Gmail Drafts used to update RAT and send victims data to the hackers

Researchers at the security startup Shape Security have discovered that Gmail Drafts are being used by hackers to contact their Command and Control servers, update the Remote Access Trojan (RAT) and steal victims vital and confidential information. In a report on Wired, Shape Security say they have found a strain of malware on a client’s network that uses that new, furtive form of “command and control”—the communications channel that connects hackers to their malicious software—allowing them to send the programs updates and instructions and retrieve stolen data. Shape Security researchers said that users/victims barely opened their drafts lying around in Gmail and this made the hackers job pretty easy.  The RAT commands are hidden in unassuming Gmail drafts that are never even sent, the hidden communications channel is particularly difficult to detect.

“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape. “It’s stealthily passing messages back and forth without even having to press send. You never see the bullet fired.”

Modus Operandi

Shape Security said that this was how this new kind of malware work.  The cyber criminal / hacker first set up an anonymous Gmail account.  He then proceeded to infect the victims computer with the malware.  Once the malware was injected into the victims computer, all he had to do is open the original anonymous Gmail account as as invisible instance of Internet Explorer.

Readers may not that Microsoft Windows lets Internet Explorer run by itself.  This is allowed by the Windows programs so that they can seamlessly query web pages for information.  But in this case the cyber criminal rakes in benefit of the Gmail on IE running in background and the hapless victim has no idea a web page is even open on the computer.



Random Access Tool (RAT)

Shape Security said they had identified the malware as a new variant of the IcoScript RAT first found by the German security research firm G-Data in August 2014. At the time, G-Data said that IcoScript had been infecting machines since 2012, and that it was using Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered.

The new variant of IcosSript has switched  to Gmail drafts and this made the malware much more powerful and stealthier.  With the Gmail drafts folder open and hidden, the malware is programmed to use a Python script to retrieve commands and code that the hacker enters into that draft field. The malware responds with its own acknowledgments in Gmail draft form, along with the target data it’s programmed to exfiltrate from the victim’s network. All the communication is encoded to prevent it being spotted by intrusion detection or data-leak prevention. The use of a reputable web service instead of the usual IRC or HTTP protocols that hackers typically use to command their malware also helps keep the hack hidden.

Shape found out about the latest variant IcosSript, when one of their clients was infected with the same.  They however noted that it would be difficult to presume or estimate as to how many PCs around the world may be infected by this new variant of IcosSript RAT due to its futuristic stealth capacities.  However they ruled out a full fledged infection across the world considering that the RAT is a information stealing malware and such type of RATs work in a closely targeted method.

Rescue method

Shape said that given the stealth capacities of this new variant of IcoScript, there’s no easy way to detect its surreptitious data theft other than blocking Gmail altogether. Shape also said that Google may take responsibility to root out this new RAT from their emailing system and make Gmail safer.

Google spokesperson responded to an email from WIRED with only a statement that “our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify.”