Security researchers discovered a new piece of malware that managed to evade detection since 2012 by relying on web platforms such as Yahoo and Gmail to communicate with the command and control servers.


Dubbed IcoScript by Paul Rascagneres from the German security firm G Data, the malware is a remote access tool (RAT), modular in architecture. It leverages the Component Object Model (COM) technology in Windows that can be used to control Internet Explorer.

Rascagneres says that it is “useful for malware developers because it allows them to manipulate the browser that is being used by a legitimate user.”

Among the advantages he points out is HTTP communication being performed by the IE’s process and not the malware piece. On the same note, because the browser session is hidden, there is no evidence of additional communication through the web browser.

Making use of an encrypted script, the threat actor optimizes “the manipulation of the browser and achieve a modular communication channel,” a VirusBulletin report on the researcher’s analysis says.

By decrypting the script, Rascagneres found that it included a multi-step action, with variables and values designed to offer the attacker the possibility to access specific online locations, pointing the information to upload, control elements and IE actions in web pages, or retrieve contents of iFrames and hidden elements on the page.

In an example provided by the researcher, IcoScript can use COM to connect to Yahoo email service through Internet Explorer, fill in the username and password fields, exfiltrate data, as well as execute commands sent through emails.

In the analyzed sample the malware used Yahoo email, but changing the platform, to Gmail, Facebook, or LinkedIn should not be difficult to achieve, says Rascagneres.

The choice to use popular email services is what allowed the malware to escape detection, since this type of traffic is not blacklisted by companies. Also, the intrusion detection systems (ISD) do not detect the strings marking the commands in the emails “because the network flow of Yahoo webmail is compressed with gzip. The data is only uncompressed in the user’s browser, so the IDS would have to uncompress on the fly.”

IcoScript is quite difficult to block because incident response teams generally block the bad URL on the proxy, but in this case communication occurs through legitimate channels, which cannot be blacklisted.

“It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive,” concludes the security researcher.
Kepler Reviewed by Kepler on . Yahoo/Gmail Used by Malware for Communication http://i1-news.softpedia-static.com/images/news-700/Yahoo-Gmail-Used-by-Malware-For-Communication.jpg Security researchers discovered a new piece of malware that managed to evade detection since 2012 by relying on web platforms such as Yahoo and Gmail to communicate with the command and control servers. Dubbed IcoScript by Paul Rascagneres from the German security firm G Data, the malware is a remote access tool (RAT), modular in architecture. It leverages the Component Object Rating: 5