Switch likely to make modular malware even stealthier.
Researchers at Shape Security have found a new variant of the IcoScript RAT that makes use of draft emails stored in Gmail, Wired writes.
This summer, we published a paper by G Data researcher Paul Rascagnères, who had discovered the malware, which was most notable for using a Yahoo! Mail box for command and control communication.

We have not seen many details on this new variant, but the fact that IcoScript switched to a new C&C method isn’t surprising: the malware is very modular and, as Paul predicted, “it would be easy to switch to another webmail such as Gmail”.
The use of email drafts rather than actual email makes detection by the webmail provider even harder. Of course, using email drafts in a shared mailbox for communication isn’t a new technique and isn’t unique to malware: this is how the 9/11 attackers appear to have communicated, and it is also how US General David Petraeus communicated with his lover.
While indeed very hard to detect, I think it is unlikely that C&C methods like this one will scale to large botnets. For such cases, cybercriminals would need to resort to techniques such as proxy networks.
Posted on 29 October 2014 by Martijn Grooten