Pierluigi Paganini August 05, 2014

Experts at the German security firm G-Data discovered a RAT dubbed IcoScript which receives commands from C&C via email services including Yahoo and Gmail.

Security experts have detected a new Remote Administration Trojan dubbed IcoScript which is controlled by bad actors through Yahoo Mail and is able to elude detection systems by using seemingly benign domains for C&C.

A researcher at the German security firm G-Data, Paul Rascagnères, has published an interesting analysis of the Remote Administration Trojan on Virus Bulletin, the malware syphons data from victims and transmits it connecting to a remote server over a specific port.

“This sample is a classic remote administration tool (RAT) but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (like Yahoo andGmail) for command and control communication.” reports the blog post.

The instance of IcoScript analyzed by experts at G-Data was using a Yahoo Mail account to receive commands from the C&C, the malicious code is controlled by sending specially crafted emails containing coded instructions.

“The attackers can use hundreds of different email accounts with names that are very similar to those of real users. It is very difficult to distinguish fake accounts from real ones.” “The step G is a crucial one. In addition to exfiltrating data, the malware checks available email in the mailbox (thanks to step E) and looks for the string pattern <<<<<<<< … >>>>>>>>. ” states the report.

The experts added that the IcoScript RAT, that is going undetected since 2012, could be easily modified to use as communication channel also other popular webmail providers, including Gmail.

 “We imagine that the author(s) can also use social media platforms such as Facebook and LinkedIn.” said the researcher.

The bad actors behind the IcoScript have chosen this mode to communicate with C&C because access to webmail services doesn’t trigger suspects for security teams of targeted organizations.

IcoScript uses Component Object Model to implement a communication channel on Windows systems, it makes HTTP requests for remote services through Internet Explorer, in case the targeted system uses a proxy (with authentication), the RAT is able to reuse the proxy token stored in the user session.

As explained by the researcher bad actors could improve IcoScript diversifying the sources of their command can control, making possible the malware accepting commands sent via any number of legitimate webmail providers, could storage services and social networking sites.

Pierluigi Paganini

(Security Affairs –  IcoScript,  RAT)