Hackers Are using Gmail drafts as command and control to steal data

A technique that General David Petraeus used  to communicate with his lover Paula Broadwell (with whom he was having an illicit affair.), is now become a data-stealing technique for hackers.

Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer.

Back in August, Germany’s anti-malware solutions provider G Data Software identified stealthy malware that had gone undetected since 2012.

They dubbed the remote administration tool (RAT) Win32.Trojan.IcoScript.A and remarked that it was particularly nasty due to the way it abused webmail for its command and control (C&C) communications. Although IcoScript was using Yahoo email, G Data predicted that it could just as easily abuse Facebook, LinkedIn or Gmail. And now a variant of that malware is using Gmail drafts that open in invisible Internet Explorer windows and act as the command and control to steal data.

As written on wired .com :

Williamson (a security researcher at Shape) says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still.

Thanks in part to that stealth, Shape doesn’t have any sense of just how many computers might be infected with the Icoscript variant they found. But given its data-stealing intent, they believe it’s likely a closely targeted attack rather than a widespread infection.

For victims of the malware, Shape says there’s no easy way to detect its surreptitious data theft without blocking Gmail altogether. The responsibility may instead fall on Google to make its webmail less friendly to automated malware. A Google spokesperson responded to an email from WIRED with only a statement that “our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify.”

G Data concluded in its write up: 

The malware abused Microsoft Windows Component Object Model (COM) technology to control Internet Explorer. IE would open in an invisible, or hidden, window and connect to specific websites, enter credentials to access an email account, execute files, check or uncheck checkboxes, press buttons on a webpage, fill in form data on a site, export data and more.

The following were listed as advantages for malware developers to exploit COM, which can control IE, and manipulate the browser that is being used by a legitimate user:

  • The HTTP communication is performed by the user’s iexplore.exe process (not by the malware itself).
  • If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session. The malware developers don’t have to worry about the proxy configuration on the infected machine.
  • Analysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behavior or socket usage, etc.
  • The user does not usually notice the additional communication being carried out by the browser – the session is hidden.