G-Data Uncovers Malware Sample Undetected Since 2012
G-Data has just detected a malware strain that had gone undetected since 2012. Dubbed Win32.Trojan.IcoScript.A, the malicious program is an early RAT (remote administration tool); what sets it apart, however, is the unusual method it uses to interact with its command-and-control (C&C) system. The malware, which is highly modular, abuses well-known web platforms such as Gmail and Yahoo to communicate with its C&C.
It uses Microsoft Windows' Component Object Model (COM) mechanism to manipulate Internet Explorer and carry out HTTP requests to remote software and services. The malware has a scripting language of its own with which it performs its tasks.
IcoScript is unique in that it connects to a Yahoo Mail account controlled by the malware's creators and takes its instructions from specially crafted e-mails left in the inbox. In corporate environments, access to webmail is rarely blocked, and the traffic is not generally regarded as suspicious.
Moreover, the malware's modular design lets the attackers move to another webmail service, such as Gmail, without difficulty, or even use other popular services such as LinkedIn or Facebook to control the malware, since the risk of that communication being blocked is low.
Paul Rascagnères, a researcher with G-Data, explains that incident response teams normally contain malware of IcoScript's type by blocking its URLs on a proxy server. With IcoScript, however, the URLs are not so easy to block, since they point to the servers of trusted services. Rascagnères adds that IcoScript could become even more effective if the attackers diversified their C&C channels, creating multiple samples of the malware that use any number of social-networking sites, legitimate webmail services and cloud storage facilities. Threatpost.com published this on August 4, 2014.
The researcher continues that incident response teams can then only contain the malware through real-time analysis of network flows, a mechanism that is much harder to implement and to maintain. The implication, he concludes, is that the attackers understand how such teams work and can shape their communication so that detecting and containing the malware becomes both costly and complex. Securityweek.com published this on August 4, 2014.
SPAMfighter News - 11-08-2014