A classic remote administration tool (RAT) dubbed IcoScript has been discovered, after going undetected since 2012. What makes this malware unique is the fact that it connects to a Yahoo Mail account controlled by its authors to receive instructions - which are stored in specially crafted emails in the inbox.
Virus Bulletin has published a paper by Paul Rascagneres, a researcher from G Data, in which he describes IcoScript as a malware that uses the Component Object Model technology in Microsoft
Windows to control Internet Explorer, and from there make HTTP requests to remote services.
It also uses its own kind of scripting language to perform tasks. To optimize the manipulation of the browser and achieve a modular communication channel, the malware developers created a kind of scripting language. The script is encrypted and concealed in an additional file, used as a configuration file. This is appended to a legitimate ‘.ico’ (icon) file (containing an Adobe Reader logo).
The use of Yahoo! mailboxes is a stroke of genius, the researcher noted, and is a key reason the malware was able to fly under the radar for so long. The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones. So, this kind of communication can be hard for incident response teams to detect during the containment phase.
“Access to webmail services is rarely blocked in corporate environments and the traffic is very unlikely to be considered suspicious,” Rascagneres said. “Moreover, the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked. This shows that the attackers understand how incident response teams work, and have used this knowledge to make detection and containment of the malware both complicated and expensive.”
Overall, the technique used by the IcoScript remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests.
“Malware developers constantly work to improve the communication between the infected machines and the command and control servers,” he added. “For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked.”
Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on. “The containment must be performed on the network flow in real time,” noted Rascagneres. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”