New IcoScript variant uses Gmail drafts for C&C communication

Posted by Virus Bulletin on Oct 29, 2014

Switch likely to make modular malware even stealthier.

Researchers at Shape Security have found a new variant of the IcoScript RAT that makes use of draft emails stored in Gmail, Wired writes.

This summer, we published a paper by G Data researcher Paul Rascagnères, who had discovered the malware, which was most notable for using a Yahoo! Mail box for command and control communication.

We have not seen many details on this new variant, but the fact that IcoScript switched to a new C&C method isn't surprising: the malware is very modular and, as Paul predicted, "it would be easy to switch to another webmail such as Gmail".

The use of email drafts rather than actual email makes detection by the webmail provider even harder. Of course, using email drafts in a shared mailbox for communication isn't a new technique and isn't unique to malware: this is how the 9/11 attackers appear to have communicated, and it is also how US General David Petraeus communicated with his lover.

While C&C methods like this one are indeed very hard to detect, I think it is unlikely that they will scale to large botnets. For such cases, cybercriminals would need to resort to techniques such as proxy networks.

Posted on 29 October 2014 by Martijn Grooten


