Researchers at Shape Security, a company that sells a network appliance for protecting websites against attacks, found a new strain of malware on the systems of one of its clients. It uses a furtive form of command and control (the communications channel that connects attackers to their malicious software, letting them push updates and instructions and retrieve stolen data). All of the commands are hidden in Gmail drafts, messages that are written but never sent, which makes the channel difficult to detect.
About the Process
The researchers explain how the attackers used the technique to infect a computer and take control of it. The attacker first set up an anonymous Gmail account, then infected a computer on the target's network with malware. After gaining control of the machine, the malware opened the anonymous Gmail account on the victim's computer in an invisible instance of Internet Explorer.
Through that hidden browser session the attacker controls the victim's computer and runs commands on it, and the same channel carries the data collected from the machine back to the attacker.
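The exchange described above, as an added example that is not part of the original article and not IcoScript's code: operator and implant never send mail to each other; both log in to the same throwaway account and communicate only by creating and reading drafts. The `DraftStore` class is a constructed in-memory stand-in for the drafts folder (no network access), the `CMD:`/`RES:` markers and base64 wire format are assumptions for illustration, and the implant side only runs a fixed set of harmless simulated handlers rather than real shell commands.

```python
import base64
import json
from itertools import count


class DraftStore:
    """In-memory stand-in for a webmail drafts folder (constructed for this
    example; it does not talk to Gmail). Operator and implant share one
    instance, just as both sides log in to the same throwaway account."""

    def __init__(self):
        self._drafts = {}          # draft_id -> body text
        self._ids = count(1)

    def create(self, body):
        draft_id = next(self._ids)
        self._drafts[draft_id] = body
        return draft_id

    def list(self):
        return dict(self._drafts)  # snapshot, safe to mutate while iterating

    def delete(self, draft_id):
        self._drafts.pop(draft_id, None)


# Assumed wire format: a JSON object, base64-encoded, with a marker prefix so
# each side can find the drafts meant for it. base64 is not encryption; in the
# real attack the traffic is protected only by the TLS session to the mail
# provider. Nothing is ever sent: both sides only read and write drafts.
CMD_MARKER = "CMD:"
RES_MARKER = "RES:"


def encode(marker, obj):
    return marker + base64.b64encode(json.dumps(obj).encode()).decode()


def decode(marker, body):
    if not body.startswith(marker):
        return None
    return json.loads(base64.b64decode(body[len(marker):]))


# ---- operator side --------------------------------------------------------
def operator_queue_command(store, name, *args):
    """The operator drops a command into a new draft and saves it, unsent."""
    return store.create(encode(CMD_MARKER, {"name": name, "args": list(args)}))


def operator_collect_results(store):
    """The operator reads result drafts left by the implant and deletes them."""
    results = []
    for draft_id, body in store.list().items():
        msg = decode(RES_MARKER, body)
        if msg is not None:
            results.append(msg)
            store.delete(draft_id)
    return results


# ---- implant side ---------------------------------------------------------
# A real RAT executes arbitrary commands; this simulation only knows a fixed,
# harmless set so the example can run anywhere.
SIMULATED_HANDLERS = {
    "hostname": lambda: "workstation-42",
    "ls": lambda path="/": ["docs", "notes.txt"],
}


def implant_poll(store):
    """The implant reads command drafts, runs each one, writes the output into
    a fresh draft for the operator, and deletes the command draft."""
    handled = 0
    for draft_id, body in store.list().items():
        cmd = decode(CMD_MARKER, body)
        if cmd is None:
            continue
        handler = SIMULATED_HANDLERS.get(cmd["name"])
        output = handler(*cmd["args"]) if handler else f"unknown command {cmd['name']}"
        store.create(encode(RES_MARKER, {"cmd": cmd["name"], "output": output}))
        store.delete(draft_id)     # consume it so the command is not run twice
        handled += 1
    return handled


def simulate_session():
    """One full round trip: operator queues, implant polls, operator collects.
    Returns (commands run, results, drafts left behind)."""
    store = DraftStore()
    operator_queue_command(store, "hostname")
    operator_queue_command(store, "ls", "/home")
    ran = implant_poll(store)
    results = operator_collect_results(store)
    return ran, results, len(store.list())


if __name__ == "__main__":
    print(simulate_session())
```

The point to notice is that from the network's perspective the implant's side of this exchange is indistinguishable from a browser session to the mail provider: every request is an ordinary authenticated HTTPS request to read or save a draft, and no mail ever leaves the account.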
To avoid being spotted by intrusion detection or data-leak prevention systems, the attackers use a reputable web service instead of the IRC or plain HTTP channels typical of command and control, and all of the communication is encrypted.
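What a defender can still see is timing: the hidden browser polls the mailbox on a schedule, while a person reads mail in bursts. The beaconing heuristic below is an added example, not code from the article or from either vendor; it runs over a constructed proxy log (the IP addresses, timestamps and URLs are invented for illustration) and flags any client/host pair whose request intervals are too regular to be human. The thresholds `min_requests` and `max_cv` are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (not from the article). Fields: time, client IP,
# method, URL, status. 10.0.0.5 polls Gmail every five minutes with almost no
# jitter, as an automated hidden browser would; 10.0.0.9 is a person reading mail.
SAMPLE_PROXY_LOG = """\
2014-10-29T09:00:00 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:05:01 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:10:00 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:15:02 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:20:00 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:25:01 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:30:00 10.0.0.5 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:00:12 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:01:03 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:01:40 10.0.0.9 GET https://www.example.com/news 200
2014-10-29T09:14:40 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:15:02 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:47:30 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T09:52:11 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
2014-10-29T10:31:00 10.0.0.9 GET https://mail.google.com/mail/u/0/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, host) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, _method, url, _status = m.groups()
        yield datetime.fromisoformat(ts), client, urlparse(url).hostname


def find_beacons(text, min_requests=6, max_cv=0.05):
    """Return [(client, host, mean_interval_s, cv)] for client/host pairs whose
    inter-request gaps have a coefficient of variation at or below max_cv.
    A cv of 0 is perfectly periodic; human browsing is typically well above 0.5."""
    by_pair = defaultdict(list)
    for ts, client, host in parse_log(text):
        by_pair[(client, host)].append(ts)

    hits = []
    for (client, host), times in by_pair.items():
        if len(times) < min_requests:
            continue                      # too few samples to judge cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue                      # burst of identical timestamps, not a beacon
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((client, host, avg, cv))
    return hits


if __name__ == "__main__":
    for client, host, avg, cv in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: every {avg:.0f}s (cv={cv:.3f})")
```

The caveat is that the destination is a service the business legitimately uses, so the hit is a lead for host triage (which process owns the hidden browser session, and whether it was started by a user) rather than something to block outright. A patient implant with randomised sleep would raise the cv above the threshold, which is why cadence analysis complements, rather than replaces, the account-level monitoring the article says falls to the mail provider.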
The malware is actually a new variant of the remote access trojan (RAT) IcoScript, which German security researchers at G Data discovered in August. The G Data researchers reported that IcoScript used Yahoo Mail to obscure its command and control, which helped keep it from being discovered, and that switching to a different email provider is not difficult.
However, the use of IcoScript is believed to be limited to targeted attacks. Security experts at both G Data and Shape Security agree that blocking an attack of this type is quite difficult and that solving the issue falls to the email service.
The issue has been reported to Google. In its response, Google said it monitors for malicious and programmatic use of Gmail and removes abusive accounts as soon as it identifies them.