Once you've successfully infected your victim's computer with malware, you want to be able to send it orders — so you spawn an invisible Internet Explorer window, login to an anonymous Gmail account, and check in the Drafts folder for secret orders.
It's the same technique that General David Petraeus used to communicate with Paula Broadwell, with whom he was having an illicit affair. Shape Security says they've found a strain of malware that uses the tactic for command-and-control messaging with hacked machines.
Williamson says the new infection is in fact a variant of a remote access trojan (RAT) called Icoscript first found by the German security firm G-Data in August. At the time, G-Data said that Icoscript had been infecting machines since 2012, and that its use of Yahoo Mail emails to obscure its command and control had helped to keep it from being discovered. The switch to Gmail drafts, says Williamson, could make the malware stealthier still.
Thanks in part to that stealth, Shape doesn't have any sense of just how many computers might be infected with the Icoscript variant they found. But given its data-stealing intent, they believe it's likely a closely targeted attack rather than a widespread infection.
For victims of the malware, Shape says there's no easy way to detect its surreptitious data theft without blocking Gmail altogether. The responsibility may instead fall on Google to make its webmail less friendly to automated malware. A Google spokesperson responded to an email from WIRED with only a statement that "our systems actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we identify."
Hackers Are Using Gmail Drafts to Update Their Malware and Steal Data [Andy Greenberg/Wired]
