Hackers Are using Gmail drafts as command and control to steal data

A technique that General David Petraeus used  to communicate with his lover Paula Broadwell (with whom he was having an illicit affair.), is now become a data-stealing technique for hackers.

Now hackers have learned the same trick. Only instead of a mistress, they’re sharing their love letters with data-stealing malware buried deep on a victim’s computer.

Back in August, Germany’s anti-malware solutions provider G Data Software identified stealthy malware that had gone undetected since 2012.

They dubbed the remote administration tool (RAT) Win32.Trojan.IcoScript.A and remarked that it was particularly nasty due to the way it abused webmail for its command and control (C&C) communications. Although IcoScript was using Yahoo email, G Data predicted that it could just as easily abuse Facebook, LinkedIn or Gmail. And now a variant of that malware is using Gmail drafts that open in invisible Internet Explorer windows and act as the command and control to steal data.

As written on wired .com :

Williamson (a security researcher at Shape) says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still.

Thanks in part to that stealth, Shape doesn’t have any sense of just how many computers might be infected with the Icoscript variant they found. But given its data-stealing intent, they believe it’s likely a closely targeted attack rather than a widespread infection.

For victims of the malware, Shape says there’s no easy way to detect its surreptitious data theft without blocking Gmail altogether. The responsibility may instead fall on Google to make its webmail less friendly to automated malware. A Google spokesperson responded to an email from WIRED with only a statement that “our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify.”

G Data concluded in its write up: 

The malware abused Microsoft Windows Component Object Model (COM) technology to control Internet Explorer. IE would open in an invisible, or hidden, window and connect to specific websites, enter credentials to access an email account, execute files, check or uncheck checkboxes, press buttons on a webpage, fill in form data on a site, export data and more.

The following were listed as advantages for malware developers to exploit COM, which can control IE, and manipulate the browser that is being used by a legitimate user:

  • The HTTP communication is performed by the user’s iexplore.exe process (not by the malware itself).
  • If the targeted infrastructure uses a proxy (with authentication), the malware can reuse the proxy token stored in the user session. The malware developers don’t have to worry about the proxy configuration on the infected machine.
  • Analysis by reverse engineering is more complicated – there’s no obvious evidence of malicious network behavior or socket usage, etc.
  • The user does not usually notice the additional communication being carried out by the browser – the session is hidden.

3 thoughts on “Hackers Are using Gmail drafts as command and control to steal data”

  1. I like the suggestion which is listed above for doing tricks.
    but I need to explain here stealing a draft from particular mail account is somehow not possible (in reasonable amount of time) because currently the gmail security doesn’t allow to do so.
    as i tried alot.
    but instead of stealing data from draft.
    I release my core secret: a attacker can easily passed a malware (script) by which whenever a victim gets an email and if it was opened. script starts it execution without user knowing. so with the help of my script i can gain access to legitimate emails easily.

    (Note: this is for information purpose only not for hacking purpose)

    Reply
    • Hemraj : This is no secret. The strategy that you’ve pointed out here was used ages ago in a virus named ‘I Love You’ which ran a script whenever an attachment from an Outlook email was opened. This and it did a couple of other things too. But now email softwares have taken ample precautions to disable scripts from running by default.

      Reply
      • Karthi “K”, i used it now too, and in regarding to some what virus u mentioned. it is just a virus, but my powershell script is masterpiece to me.
        which work finitely for me.

        Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.