RAT Abuses Yahoo Mail for C&C Communications

Researchers at anti-malware solutions provider G Data Software have analyzed a remote administration tool (RAT) that’s capable of using popular webmail and other types of services for command and control (C&C) communications.

The threat, dubbed Win32.Trojan.IcoScript.A by the company, has been around since 2012, but has managed to remain undetected until recently, G Data researcher Paul Rascagnères said in a paper (PDF) published on Virus Bulletin.

The IcoScript sample analyzed by the security firm used Yahoo Mail for C&C communications, but experts believe it could have relied on Gmail just as easily. Furthermore, since the RAT is modular, it would not be difficult for the malware writers to adapt their creation for social media platforms like LinkedIn and Facebook, Rascagnères explained.

The malware works by abusing a technology called Component Object Model (COM), which enables inter-process communication and dynamic object creation. COM can be used to control Internet Explorer, and the malware developers have designed the RAT so that it takes full advantage of this feature.

For example, they can hide malicious traffic because the HTTP communication is performed by the iexplore.exe process, not by the malware itself. Furthermore, since the browser session is hidden, it is unlikely that the victim will notice the additional communication by the Web browser.

Another advantage of using COM is that it makes analysis through reverse engineering more difficult, since the malware binary itself shows no clear evidence of malicious network behavior. Finally, if the targeted entity’s infrastructure uses a proxy, the malware can leverage the proxy authentication token already stored in the user’s browser session, the researcher said.

According to Rascagnères, the malware controls the Web browser through an encoded script stored in a separate file, which acts as a configuration file. In order to avoid raising suspicion, this file is appended to a legitimate icon (.ico) file that bears an Adobe Reader logo. This is the aspect that inspired researchers to name the threat IcoScript.

Interestingly, the RAT’s developers have created the script that’s used to control the browser with their own scripting language. Various commands are utilized to command Internet Explorer to go to a specified website, control elements on a Web page, enter credentials to access an email account, press buttons, check/uncheck checkboxes, execute files, exfiltrate data and much more.

The malicious activities could remain undetected because the attackers can use hundreds of legitimate-looking email accounts. Furthermore, companies can’t blacklist traffic associated with webmail services, Rascagnères pointed out.

Some intrusion detection systems (IDS) might not be effective either. The inboxes used by IcoScript store emails containing various instructions. These instructions are inserted between marker strings such as “<<<<<<” and “>>>>>>,” or “+++++++” and “######.” However, because Yahoo Mail traffic is compressed with gzip and is only decompressed in the browser, an IDS can detect the marker strings only if it can decompress the data on the fly. A further problem is that HTML obfuscation techniques can also be used to disguise the strings, the expert explained.
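A defender-side illustration of that decompression step, added here and not part of the article or the G Data paper: it gunzips an HTTP response body, undoes simple tag and entity obfuscation, and then looks for the delimiter pairs quoted above. The delimiter strings are from the article; the HTTP parsing, the tag list, the sample page and the command words are constructed assumptions.

```python
import gzip
import html
import re

# Delimiter pairs the article reports around IcoScript instructions in the inbox.
DELIMITERS = [("<<<<<<", ">>>>>>"), ("+++++++", "######")]
# Tags an attacker might interleave between marker characters to defeat naive
# string matching (assumed set; order matters: strip tags, then decode entities).
OBFUSCATION_TAGS = re.compile(
    r"</?(html|body|div|p|span|font|b|i|u|em|strong|br|a)\b[^<>]*>", re.IGNORECASE)


def decoded_body(raw: bytes) -> str:
    """Split a raw HTTP response and return its body as text, gunzipped if needed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = dict(
        (k.strip().lower(), v.strip()) for k, _, v in
        (line.decode().partition(":") for line in head.split(b"\r\n")[1:]))
    if "gzip" in headers.get("content-encoding", "").lower():
        body = gzip.decompress(body)  # the step a stream-only IDS skips
    return body.decode("utf-8", errors="replace")


def normalize_html(text: str) -> str:
    """Remove interleaved tags, then decode entities, so split markers reassemble."""
    return html.unescape(OBFUSCATION_TAGS.sub("", text))


def extract_commands(raw: bytes) -> list[str]:
    """Return every string found between a known IcoScript delimiter pair."""
    text = normalize_html(decoded_body(raw))
    found = []
    for opener, closer in DELIMITERS:
        pattern = re.escape(opener) + r"(.*?)" + re.escape(closer)
        found.extend(m.strip() for m in re.findall(pattern, text, re.DOTALL))
    return found


# Constructed sample: a gzip-encoded webmail page carrying two obfuscated commands.
SAMPLE_HTML = (
    "<html><body><div>&lt;&lt;<span>&lt;</span>&lt;&lt;&lt;"
    "OPEN http://webmail.example/inbox&gt;&gt;&gt;<b></b>&gt;&gt;&gt;"
    "<p>+++<font>+</font>+++ CLICK login_button ######</p></div></body></html>")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n"
    + gzip.compress(SAMPLE_HTML.encode()))

if __name__ == "__main__":
    print(extract_commands(SAMPLE_RESPONSE))
```

Searching the raw compressed stream for the same markers finds nothing, which is the gap the paragraph describes.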

“For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked. Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on,” Rascagnères said in the research paper. “The containment must be performed on the network flow in real time. This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
