Researchers have discovered a classic remote administration tool, dubbed IcoScript, that uses a Yahoo mail account controlled by the attackers to receive instructions or commands, instead of a direct communication channel that would be easier to detect and block at the gateway level.
The discovery was made by Paul Rascagneres, a security researcher at G Data, who claims that the RAT may have gone undetected since 2012.
“This sample is a classic remote administration tool (RAT) but it has a particular way of communicating with its control server. It is very modular and it abuses popular web platforms (like Yahoo and Gmail) for command and control communication,” notes Rascagneres in his report on Virus Bulletin.
Through a detailed analysis of the RAT, Rascagneres explains that the malware author used Microsoft’s Component Object Model (COM) to control Internet Explorer and make HTTP requests to remote services through it.
Further, the malware author(s) also created a scripting language, encrypted it and concealed it within an additional file that serves as the configuration file. The researcher had to write a Python script to decode the .ico configuration file, and the decoded contents proved interesting.
Rascagneres notes that the scripting language used by the malware author(s) works as a step-by-step sequence of actions, each step defined as a variable and value pair that tells the browser which action to perform.
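The report summarised above does not describe the internal layout of the .ico configuration file, so the following added example (not code from the G Data analysis) takes the defender's angle: a structural check that tells a genuine icon apart from a file that merely carries the .ico extension, or one that parses but carries extra bytes after its declared images. Offsets and magic values come from the ICO file format; every sample file here is constructed for the demonstration.

```python
import struct

ICONDIR = "<HHH"            # reserved (0), type (1 = icon, 2 = cursor), image count
ICONDIRENTRY = "<BBBBHHII"  # width, height, colours, reserved, planes, bpp, data size, data offset
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DIB_HEADER_40 = b"\x28\x00\x00\x00"  # biSize of a BITMAPINFOHEADER, how ICO stores BMP images

def inspect_ico(data: bytes) -> dict:
    """Structural check of a supposed .ico file.

    Returns {"valid": bool, "reason": str, "trailing_bytes": int}. A file that
    fails to parse, or parses but carries bytes past the last declared image,
    deserves a closer look when it sits beside an unknown executable.
    """
    if len(data) < 6:
        return {"valid": False, "reason": "shorter than ICONDIR", "trailing_bytes": 0}
    reserved, img_type, count = struct.unpack_from(ICONDIR, data, 0)
    if reserved != 0 or img_type not in (1, 2) or count == 0:
        return {"valid": False, "reason": "bad ICONDIR header", "trailing_bytes": 0}
    dir_end = 6 + 16 * count
    if len(data) < dir_end:
        return {"valid": False, "reason": "truncated directory", "trailing_bytes": 0}
    last_byte = dir_end
    for i in range(count):
        # the entry's own 'reserved' byte is not checked: some icon editors write 0xFF there
        *_, size, offset = struct.unpack_from(ICONDIRENTRY, data, 6 + 16 * i)
        if offset < dir_end or offset + size > len(data):
            return {"valid": False, "reason": f"entry {i} points outside the file", "trailing_bytes": 0}
        if data[offset:offset + 4] != DIB_HEADER_40 and data[offset:offset + 8] != PNG_MAGIC:
            return {"valid": False, "reason": f"entry {i} is neither DIB nor PNG", "trailing_bytes": 0}
        last_byte = max(last_byte, offset + size)
    return {"valid": True, "reason": "ok", "trailing_bytes": len(data) - last_byte}

def make_sample_ico(extra: bytes = b"") -> bytes:
    """Constructed 1x1 32-bpp icon; `extra` simulates data appended after the image."""
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 0, 0, 0, 0, 0)  # height 2 = XOR + AND masks
    image = dib + b"\x00\x00\x00\xff" + b"\x00\x00\x00\x00"               # one pixel, one mask row
    entry = struct.pack(ICONDIRENTRY, 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return struct.pack(ICONDIR, 0, 1, 1) + entry + image + extra

# Constructed samples: a genuine icon, one with an appended blob, and a file
# that is not an icon at all despite its extension.
if __name__ == "__main__":
    for name, blob in [("clean.ico", make_sample_ico()),
                       ("appended.ico", make_sample_ico(b"\x13" * 200)),
                       ("not_an_icon.ico", b"\xaa" * 64)]:
        print(name, inspect_ico(blob))
```

A non-zero `trailing_bytes` on an otherwise valid icon is only a lead, not a verdict: some legitimate tools leave padding, so the result should be weighed against where the file was found and which process reads it.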
“The technique used by this remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests,” the researcher concludes.
Rascagneres also added that the attackers are well aware of how incident response teams work and, based on that, “they can adapt their communication to make detection and containment both complicated and expensive.”