RAT Malware Communicating VIA Yahoo Mail

Reefa

A new remote administration Trojan (RAT) receives command and control instructions through Yahoo Mail, and could be easily modified to communicate with its authors through Gmail or other popular webmail providers.

This new RAT’s significance stems primarily from its ability to elude the notice of intrusion detection systems by operating over seemingly benign domains.

According to an analysis written by Paul Rascagnères of the German security firm G-Data and published by Virus Bulletin, RATs generally transmit the information they steal from victimized machines over a specified port, or by regularly connecting to a remote server. Each of these behaviors is a well-known flag that is likely to trigger detection on corporate networks.

This RAT, known as IcoScript, has gone largely undetected since 2012. Part of the reason, Rascagnères explains, is because access to webmail services is rarely blocked or blacklisted in corporate environments and such traffic is very unlikely to be considered suspicious.

IcoScript makes use of Component Object Model technology in Microsoft Windows, making HTTP requests for remote services through Internet Explorer. Another of its novelties is that it appears to use its uniquely tailored scripting language to perform various tasks.

In the sample analyzed by G-Data, IcoScript connected to a Yahoo Mail account controlled by its authors. The authors manipulate the malware by sending specially crafted emails containing coded instructions.

“Moreover,” Rascagnères writes, “the modular nature of the malware makes it very easy for the attackers to switch to another webmail service, such as Gmail, or even to use services like Facebook or LinkedIn to control the malware while running a low risk of the communication being blocked.”

Incident response teams generally contain malware like this, Rascagnères claims, by blocking the URL on the proxy. However, in the case of IcoScript, these URLs are not easily blocked, because they originate from the servers of a trusted service. The efficacy of IcoScript is likely to increase if the attackers diversify the sources of their command and control, configuring samples of the malware to use any number of legitimate webmail providers, social networking sites, and cloud storage services.

“The containment must be performed on the network flow in real time,” Rascagnères concludes. “This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”
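
To make the "containment on the network flow" point concrete: the example below is added here and is not code from the article, G-Data or Virus Bulletin. It takes constructed proxy log lines (timestamp, client, destination host) and flags client/webmail-host pairs whose connection intervals are nearly constant, the kind of timing regularity a scripted mailbox poll shows and a person reading mail does not; the host watch-list, thresholds and sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

WEBMAIL_HOSTS = {"mail.yahoo.com", "mail.google.com"}   # assumed watch-list
LINE = re.compile(r"^(\S+) (\S+) (\S+)$")                # time client host

# Constructed proxy lines: 10.0.0.7 reads mail at human-irregular times,
# 10.0.0.5 polls mail.yahoo.com every ~300 s (one line is out of order).
SAMPLE = """\
2014-08-04T09:00:00 10.0.0.5 mail.yahoo.com
2014-08-04T09:02:13 10.0.0.7 mail.yahoo.com
2014-08-04T09:05:01 10.0.0.5 mail.yahoo.com
2014-08-04T09:09:47 10.0.0.7 mail.yahoo.com
2014-08-04T09:10:00 10.0.0.5 mail.yahoo.com
2014-08-04T09:14:59 10.0.0.5 mail.yahoo.com
2014-08-04T09:20:01 10.0.0.5 mail.yahoo.com
2014-08-04T09:31:40 10.0.0.7 mail.yahoo.com
2014-08-04T09:25:00 10.0.0.5 mail.yahoo.com
"""

def parse(lines):
    """Group connection times (epoch seconds) by (client, webmail host)."""
    events = defaultdict(list)
    for raw in lines.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(3) in WEBMAIL_HOSTS:
            ts, client, host = m.groups()
            events[(client, host)].append(datetime.fromisoformat(ts).timestamp())
    return events

def beacon_score(times):
    """Mean gap and coefficient of variation of the gaps; None if < 2 events."""
    t = sorted(times)                      # sort: logs are not always in order
    gaps = [b - a for a, b in zip(t, t[1:])]
    if not gaps:
        return None
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else 0.0)

def find_beacons(lines, min_events=4, max_cv=0.05):
    """Flag pairs whose inter-connection timing is too regular for a person."""
    hits = []
    for (client, host), times in parse(lines).items():
        score = beacon_score(times)
        if score and len(times) >= min_events and score[1] <= max_cv:
            hits.append((client, host, round(score[0]), round(score[1], 3)))
    return hits
```

Blocking mail.yahoo.com outright is rarely an option, so a hit like this is a lead for host triage (which process on 10.0.0.5 is making the requests) rather than a proxy deny rule.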


:lol: Yahoo has not improved...

Left them years ago M8..And any google associated mail :shit:


Left them years ago M8..And any google associated mail :shit:

So what do you use now? :unsure:
