G Data suspects the malware is being used in highly targeted attacks to steal data and passwords, with the only known incidents so far being reported in the US and Norway.
In a 5 August paper published on Virus Bulletin, G Data's Paul Rascagneres says IcoScript (Win32.Trojan.IcoScript.A) is a ‘classic’ remote access Trojan, but its modular structure enables it to use a range of webmail services to cloak its communications back to its command server.
IcoScript works by using Microsoft Windows COM (component object model) technology to infiltrate the user's web browser, then sets up its own email accounts masquerading as genuine ones, making it difficult for the corporate incident response team to detect.
G Data found it using Yahoo Mail but said that, as it is browser-based, it could easily switch to misusing Gmail or even social media platforms like Facebook and LinkedIn.
Ralf Benzmüller, head of G Data SecurityLabs, told SCMagazineUK.com: “It creates its own email account and receives its own emails so there is nothing the user could detect.
“In a targeted attack, the security team must have a close look at the email traffic, and this is usually not done. So the message is - put email on the list of things to monitor for indicators of compromise.
“The potential is, because it is inside the browser, it is quite easy to switch to other control mechanisms that are not email based. It is really giving incident response teams a hard time.”
Benzmüller added: “It's quite sophisticated and usually that kind of malware is found in specific targeted attacks. It provides complete access to the system and you can do whatever you want – steal files, data, passwords, run commands.”
IcoScript has remained undiscovered for over two years, G Data says.
In his blog, Rascagneres points out that its “approach demonstrates both that attackers know how incident response teams work, and that they can adapt their communication to make detection and containment both complicated and expensive.”
He said: “We can envisage future techniques that will make the lives of incident response teams harder.”
Analysing the Trojan, industry expert Scott MacKenzie, CISO with cyber security solutions provider Logical Step, agreed that it is innovative and elusive.
He told SCMagazineUK.com via email: “Anti-malware companies will develop signatures to detect this variant of IcoScript Malware - however, its modular nature means it can easily be adapted to evade signature detection.
“IcoScript is innovative in appending a scripting language to the .ico file parsed by browsers when displaying a unique icon for a website. This scriptable ability facilitates the alteration of the malware's function.
“The technique used by IcoScript could easily use any public email or social media provider. If an organisation's corporate security policy allows access to public email and social media sites, IcoScript is harder to block.”
In terms of defending against the Trojan, MacKenzie suggests: “A possible containment method may be for corporate security to block .ico files, while still allowing access to public email and social media sites. This approach would maintain the functionality of the website, such as Gmail, that the user is accessing.”
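Blocking every .ico file outright breaks favicons, so a lighter triage check is to parse the ICO directory and flag files that carry bytes beyond the last image, which is where appended script would sit. The following is an added illustration written for this article, not G Data's or Logical Step's tooling; the icon sample it checks is constructed inline and the field layout follows the documented ICO header and directory entry format.

```python
import struct

ICO_HEADER = struct.Struct("<HHH")          # reserved, resource type, image count
ICO_DIR_ENTRY = struct.Struct("<BBBBHHII")  # w, h, colours, reserved, planes, bpp, size, offset


def ico_trailing_data(blob: bytes) -> dict:
    """Parse an ICO directory and report any bytes that sit beyond the last image."""
    if len(blob) < ICO_HEADER.size:
        raise ValueError("too short for an ICO header")
    reserved, kind, count = ICO_HEADER.unpack_from(blob, 0)
    if reserved != 0 or kind not in (1, 2) or count == 0:
        raise ValueError("not an ICO/CUR header")
    dir_end = ICO_HEADER.size + count * ICO_DIR_ENTRY.size
    if len(blob) < dir_end:
        raise ValueError("directory truncated")
    image_end = dir_end
    for i in range(count):
        *_, size, offset = ICO_DIR_ENTRY.unpack_from(blob, ICO_HEADER.size + i * ICO_DIR_ENTRY.size)
        if offset + size > len(blob):
            raise ValueError(f"entry {i} points past end of file")
        image_end = max(image_end, offset + size)
    trailer = blob[image_end:]
    # Printable-text trailers are the interesting case; binary padding is usually benign.
    looks_like_text = bool(trailer) and all(32 <= b < 127 or b in (9, 10, 13) for b in trailer)
    return {"image_end": image_end, "trailing_bytes": len(trailer),
            "looks_like_text": looks_like_text, "trailer": trailer}


def build_sample_ico(trailer: bytes = b"") -> bytes:
    """Constructed sample: one 1x1 32-bit icon (BITMAPINFOHEADER + XOR pixel + AND mask row)."""
    image = struct.pack("<IiiHHIIiiII", 40, 1, 2, 1, 32, 0, 8, 0, 0, 0, 0) + b"\x00" * 8
    header = ICO_HEADER.pack(0, 1, 1)
    entry = ICO_DIR_ENTRY.pack(1, 1, 0, 0, 1, 32, len(image), ICO_HEADER.size + ICO_DIR_ENTRY.size)
    return header + entry + image + trailer


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_ico()), ("appended", build_sample_ico(b"x = 1;\n"))):
        report = ico_trailing_data(sample)
        print(label, report["trailing_bytes"], "trailing bytes, text:", report["looks_like_text"])
```

Some legitimate icon editors leave padding after the image data, so treat a non-zero trailer as a triage signal to inspect rather than a verdict, and run it at the proxy or on the browser cache where favicons are stored.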
In an email to SC, Check Point UK MD, Keith Bird, advised: “RATs are a growing issue for IT teams, and using webmail to conceal a RAT is a clever trick that makes detection more difficult.
“It means that organisations need to consider standardising the web applications they allow users and user groups to access, and monitoring the use of these approved applications while blocking access to unauthorised ones. This type of enforcement will reduce the possible vectors for exploits.