A new remote administration Trojan (RAT) has been found to use a command-and-control (C&C) channel hosted on Yahoo! Mail, and it could just as easily communicate through other mainstream email providers such as Gmail.
RATs are nothing new to the malware world; this one's significance lies in the way it receives its instructions and in how it slips past intrusion detection systems (IDS).
RATs commonly exfiltrate stolen information and push new data to their victims over specific ports, or through a single centralized server, Paul Rascagnères, researcher at G-Data, writes in a blog post. Those tactics are well known and trigger detection on corporate networks.
The RAT, dubbed IcoScript, has gone undetected since 2012. Rascagnères explains why: “it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests.” Such traffic, he adds, is rarely considered suspicious.
IcoScript uses the Component Object Model (COM) built into Microsoft Windows to drive Internet Explorer, so its HTTP requests to remote services go out through the browser and blend in with ordinary web traffic. It also ships with its own purpose-built scripting language, which it uses to carry out a number of tasks.
German security firm G-Data analyzed IcoScript and found that it connected to a Yahoo! Mail account and was controlled by its authors through that account: they steered the malware by sending carefully crafted emails containing encoded instructions, including updates, as they continued its development.
“Moreover,” Rascagnères writes, “the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked,” Threatpost reported.
Rascagnères adds that incident response teams usually contain malware such as IcoScript by blocking its URL on the proxy. IcoScript's URLs, however, cannot easily be blocked, because they point at the servers of trusted services. The researchers note that IcoScript will likely become even more effective if cybercriminals spread its command-and-control across a range of legitimate webmail providers, social networking sites and cloud storage providers.
“The containment must be performed on the network flow in real time,” Rascagnères concludes. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”
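To make the contrast between proxy URL blocking and flow-level containment concrete, here is an added example written for this page; it is not code from G-Data, Threatpost or the IcoScript analysis. The proxy log lines, the client addresses, the log format and the "regular polling" heuristic are all constructed assumptions: the page does not describe how IcoScript's requests to the webmail service were timed or shaped, only that they looked like legitimate web requests to a trusted service.

```python
"""
Added example: why a host/URL blocklist cannot contain a RAT that talks to a
legitimate webmail service, and what a per-flow check over the same proxy
log might look like instead. Log lines, addresses and thresholds are
constructed for illustration (not taken from the IcoScript analysis).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple


@dataclass
class ProxyEntry:
    ts: int        # request time, seconds since epoch
    client: str    # internal client IP
    host: str      # destination host as seen by the proxy
    path: str      # request path and query string
    size: int      # response size in bytes


# Constructed proxy log (hypothetical format: "ts client host path bytes").
# 10.0.0.5 is a person reading webmail and browsing; 10.0.0.9 is an implant
# (assumed behaviour) fetching the same mailbox folder every 60 seconds and
# doing nothing else through the proxy.
SAMPLE_LOG = """\
1407000000 10.0.0.5 mail.yahoo.com /neo/launch 48213
1407000041 10.0.0.5 s.yimg.com /zz/combo?css 21877
1407000139 10.0.0.5 mail.yahoo.com /neo/b/message?mid=1 9182
1407000402 10.0.0.5 www.example.com /news 65320
1407000770 10.0.0.5 mail.yahoo.com /neo/b/folder 13390
1407000000 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1204
1407000060 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1204
1407000120 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1204
1407000180 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1204
1407000240 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1207
1407000300 10.0.0.9 mail.yahoo.com /neo/b/folder?fid=Inbox 1204
"""


def parse_log(text: str) -> List[ProxyEntry]:
    """Parse the constructed whitespace-separated log format."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, size = line.split()
        entries.append(ProxyEntry(int(ts), client, host, path, int(size)))
    return entries


def url_block(entries: List[ProxyEntry], blocklist: Set[str]):
    """Proxy-style containment: drop every request to a blocklisted host.
    Returns (blocked, allowed) lists in log order."""
    blocked = [e for e in entries if e.host in blocklist]
    allowed = [e for e in entries if e.host not in blocklist]
    return blocked, allowed


def affected_clients(entries: List[ProxyEntry]) -> Set[str]:
    """Clients whose traffic a given set of (blocked) entries belongs to."""
    return {e.client for e in entries}


def flag_regular_polling(entries: List[ProxyEntry], min_requests: int = 5,
                         max_cv: float = 0.1, max_distinct_paths: int = 1):
    """Flow-level check per (client, host): flag pairs with at least
    min_requests requests whose inter-request gaps are nearly constant
    (coefficient of variation <= max_cv) and that hit very few distinct
    paths. The thresholds are assumptions, not values from the page."""
    by_pair: Dict[Tuple[str, str], List[ProxyEntry]] = defaultdict(list)
    for e in entries:
        by_pair[(e.client, e.host)].append(e)
    flagged = {}
    for pair, reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        reqs = sorted(reqs, key=lambda e: e.ts)
        gaps = [b.ts - a.ts for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        paths = {e.path for e in reqs}
        if cv <= max_cv and len(paths) <= max_distinct_paths:
            flagged[pair] = {"requests": len(reqs), "mean_gap_s": avg, "cv": cv}
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    # A list of known-bad hosts never matches: the C&C host is the webmail service.
    blocked, _ = url_block(log, {"evil.example.net"})
    print("blocked by bad-host list:", len(blocked))
    # Blocking the webmail host itself also cuts off the legitimate user.
    blocked, _ = url_block(log, {"mail.yahoo.com"})
    print("blocked by webmail block:", len(blocked), "clients:", affected_clients(blocked))
    # Per-flow check singles out the polling client only.
    for pair, stats in flag_regular_polling(log).items():
        print("flagged", pair, stats)
```

Against the constructed log, a known-bad-host list blocks nothing, blocking the webmail host cuts off both clients, and only the per-flow check isolates the implant. This is the trade-off the quote above points at: the flow-level rule has to be tuned and maintained per environment, since a legitimate desktop mail client that polls on a fixed schedule would match the same pattern and an implant that adds jitter or varies its paths would not.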