Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data

It is not the new  thing that cyber hackers continues using new and a advance technique to to get their victim. Mainly they targets users online accounts like email accounts and others.. Hence same things have came forward by security researcher.

Researcher from Shape Security, a company that offers a network hardware solution for protecting websites against cyber-attacks, found a new strain of the malware on the systems of one of its clients. They found a furtive form of “command and control”—the communications channel that connects hackers to their malicious software—allowing them to send the programs updates and instructions and retrieve stolen data. All the commands that hackers is using is hidden in the Gmail draft (conversation or mail that never sent), that makes it difficult to detect.

About the Process
Researcher explains the process who hackers have used this technique to infect users computer and take control over it. The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explore.
Shape Security observed, the malware launches a hidden Gmail IE session after infecting the computer. Logging into the service is done automatically through a Python script, which also intermediates the communication with the attacker through a draft message.
On the same way hackers controls the victim computers and run commands on it, and it also collect the data from the victim computers.

Moreover to prevent it being spotted by intrusion detection or data-leak prevention hackers uses a reputable web service instead of the usual IRC or HTTP protocols, and all the communication is encrypted.

The malware/infection used by the hackers was actual a new variants of the RAT (Remote Access Trojan) called Icoscript, which was discovered German Security researchers at G Data in August. German researcher says that Icoscript was used for the Yahoo mail to obscure its command and control had helped to keep it from being discovered. And changing the email service provider is not a difficult way.

However, it is believed that the use of IcoScript is limited to targeted attacks. Security experts from both G Data and Shape Security agree that blocking an attack of this type is quite difficult and solving the issue falls in the hands of the email service.