Using Gmail Drafts to… Command and Control your Computer?

For those who (over) think before they email, the Drafts folder can be both blessing and a curse. Anyone who has ever accidentally sent an unfinished draft to a coworker, new contact, or friend will probably even go one further: unfinished drafts that reveal what you’re thinking before the thought is polished and ready to be sent can be embarrassing and unprofessional. Thanks to the unending nefariousness of malware writers, the email drafts folder can now also be considered dangerous.

Researchers have uncovered a variant of the Icoscript RAT that uses Gmail draft folders to issue commands to and collect data from infected computers. Many types of malware do this latter part – that is, connect to a “command and control” server,  to provide updates and steal information – but the use of draft emails to make this happen adds a new layer of stealth to the process.

According to reports, attackers are able to pull this off because they can use the remote access trojan to open an invisible instance of Internet Explorer on the infected computer. Windows is built to allow programs to do this, to perform behind the scenes information gathering. With Icoscript, attackers are leveraging this capability to log into an anonymous Gmail account and issue C&C commands through an unsent draft. Conversely, the malware is also designed to place stolen data in drafts for cybercriminals to collect. In effect, attackers have created a malware communication channel, with a trusted program, where nothing is ever actually sent. This makes the malware much harder to detect than programs that perform C&C communication through other protocols, on many of which strange activity will be detected by anti-malware.

Those who have discovered this clever little draft trick – that’s also sometimes used by people who have affairs to exchange messages on a shared email –  stress that “there’s no easy way to detect its surreptitious data theft without blocking Gmail altogether.” For end users, this means that protection hinges on prevention. Icoscript may be good at hiding itself, but it still has to work its way onto your machine. If you’re using an anti-malware that processes roughly 225,000 new malware samples every single day, and you’re well-versed in all the ways cybercriminals use to trick people into installing their creations, it is very unlikely that this will occur.

You will still need to be careful about spilling your heart out in an email draft, though ;)

Have a nice (malware-free) day!

For more information on Icoscript’s use of Gmail Drafts, see this article from Wired.
For a technical analysis, see Icoscript: using webmail to control malware by Paul Rascagnères.