Gmail Draft Messages Steal Data

Monday, November 3, 2014 @ 04:11 PM gHale

A new variant of IcoScript RAT relies on Gmail draft messages to send stolen information to its operator and to receive instructions for further action.

The remote access Trojan (RAT), discovered in August by security researchers at G Data Software, uses a hidden Internet Explorer session to access web-based services from Yahoo for communication with the attackers.


At the time, Paul Rascagnères, a senior threat analyst at G DATA Software, said that switching the malware to a different email service provider would not be a difficult feat.

Shape Security, a company that offers a network hardware solution for protecting websites against cyber-attacks, found a new strain of the malware on the systems of one of its clients.

Several steps have to occur before the final stage of the compromise, the theft of information, is reached. In the example provided by Shape Security, it all starts with the creation of an anonymous Gmail account and the planting of the RAT on the target.

After that, a script intermediates the data exchange between the Gmail service and the malware. The connection to the email service is made through Component Object Model (COM) technology, which allows programs to drive Internet Explorer and read information from web pages without a visible browser window ever being opened.

All that security products on the affected computer see is what looks like legitimate mail traffic, which makes the attack very difficult to detect.

In this incident, the malware launched a hidden Gmail session in Internet Explorer after infecting the computer. Logging into the service was automated by a Python script, which also handled the communication with the attacker through a draft message.

In this way, instructions, such as commands to execute or the type of information to exfiltrate, reach the malware, and data collected from the victim is sent back through the same draft channel.

Researchers from G Data and Shape Security agree that blocking an attack of this type is difficult and that solving the issue falls largely to the email service provider.
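One way a mail provider (or anyone with visibility into per-account mailbox activity) could spot the draft-based command channel described above is to look for accounts whose drafts are read and written at machine-like intervals while the account never sends anything. The heuristic below is an added illustration, not code from G Data, Shape Security or the malware; the event records it consumes are constructed for the example and their field layout is an assumption.

```python
"""Detection sketch for a mailbox abused as a draft-based C2 drop.

A human drafts a message a few times, irregularly, and eventually sends it.
A RAT polling a shared account opens/saves drafts on a timer and never sends.
Event layout (constructed assumption): (timestamp_seconds, account, action),
with action in {'draft_open', 'draft_save', 'send'}.
"""
from collections import defaultdict
from statistics import mean, pstdev


def analyse(events, min_drafts=6, max_cv=0.25):
    """Return {account: reason} for accounts whose draft activity looks automated.

    min_drafts: ignore accounts with too little draft activity to judge.
    max_cv: coefficient of variation (stdev/mean) of the gaps between draft
            operations; a polling loop produces very regular gaps (low CV).
    """
    by_acct = defaultdict(lambda: {"drafts": [], "sends": 0})
    for ts, acct, action in events:
        if action in ("draft_open", "draft_save"):
            by_acct[acct]["drafts"].append(ts)
        elif action == "send":
            by_acct[acct]["sends"] += 1

    flagged = {}
    for acct, rec in by_acct.items():
        ts = sorted(rec["drafts"])
        # Normal users draft a little and eventually send; skip them early.
        if len(ts) < min_drafts or rec["sends"] > 0:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            flagged[acct] = f"{len(ts)} draft ops, 0 sends, gap CV {cv:.2f}"
    return flagged


# Constructed sample: one account polled every ~60 s by a script, one human
# who edits a draft irregularly and sends it, one irregular drafter who never sends.
SAMPLE_EVENTS = (
    [(1000 + 60 * i + (i % 3), "drop-acct@example.invalid", "draft_open") for i in range(8)]
    + [(t, "alice@example.invalid", "draft_save") for t in (1000, 1500, 1530, 2400, 2405, 5000, 5300)]
    + [(5400, "alice@example.invalid", "send")]
    + [(t, "bob@example.invalid", "draft_save") for t in (1000, 1100, 1700, 1720, 3000, 4000, 4100)]
)

if __name__ == "__main__":
    for acct, reason in analyse(SAMPLE_EVENTS).items():
        print(f"suspicious: {acct}: {reason}")
```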
