm used Yahoo Mail for C&C communications, but experts believe it could have relied on Gmail just as easily. Furthermore, since the RAT is modular, it would not be difficult for the malware writers to adapt their creation for social media platforms like LinkedIn and Facebook, Rascagnères explained.

The malware works by abusing a technology called Component Object Model (COM), which enables inter-process communication and dynamic object creation. Internet Explorer exposes a COM automation interface through which any local process can script the browser, and the malware developers have designed the RAT so that it takes full advantage of this feature.

For example, they can hide malicious traffic because the HTTP communication is performed by the iexplore.exe process, not by the malware itself. Furthermore, since the browser instance is created without a visible window, it's unlikely that the victim will notice the additional communication by the Web browser.

Another advantage of using COM is that it makes analysis through reverse engineering more difficult: the malware binary contains no networking code of its own, so there is no clear evidence of malicious network behavior for an analyst to find. Finally, if the targeted entity's infrastructure uses a proxy, the malware can leverage the proxy authentication already established in the user's browser session, the researcher said.

According to Rascagnères, the malware controls the Web browser through an encoded script stored in a separate file, which acts as a configuration file. In order to avoid raising suspicion, this file is appended to a legitimate icon (.ico) file that bears an Adobe Reader logo. This is the aspect that inspired researchers to name the threat IcoScript.
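A practical check for the hiding technique described above is structural: an ICO file's directory declares exactly where each embedded image starts and how long it is, so any bytes past the end of the last image are not referenced by the icon and deserve a look. The following is an added example written for this article, not code from G Data or from the IcoScript sample itself. It walks the ICONDIR and ICONDIRENTRY table, reports unreferenced trailing bytes, and builds its own constructed icons (the "image" payloads are opaque filler and the appended string is a placeholder; the real script's encoding is not described on this page and is not decoded here).

```python
import struct

ICONDIR_FMT = "<HHH"            # reserved (0), resource type (1 = icon), image count
ICONDIRENTRY_FMT = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, bytes, offset
ICONDIR_SIZE = struct.calcsize(ICONDIR_FMT)          # 6
ICONDIRENTRY_SIZE = struct.calcsize(ICONDIRENTRY_FMT)  # 16


def ico_payload_bounds(data: bytes):
    """Return (end_of_last_referenced_byte, file_length) for an ICO blob.

    Everything at or beyond the first value is unreferenced by the icon
    structure: that is where an appended payload would live.
    """
    if len(data) < ICONDIR_SIZE:
        raise ValueError("too short to be an ICO file")
    reserved, res_type, count = struct.unpack_from(ICONDIR_FMT, data, 0)
    if reserved != 0 or res_type != 1 or count == 0:
        raise ValueError("not an ICO header")
    end = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    if len(data) < end:
        raise ValueError("truncated ICONDIRENTRY table")
    for i in range(count):
        entry_off = ICONDIR_SIZE + ICONDIRENTRY_SIZE * i
        *_, size, offset = struct.unpack_from(ICONDIRENTRY_FMT, data, entry_off)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        end = max(end, offset + size)
    return end, len(data)


def trailing_data(data: bytes) -> bytes:
    """Bytes after the last image referenced by the icon directory (b'' if clean)."""
    end, _ = ico_payload_bounds(data)
    return data[end:]


def build_ico(image_blobs, appended: bytes = b"") -> bytes:
    """Assemble a structurally valid ICO from opaque image payloads.

    Constructed test data: the blobs are not real bitmaps, which is enough
    to exercise the directory walk. `appended` is glued on after the last
    image, the way the article describes the script being hidden.
    """
    count = len(image_blobs)
    header = struct.pack(ICONDIR_FMT, 0, 1, count)
    offset = ICONDIR_SIZE + ICONDIRENTRY_SIZE * count
    entries, body = b"", b""
    for blob in image_blobs:
        entries += struct.pack(ICONDIRENTRY_FMT, 16, 16, 0, 0, 1, 32, len(blob), offset)
        body += blob
        offset += len(blob)
    return header + entries + body + appended


# Constructed samples: two 16x16 "images" of 40 and 72 filler bytes each.
CLEAN_ICO = build_ico([b"\x00" * 40, b"\x00" * 72])
# Same icon with a placeholder string appended (stands in for the encoded script).
SUSPECT_ICO = build_ico([b"\x00" * 40, b"\x00" * 72], appended=b"ENCODED-SCRIPT-PLACEHOLDER")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_ICO), ("suspect", SUSPECT_ICO)):
        extra = trailing_data(blob)
        print(f"{name}: {len(extra)} unreferenced trailing byte(s)"
              + (f" starting {extra[:16]!r}" if extra else ""))
```

A hit means the file carries bytes the icon format does not account for; sloppy icon editors can also leave a few bytes of slack, so treat a non-empty result as a lead to inspect (entropy, strings, what process opens the file) rather than a verdict on its own.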

Interestingly, the RAT's developers wrote the script that controls the browser in their own scripting language. Its commands instruct Internet Explorer to go to a specified website, control elements on a Web page, enter credentials to access an email account, press buttons, check or uncheck checkboxes, execute files, exfiltrate data and much more.


The malicious activities could remain undetected because the attackers can use hundreds of legitimate-looking email accounts. Furthermore, companies cannot simply blacklist traffic to webmail services without also blocking legitimate use, Rascagnères pointed out.

Some intrusion detection systems (IDS) might not be effective either. The inboxes used by IcoScript store emails containing various instructions. These instructions are inserted between strings like “<<<<<<” and “>>>>>>,” and “+++++++” and “######.” However, because Yahoo Mail traffic is compressed with gzip and is decompressed only in the browser, an IDS can detect the strings only if it can decompress the data on the fly. A further problem is that HTML obfuscation techniques can also be used to disguise the strings, the expert explained.
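The following is an added example, written for this article rather than taken from the G Data paper or from any IDS product, showing why a byte-level signature on the wire misses the markers while a detector that undoes gzip (and, for the simplest form of HTML obfuscation, entity encoding) finds them. The marker pairs are the ones quoted above; the HTTP responses, page markup and the "CMD-ONE"/"CMD-TWO" placeholders standing in for instructions are all constructed here.

```python
import gzip
import html
import re

# Marker pairs quoted in the G Data paper; an instruction sits between them.
MARKER_PAIRS = [("<<<<<<", ">>>>>>"), ("+++++++", "######")]
PATTERNS = [re.compile(re.escape(a) + r"(.*?)" + re.escape(b), re.DOTALL)
            for a, b in MARKER_PAIRS]


def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        key, _, value = line.partition(b":")
        headers[key.strip().lower()] = value.strip().lower()
    return headers, body


def decode_body(headers, body: bytes) -> str:
    """Undo what the browser would undo before the page is rendered."""
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    # Collapse "&lt;&lt;..." back to "<<...". Markers split across tags or
    # assembled by JavaScript would still slip past this simple step.
    return html.unescape(body.decode("utf-8", errors="replace"))


def find_instructions(raw_response: bytes) -> list:
    """Instructions found between the marker pairs after decoding the body."""
    headers, body = split_http_response(raw_response)
    text = decode_body(headers, body)
    found = []
    for pattern in PATTERNS:
        found.extend(m.group(1).strip() for m in pattern.finditer(text))
    return found


def naive_matches(raw_response: bytes) -> list:
    """What a signature engine that only scans the raw wire bytes sees."""
    _, body = split_http_response(raw_response)
    return [a for a, _ in MARKER_PAIRS if a.encode() in body]


# Constructed webmail-style page carrying two placeholder instructions.
BODY = ('<html><body><div class="msg">Q3 numbers attached '
        '<<<<<< CMD-ONE >>>>>></div><div>+++++++ CMD-TWO ######</div></body></html>')
# Same page with the first marker pair entity-encoded (crude HTML obfuscation).
ENTITY_BODY = (BODY.replace("<<<<<<", "&lt;" * 6).replace(">>>>>>", "&gt;" * 6))


def http_response(body: str, gzipped: bool) -> bytes:
    """Build a constructed HTTP/1.1 response, optionally gzip-encoded."""
    payload = body.encode()
    hdrs = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
    if gzipped:
        hdrs += b"Content-Encoding: gzip\r\n"
        payload = gzip.compress(payload)
    return hdrs + b"\r\n" + payload


PLAIN_RESPONSE = http_response(BODY, gzipped=False)
GZIP_RESPONSE = http_response(BODY, gzipped=True)
GZIP_ENTITY_RESPONSE = http_response(ENTITY_BODY, gzipped=True)

if __name__ == "__main__":
    for name, resp in (("plain", PLAIN_RESPONSE), ("gzip", GZIP_RESPONSE),
                       ("gzip+entities", GZIP_ENTITY_RESPONSE)):
        print(f"{name:14} wire-byte hits: {naive_matches(resp)!r:28} "
              f"decoded: {find_instructions(resp)}")
```

On the gzip-encoded response the wire-byte scan returns nothing, since deflate never emits six literal `<` or seven literal `+` bytes in a row, while the decoding path recovers both instructions; this is the "decompress on the fly" capability the researcher says an IDS needs, and the entity-encoded case shows how little extra obfuscation is needed to defeat a detector that stops at decompression.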

“For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked. Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on,” Rascagnères said in the research paper. “The containment must be performed on the network flow in real time. This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
