1 November 2014

Hackers Are Using Gmail Drafts To Update Their Malware And Steal Data

October 29, 2014 


Andy Greenberg, writing on Wired.com on October 29, 2014, begins by noting that “in his career-ending extramarital affair that came to light in 2012, General David Petraeus used a stealthy technique to communicate with his lover Paula Broadwell: the pair left messages for each other in the drafts folder of a shared Gmail account. Now hackers have learned this same trick,” Mr. Greenberg warns. “Only instead of a mistress, they’re sharing their lovers’ letters with data-sharing malware buried deep on a victim’s computer.”

“Researchers at the [cyber] security startup, Shape Security, say they’ve found a strain of malware on a client’s network that uses the new, furtive form of “command and control” — the communications channel that connects hackers to their malicious software — allowing them to send updates and instructions, and receive stolen data. Because the commands are hidden,” Mr. Greenberg writes, “in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect.”

“What we’re seeing here is command and control that is using a fully allowed service, and that makes it super-stealthy and very hard to identify,” said Wade Williamson, a [cyber] security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”

“Here’s how the attack worked in the case Shape observed,” Mr. Greenberg notes: “The hacker first set up an anonymous Gmail account, then infected a computer on the target’s [victim's] network with malware. (Shape declined to name the victim of the attack). After gaining control of the target machine, the hacker opened their anonymous Gmail account — on the victim’s computer…in an invisible instance of Internet Explorer — IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so [and] the user has no idea a web page is even open on the [their] computer.”

“With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgements in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it from being spotted by intrusion detection, or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols the hackers typically use to command their malware…also helps keep the hack hidden.”
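Because the draft contents are encoded, the passage above says content inspection and DLP miss this channel; one defender-side angle left is timing, since a script polling a drafts folder contacts the mail host on a steadier beat than a person reading mail. The following is an added example, not Shape’s, G-Data’s or Wired’s code, that flags hosts with metronomic request cadence to a webmail host; the log format, addresses and thresholds are all constructed for the example.

```python
"""Beacon-cadence heuristic for webmail-based C2 (added example, not Shape's or Wired's code).
Encoded draft contents defeat content inspection, so this looks at timing instead: a polling
loop contacts the mail host at near-constant intervals, a person reading mail does not."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed log, format "<epoch_seconds> <src_ip> <agent> <host>": 10.0.0.5 polls Gmail
# every ~60 s via an IE agent (automation-like); 10.0.0.9 is a person with irregular gaps.
SAMPLE_LOG = """\
1414500000 10.0.0.5 MSIE mail.google.com
1414500060 10.0.0.5 MSIE mail.google.com
1414500121 10.0.0.5 MSIE mail.google.com
1414500180 10.0.0.5 MSIE mail.google.com
1414500240 10.0.0.5 MSIE mail.google.com
1414500299 10.0.0.5 MSIE mail.google.com
1414500000 10.0.0.9 Firefox mail.google.com
1414500007 10.0.0.9 Firefox mail.google.com
1414500610 10.0.0.9 Firefox mail.google.com
1414500615 10.0.0.9 Firefox mail.google.com
1414502900 10.0.0.9 Firefox mail.google.com
"""

def parse_log(text):
    """Group request timestamps by (src_ip, host); malformed lines are skipped."""
    groups = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, _agent, host = parts
            groups[(src, host)].append(int(ts))
    return groups

def cadence(timestamps):
    """Return (mean_gap, cv) of inter-request gaps; cv near 0 means metronomic polling."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or sum(gaps) == 0:
        return None  # too few requests, or all at the same instant, to judge cadence
    m = mean(gaps)
    return m, pstdev(gaps) / m

def find_beacons(text, min_requests=5, max_cv=0.1, watch_hosts=("mail.google.com",)):
    """Flag (src_ip, host, count, mean_gap_s, cv) for watched hosts polled on a steady beat."""
    hits = []
    for (src, host), ts in parse_log(text).items():
        if host not in watch_hosts or len(ts) < min_requests:
            continue
        stats = cadence(ts)
        if stats and stats[1] <= max_cv:
            hits.append((src, host, len(ts), round(stats[0], 1), round(stats[1], 3)))
    return hits
```

A steady cadence alone is not proof of compromise (mail clients and browser tabs also refresh on timers), so the hits are a triage list to correlate with the originating process, not a verdict.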

“Williamson says the new infection is in fact a variant of a remote access Trojan (RAT) called Icoscript, first found by the German [cyber] security firm G-Data in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, said Williamson, could make the malware stealthier still,” Mr. Greenberg wrote.

“Thanks in part to that stealth, Shape doesn’t have any sense of just how many computers might be infected with the Icoscript variant they found. But, given its data-stealing intent, they believe it’s likely a closely targeted attack rather than a widespread infection.”

“For victims of the malware, Shape says there’s no easy way to detect its surreptitious data theft without blocking Gmail altogether. The responsibility may instead fall on Google to make its webmail less friendly to automated malware. A Google spokesperson responded to an email from Wired with only a statement that ‘our systems actively track malicious and programmatic usage of Gmail; and, we quickly remove abusive accounts we identify.’”

“Until the automated malware communication is cut off however,” Williamson says Gmail will offer a problematic new path for malware to adapt and update itself. “It makes the malware that much more dynamic,” Williamson said. “It’s the lifeblood of this attack.”

And, the online/digital version of cat-and-mouse, or good guys vs. bad guys, continues. V/R, RCP
