A new way to infect computers with malicious software has been found by Wade Williamson, a security researcher at the startup company Shape Security. He says this attack is actually a variant of the Remote Access Trojan (RAT) found by the German security company G-Data in August this year. That malware, called Icoscript, has been infecting machines since 2012, the company said. It hid in Yahoo Mail and allowed hackers to remotely command and control a victim’s computer and retrieve data from it. The newly found malware uses emails in the draft folder of Google Gmail for the same purposes, and this could make it even harder to detect and remove, Williamson says.
Shape Security researchers say they have definitely found a strain of the malware on a client’s network. Using this communication channel to command and control the user’s machine, the hackers were able to retrieve stolen data and send program updates and instructions. Because the malware hid in Gmail drafts, in emails that were never sent or received, it is very hard to detect, they state.
Here’s how the attack actually works:
- First, the hackers set up an anonymous Gmail account and then infect the whole network with the malware.
- After gaining control over a victim’s machine, they open the account in a hidden instance of Microsoft Internet Explorer.
- IE can be started by other programs so that they can query information from web pages without the user knowing that a web page is open on the computer at all.
Further on, the malware is programmed to use a Python script, hidden in Gmail draft messages, for command and control. The hackers use the drafts to deliver the script and activate the malware, which is programmed to extract targeted data from the user’s computer. All communications are encrypted so that they go unnoticed, and they are helped by the fact that they use a reliable web service instead of the usual IRC or HTTP protocols.
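One defensive angle on the technique described above is to look for Internet Explorer instances that were started by another program rather than by the user and that then talk to Gmail. The following detector is an added example, not code from the article or from Shape Security; it assumes Sysmon-style process and network events (constructed here), and it assumes that COM-automated IE is spawned by svchost.exe with the -Embedding switch.

```python
"""Flag IE processes launched via COM automation that connect to Gmail.

Added example, not from the article. Telemetry shape (process/network dicts)
and the svchost.exe + "-Embedding" launch pattern are assumptions.
"""
from collections import defaultdict

# Constructed sample telemetry, not real data.
EVENTS = [
    # Normal user-launched browsing session: explorer.exe is the parent.
    {"type": "process", "pid": 4321, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "iexplore.exe https://news.example"},
    {"type": "network", "pid": 4321, "dest_host": "news.example", "dest_port": 443},
    # Hidden IE started by another program (COM) that then reaches Gmail.
    {"type": "process", "pid": 5555, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "iexplore.exe -Embedding"},
    {"type": "network", "pid": 5555, "dest_host": "mail.google.com", "dest_port": 443},
    # COM-launched IE scraping an intranet site: suspicious launch, but no Gmail.
    {"type": "process", "pid": 6001, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "iexplore.exe -Embedding"},
    {"type": "network", "pid": 6001, "dest_host": "intranet.corp.example", "dest_port": 80},
]

# Hosts that indicate a Gmail session (assumed list).
GMAIL_HOSTS = {"mail.google.com"}


def is_com_launched_ie(ev):
    """True for an iexplore.exe process created through COM activation:
    parent is svchost.exe (DcomLaunch) and the command line carries -Embedding."""
    return (ev["type"] == "process"
            and ev["image"].lower().endswith("\\iexplore.exe")
            and ev["parent_image"].lower().endswith("\\svchost.exe")
            and "-embedding" in ev["cmdline"].lower())


def find_hidden_gmail_sessions(events):
    """Return {pid: set(gmail_hosts)} for COM-launched IE processes that
    made a network connection to a Gmail host. Combining the launch pattern
    with the destination keeps legitimate automation out of the results."""
    suspect_pids = {ev["pid"] for ev in events if is_com_launched_ie(ev)}
    hits = defaultdict(set)
    for ev in events:
        if (ev["type"] == "network" and ev["pid"] in suspect_pids
                and ev["dest_host"] in GMAIL_HOSTS):
            hits[ev["pid"]].add(ev["dest_host"])
    return dict(hits)


if __name__ == "__main__":
    for pid, hosts in find_hidden_gmail_sessions(EVENTS).items():
        print(f"ALERT pid={pid} hidden IE talking to {sorted(hosts)}")
```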
Partly because of that trick, the Shape Security researchers could not identify exactly how many computers might have been infected with the malware. They believe, though, that because of its nature it is designed strictly to attack selected targets rather than to infect a wide range of users.
There is no easy way for the victims of the attack to protect and hide their data without blocking Gmail as well. Google would have to acknowledge being affected and improve its software security to protect its users. Asked about the issue, a Google spokesman said that their systems are actively tracking malware and the use of Gmail services and are quickly removing obsolete Gmail
Until a new way to detect and remove this malware is found, there will be problems using Google Gmail, Williamson thinks. “It’s the lifeblood of this attack,” he concludes.