network that uses that new, furtive form of “command and control”—the communications channel that connects hackers to their malicious software, allowing them to send the programs updates and instructions and retrieve stolen data.
“What we’re seeing here is command and control that’s using a fully allowed service, and that makes it superstealthy and very hard to identify,” says Wade Williamson, a security researcher at Shape.
After gaining control of the target machine, the hacker opened their anonymous Gmail account on the victim’s computer in an invisible instance of Internet Explorer. IE can be driven by other Windows programs so that they can seamlessly query web pages for information without showing a window, which means the user has no idea a web page is even open on the computer.
Thanks in part to that stealth, Shape doesn’t have any sense of just how many computers might be infected with the Icoscript variant they found. But given its data-stealing intent, they believe it’s likely a closely targeted attack rather than a widespread infection.
actively track malicious and programmatic usage of Gmail and we quickly remove abusive accounts we
problematic new path for malware to adapt and update itself. “It makes the malware that much more dynamic,” says Williamson. “It’s the lifeblood of this attack.”