IcoScript trojan uses Yahoo mailboxes to receive commands
August 2014 by
Virus Bulletin has published a paper by Paul Rascagneres, a
researcher from G Data, in which he describes the recently
discovered IcoScript trojan, which had gone undetected since
2012.
IcoScript is a classic remote administration tool (RAT). The
malware uses Component Object Model (COM) technology in Microsoft
Windows to control Internet Explorer, making its HTTP requests to
remote services through the browser. It also uses its own kind of
scripting language to perform tasks.
What makes this malware unique is the fact that it connects to a
Yahoo Mail account controlled by its authors to receive
instructions, which are stored in specially crafted emails in
the inbox. Access to webmail services is rarely blocked in
corporate environments, and the traffic is very unlikely to be
considered suspicious.
Moreover, the modular nature of the malware makes it very easy
for the attackers to switch to another webmail service, such as
Gmail, or even to use services like Facebook or LinkedIn to
control the malware while running a low risk of the
communication being blocked. This shows that the attackers
understand how incident response teams work, and have used this
knowledge to make detection and containment of the malware both
complicated and expensive.
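Because the command channel described above looks like ordinary webmail browsing, one defensive angle is to look at the timing of webmail requests rather than their content: a program polling an inbox tends to do so at clockwork intervals, while a person does not. The following added example (not code from the paper or from G Data) runs that check over a few constructed proxy log lines; the log format, the watch list of webmail hosts and the threshold are all assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "timestamp client host path" per line.
# 10.0.0.5 browses webmail irregularly; 10.0.0.9 hits it every 5 minutes.
SAMPLE_LOG = """\
2014-08-01T09:00:00 10.0.0.5 mail.yahoo.com /inbox
2014-08-01T09:00:12 10.0.0.5 mail.yahoo.com /folders
2014-08-01T09:03:40 10.0.0.5 mail.yahoo.com /message
2014-08-01T09:17:05 10.0.0.5 mail.yahoo.com /inbox
2014-08-01T09:00:00 10.0.0.9 mail.yahoo.com /folders
2014-08-01T09:05:00 10.0.0.9 mail.yahoo.com /folders
2014-08-01T09:10:00 10.0.0.9 mail.yahoo.com /folders
2014-08-01T09:15:00 10.0.0.9 mail.yahoo.com /folders
2014-08-01T09:20:00 10.0.0.9 mail.yahoo.com /folders
"""

# Assumed watch list; extend with whatever webmail your proxy allows.
WEBMAIL_HOSTS = {"mail.yahoo.com", "mail.google.com"}

def parse(log_text):
    """Return {client: [datetime, ...]} for requests to webmail hosts."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _path = line.split()
        if host in WEBMAIL_HOSTS:
            per_client[client].append(datetime.fromisoformat(ts))
    return per_client

def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; ~0 means clockwork polling.
    Returns None when there are too few requests to judge."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None

def flag_periodic_clients(log_text, max_cv=0.2):
    """Return {client: cv} for clients whose webmail polling is too regular."""
    flagged = {}
    for client, times in parse(log_text).items():
        cv = beacon_score(sorted(times))
        if cv is not None and cv <= max_cv:
            flagged[client] = round(cv, 3)
    return flagged
```

The threshold only separates machine-like from human-like cadence; a hit is a lead for triage (which process made the requests, what the account is), not a verdict on its own.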
The paper, 'IcoScript - using webmail to control malware', can be
browsed online at
https://www.virusbtn.com/virusbulletin/archive/2014/08/vb201408-IcoScript
in HTML format, or downloaded as a PDF from
https://www.virusbtn.com/pdf/magazine/2014/vb201408-IcoScript.pdf
(both links can be shared freely).