RAT uses Yahoo Mail to fool security teams

G Data suspects the malware is being used in highly targeted attacks to steal data and passwords, with the only known incidents so far reported in the US and Norway.

In a 5 August paper published on Virus Bulletin, G Data's Paul Rascagneres says IcoScript (Win32.Trojan.IcoScript.A) is a 'classic' remote access Trojan, but its modular structure enables it to use a range of webmail services to cloak its communications back to its command server.

IcoScript works by using Microsoft Windows COM (Component Object Model) technology to drive the user's web browser from the outside, then logs into webmail accounts it sets up for itself that look like genuine ones. Because the command traffic leaves the machine as ordinary browser sessions to a well-known mail provider, it blends into normal web traffic and is difficult for a corporate incident response team to pick out.

G Data found it using Yahoo Mail but said that, as it is browser-based, it could easily switch to misusing Gmail or even social media platforms like Facebook and LinkedIn.

Ralf Benzmüller, head of G Data SecurityLabs, told SCMagazineUK.com: “It creates its own email account and receives its own emails so there is nothing the user could detect.

“In a targeted attack, the security team must have a close look at the email traffic, and this is usually not done. So the message is - put email on the list of things to monitor for indicators of compromise.

“The potential is, because it is inside the browser, it is quite easy to switch to other control mechanisms that are not email based. It is really giving incident response teams a hard time.”
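Benzmüller's advice to put email on the list of things to monitor raises the practical question of what to look for, since the traffic comes from the user's own browser to a legitimate webmail host. One signal that survives that disguise is timing: an implant polling a mailbox for commands tends to do so at a fixed interval, while a person reading mail produces irregular bursts. The following is an added example, not code from G Data or from the Virus Bulletin paper, that flags client hosts whose requests to a webmail domain arrive at suspiciously regular intervals. The proxy log lines are constructed, the log format and the thresholds (`min_requests`, `max_cv`) are assumptions, and the domain list beyond Yahoo Mail is an assumed addition.

```python
"""Beacon detection over webmail traffic in proxy logs.

Added example (not G Data's code). Flags client hosts whose requests to a
webmail domain arrive at regular intervals, which is what an automated
implant polling a mailbox for commands looks like, while a human reading
mail produces irregular bursts.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Domains to watch. Yahoo Mail is the service the article names; the other
# entries are assumed additions an analyst would reasonably include.
WEBMAIL_DOMAINS = ("mail.yahoo.com", "mail.google.com", "outlook.live.com")

# Constructed sample proxy log, one request per line in the assumed format
# "<ISO timestamp> <client> <method> <url> <status>".
# 10.0.0.5 hits Yahoo Mail every 10 minutes exactly (automated poller);
# 10.0.0.7 reads mail in human-looking bursts; 10.0.0.9 never touches webmail.
SAMPLE_LOG = """\
2014-08-05T09:00:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:10:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:20:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:30:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:40:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:50:00 10.0.0.5 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:02:13 10.0.0.7 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:02:41 10.0.0.7 GET https://mail.yahoo.com/neo/b/message 200
2014-08-05T09:03:05 10.0.0.7 GET https://mail.yahoo.com/neo/b/message 200
2014-08-05T11:47:30 10.0.0.7 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T11:48:02 10.0.0.7 GET https://mail.yahoo.com/neo/b/compose 200
2014-08-05T16:15:10 10.0.0.7 GET https://mail.yahoo.com/neo/launch 200
2014-08-05T09:05:00 10.0.0.9 GET https://www.example.com/ 200
2014-08-05T09:15:00 10.0.0.9 GET https://www.example.com/ 200
"""


def parse_log(text):
    """Return (timestamp, client, host) for each request to a webmail domain."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, _status = line.split()
        host = urlsplit(url).hostname or ""
        if any(host == d or host.endswith("." + d) for d in WEBMAIL_DOMAINS):
            events.append((datetime.fromisoformat(ts), client, host))
    return events


def find_beacons(events, min_requests=5, max_cv=0.2):
    """Return {(client, host): mean_gap_seconds} for regular pollers.

    A (client, host) pair is flagged when it has at least `min_requests`
    requests and the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests is at most `max_cv`. Both thresholds are
    assumptions; tune them against your own baseline traffic.
    """
    by_pair = defaultdict(list)
    for ts, client, host in events:
        by_pair[(client, host)].append(ts)

    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean == 0:
            continue  # duplicate timestamps; nothing to measure
        if statistics.pstdev(gaps) / mean <= max_cv:
            flagged[pair] = mean
    return flagged


def report(text):
    """Run the detector over raw log text and return the flagged pairs."""
    return find_beacons(parse_log(text))


if __name__ == "__main__":
    for (client, host), interval in report(SAMPLE_LOG).items():
        print(f"{client} polls {host} every {interval:.0f}s: possible webmail C2")
```

On the constructed data only 10.0.0.5 is flagged, with a 600-second period; 10.0.0.7 has as many requests but its gaps vary by hours. The obvious caveat is that an open webmail tab auto-refreshing in the background also produces regular requests, so treat a hit as a lead to correlate with user presence, session logon times and whether the requests continue outside working hours, not as a verdict on its own.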

Benzmüller added: “It's quite sophisticated and usually that kind of malware is found in specific targeted attacks. It provides complete access to the system and you can do whatever you want – steal files, data, passwords, run commands.”

IcoScript has remained undiscovered for over two years, G Data says.