Researchers have discovered a piece of malware that uses a novel form of “command and control”, the channel that lets hackers update the malicious software and retrieve the data that it steals. The commands are tucked away in the Gmail drafts folder, in messages that are never sent, which makes them very hard to detect.
“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a researcher at Shape Security. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”
How the malware uses Gmail
First, the hacker set up an anonymous Gmail account, then infected a machine on the target’s network with the malware. The malicious software allowed the hacker to gain control of the machine and open the Gmail account in an invisible instance of Internet Explorer. Windows programs are able to run the web browser without the user even knowing that a webpage is open.
The hacker was able to open the Gmail drafts folder, with the user still completely unaware. The malware then used a Python script to retrieve instructions from the draft field, which the hacker was able to remotely update. The malware was able to respond to the hacker through the same draft field, passing acknowledgements of instructions and sensitive data back to the hacker.
In order to hide itself from anti-virus software, all of the information communicated between the hacker and the malware is encrypted.
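A defender-side sketch of how the behaviour described above could be hunted for; it is an added example, not code from the article or from the researchers. It assumes endpoint telemetry that ties network connections to process IDs, and that Internet Explorer started through COM automation carries `-Embedding` on its command line with `svchost.exe` as its parent; the record layout, host names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

WEBMAIL_HOSTS = {"mail.google.com", "mail.yahoo.com"}  # services named in the article

# Constructed sample telemetry (not real logs): process-creation events.
PROCESS_EVENTS = [
    {"host": "ws-014", "pid": 4120,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
     "parent": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-022", "pid": 3004,
     "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"',
     "parent": r"C:\Windows\explorer.exe"},
]

# Constructed network-connection events: (host, pid, epoch seconds, destination).
NET_EVENTS = (
    [("ws-014", 4120, 1000 + 300 * i, "mail.google.com") for i in range(6)]
    + [("ws-022", 3004, t, "mail.google.com") for t in (1010, 1045, 2900)]
    + [("ws-014", 4120, 1100, "www.example.com")]
)

def is_automated_browser(ev):
    """Heuristic: IE started through COM automation rather than by the user."""
    return (ev["image"].lower().endswith("\\iexplore.exe")
            and "-embedding" in ev["cmdline"].lower()
            and ev["parent"].lower().endswith("\\svchost.exe"))

def find_hidden_webmail_sessions(proc_events, net_events, min_hits=4, max_jitter=0.2):
    """Flag automation-launched browsers that keep returning to a webmail host."""
    automated = {(e["host"], e["pid"]) for e in proc_events if is_automated_browser(e)}
    hits = defaultdict(list)
    for host, pid, ts, dest in net_events:
        if (host, pid) in automated and dest in WEBMAIL_HOSTS:
            hits[(host, pid)].append(ts)
    findings = []
    for (host, pid), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Evenly spaced requests suggest a script polling, not a person reading mail.
        regular = pstdev(gaps) <= max_jitter * mean(gaps)
        findings.append({"host": host, "pid": pid, "hits": len(times),
                         "regular_polling": regular})
    return findings

if __name__ == "__main__":
    for finding in find_hidden_webmail_sessions(PROCESS_EVENTS, NET_EVENTS):
        print(finding)
```

Legitimate software also automates Internet Explorer, so a match is a lead for investigation rather than a verdict.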
A widespread problem?
Shape has since admitted that it has no idea how many computers may be infected with the virus, which it says is a variant of a remote access trojan (RAT) called Icoscript that was first discovered in August.
The German security firm G-Data, which discovered the virus, claims that Icoscript has been around since 2012, and started out by using Yahoo Mail emails. There are concerns that switching to Gmail has made it even harder to detect, and the onus now falls on Google to better protect its users from automated malware.