Posted by Virus Bulletin on Oct 29, 2014
Switch likely to make modular malware even stealthier.
Researchers at Shape Security have found a new variant of the IcoScript RAT that makes use of draft emails stored in Gmail, Wired writes.
This summer, we published a paper by G Data researcher Paul Rascagnères, who had discovered the malware, which was most notable for using a Yahoo! Mail mailbox for command and control communication.
We have not seen many details on this new variant, but the fact that IcoScript switched to a new C&C method isn't surprising: the malware is very modular and, as Paul predicted, "it would be easy to switch to another webmail such as Gmail".
The use of email drafts rather than sent email makes detection by the webmail provider even harder, since no message ever leaves the mailbox. Of course, using email drafts in a shared mailbox for communication isn't a new technique and isn't unique to malware: this is how the 9/11 attackers appear to have communicated, and it is also how US General David Petraeus communicated with his lover.
While indeed very hard to detect, I think it is unlikely that C&C methods like this one will scale to large botnets. For such cases, cybercriminals would need to resort to techniques such as proxy networks.
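One place a defender can still look is the corporate web proxy: a host whose only interaction with a webmail service is a steady cadence of draft saves, with no message ever sent, looks quite different from a person typing in a browser. The following Python script is an added example for this post, not code from Virus Bulletin, Shape Security or the IcoScript analysis; it scores per-client draft-save regularity over constructed proxy log lines. The hostname mail.example-webmail.test and the /draft/save and /send paths are placeholders for illustration, not any real provider's API.

```python
"""Heuristic for webmail-draft command and control in proxy logs.

Added example for the Virus Bulletin post on IcoScript; the log lines,
host and paths below are constructed placeholders, not real data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <client ip> <method> <host> <path>".
# 10.0.0.5 saves a draft every ~5 minutes and never sends (beacon-like);
# 10.0.0.7 looks like a person: a few autosaves, then a real send.
SAMPLE_LOG = """\
2014-10-29T09:00:00 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:05:00 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:10:01 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:15:00 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:19:59 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:25:00 10.0.0.5 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:02:13 10.0.0.7 GET mail.example-webmail.test /mail/inbox
2014-10-29T09:02:40 10.0.0.7 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:03:05 10.0.0.7 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:11:30 10.0.0.7 POST mail.example-webmail.test /mail/draft/save
2014-10-29T09:11:45 10.0.0.7 POST mail.example-webmail.test /mail/send
"""

# Placeholder webmail host and hypothetical endpoint patterns (assumptions).
WEBMAIL_HOSTS = {"mail.example-webmail.test"}
DRAFT_PATH_RE = re.compile(r"/draft", re.IGNORECASE)
SEND_PATH_RE = re.compile(r"/send", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, client, method, host, path = match.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path}


def analyze(log_text, webmail_hosts=WEBMAIL_HOSTS, min_drafts=4, max_cv=0.2):
    """Summarise draft-save behaviour per client.

    A client is marked suspicious when it has at least `min_drafts` draft
    saves to a webmail host, never sends a message, and the intervals
    between saves are regular (coefficient of variation <= `max_cv`).
    """
    drafts = defaultdict(list)
    sends = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] not in webmail_hosts or rec["method"] != "POST":
            continue
        if DRAFT_PATH_RE.search(rec["path"]):
            drafts[rec["client"]].append(rec["ts"])
        elif SEND_PATH_RE.search(rec["path"]):
            sends[rec["client"]] += 1

    findings = {}
    for client, stamps in drafts.items():
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        summary = {"drafts": len(stamps), "sends": sends.get(client, 0),
                   "mean_interval": None, "cv": None, "suspicious": False}
        if len(stamps) >= min_drafts:
            mean = statistics.mean(intervals)
            # Population stdev over the observed gaps; near-zero CV means a beacon.
            cv = statistics.pstdev(intervals) / mean if mean > 0 else float("inf")
            summary["mean_interval"] = mean
            summary["cv"] = cv
            summary["suspicious"] = summary["sends"] == 0 and cv <= max_cv
        findings[client] = summary
    return findings


def suspicious_clients(log_text):
    """Return the sorted list of clients flagged by analyze()."""
    return sorted(c for c, s in analyze(log_text).items() if s["suspicious"])


if __name__ == "__main__":
    for client, summary in analyze(SAMPLE_LOG).items():
        print(client, summary)
    print("flagged:", suspicious_clients(SAMPLE_LOG))
```

The regularity check is what separates the beacon from a person's autosave: a user's editor also saves drafts periodically, but only while they are typing, and the session normally ends in a send or a close. Treat a hit as a lead for looking at the endpoint, not as a verdict, and note that the heuristic only works where the proxy can see request paths, which for HTTPS webmail means TLS inspection is in place.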
Posted on 29 October 2014 by Martijn Grooten