Back in August, Germany’s anti-malware solutions provider G Data Software identified stealthy malware that had gone undetected since 2012. They dubbed the remote administration tool (RAT) Win32.Trojan.IcoScript.A and remarked that it was particularly nasty due to the way it abused webmail for its command and control (C&C) communications. Although IcoScript was using Yahoo email, G Data predicted that it could just as easily abuse Facebook, LinkedIn or Gmail. And now a variant of that malware is using Gmail drafts that open in invisible Internet Explorer windows and act as the command and control to steal data.
A computer must first be infected, but since many companies don’t blacklist access to webmail services, once a computer is infected in a targeted attack, the malware uses its own scripting language to automatically connect to an email account. Attackers could even "use hundreds of different email accounts with names that are very similar to those of real users," making it "very difficult to distinguish fake accounts from real ones."
Before we jump to the newest malware using Gmail drafts, let’s look at what G Data concluded in its write up on Virus Bulletin. The malware abused Microsoft Windows Component Object Model (COM) technology to control Internet Explorer. IE would open in an invisible, or hidden, window and connect to specific websites, enter credentials to access an email account, execute files, check or uncheck checkboxes, press buttons on a webpage, fill in form data on a site, export data and more.
The following were listed as advantages for malware developers to exploit COM, which can control IE, and manipulate the browser that is being used by a legitimate user:
- The HTTP communication is performed by the user’s iexplore.exe process (not by the malware itself).
- If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session. The malware developers don’t have to worry about the proxy configuration on the infected machine.
- Analysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behavior or socket usage, etc.
- The user does not usually notice the additional communication being carried out by the browser – the session is hidden.
"The technique used by this remote administration tool is clever, because it is modular, easy to adapt and the flow of traffic is overlooked among the large number of legitimate web requests," G Data said. Intrusion Detection Systems (IDS) don’t cut it because they fall short on detecting IcoScript strings. G Data added:
For incident response teams, containment is usually restricted to blocking the URL on the proxy. In this case, the URL cannot easily be blocked and a lot of legitimate requests must not be blocked. Furthermore, the attacker can configure each sample to use multiple legitimate websites such as social networks, webmail sites, cloud services and so on. The containment must be performed on the network flow in real time. This approach is harder to realize and to maintain. It demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.
Malware morphs to use Gmail drafts
So now a different security firm has identified a different strain of malware that uses Gmail drafts for hidden C&C communications. “What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” Shape Security researcher Wade Williamson told Wired. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.” In fact, he suggested that there is “no easy way to detect its surreptitious data theft without blocking Gmail altogether.” From the Wired article:
Here’s how the attack worked in the case Shape observed: The hacker first set up an anonymous Gmail account, then infected a computer on the target’s network with malware. (Shape declined to name the victim of the attack.) After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer—IE allows itself to be run by Windows programs so that they can seamlessly query web pages for information, so the user has no idea a web page is even open on the computer.
With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention.
It was suggested that Google should take responsibility and “make its webmail less friendly to automated malware” communication or else “Gmail will offer a problematic new path for malware to adapt and update itself.” Williamson added that until Google’s automated malware communication is cut off, “it’s the lifeblood of this attack.”
Before the malware morphed, however, and based on G Data’s analysis, it could work “just as well for numerous web portals such as Gmail, Outlook.com, etc. Even LinkedIn, Facebook and other social networks could be misused in this way.”