Researchers at anti-malware solutions provider G Data Software have analyzed a remote administration tool (RAT) that’s capable of using popular webmail and other types of services for command and control (C&C) communications.
The threat, dubbed Win32.Trojan.IcoScript.A by the company, has been around since 2012, but has managed to remain undetected until recently, G Data researcher Paul Rascagnères said in a paper (PDF) published on Virus Bulletin.
The IcoScript sample analyzed by the security firm used Yahoo Mail for C&C communications, but experts believe it could have relied on Gmail just as easily. Furthermore, since the RAT is modular, it would not be difficult for the malware writers to adapt their creation for social media platforms like LinkedIn and Facebook, Rascagnères explained.
The malware works by abusing a technology called Component Object Model (COM), which enables inter-process communication and dynamic object creation. COM can be used to control Internet Explorer, and the malware developers have designed the RAT so that it takes full advantage of this feature.
For example, they can hide malicious traffic because HTTP communication is done by the iexplorer.exe process, not the malware itself. Furthermore, since the session is hidden, it’s unlikely that the victim will notice the additional communication by the Web browser.
Another advantage of using COM is the fact that it makes analysis through reverse engineering more difficult since there is no clear evidence of malicious network behavior. Finally, if the targeted entity’s infrastructure uses a proxy, the malware can leverage the proxy token stored in the user session, the researcher said.
According to Rascagnères, the malware controls the Web browser through an encoded script stored in a separate file, which acts as a configuration file. In order to avoid raising suspicion, this file is appended to a legitimate icon (.ico) file that bears and Adobe Reader logo. This is the aspect that inspired researchers to name the threat IcoScript.
Interestingly, the RAT’s developers have created the script that’s used to control the browser with their own scripting language. Various commands are utilized to command Internet Explorer to go to a specified website, control elements on a Web page, enter credentials to access an email account, press buttons, check/uncheck checkboxes, execute files, exfiltrate data and much more.
The malicious activities could remain undetected because the attackers can use hundreds of legitimate-looking email accounts. Furthermore, companies can’t blacklist traffic associated with webmail services, Rascagnères pointed out.
Some intrusion detection systems (IDS) might not be efficient either. The inboxes used by IcoScript store emails containing various instructions. These instructions are inserted between strings like “<<<<<<” and “>>>>>>,” and “+++++++” and “######.” However, because Yahoo Mail traffic is compressed with gzip and it’s only uncompressed in the browser, the IDS can only detect the strings if it can decompress the data on the fly. Another problem would be that HTML obfuscation techniques can also be used to disguise the strings, the expert explained.
“For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked. Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on,” Rascagnères said in the research paper. “The containment must be performed on the network flow in real time. This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”