Hackers use DRAFT emails as dead-drops for running malware

Sneaky hackers are using Gmail and Yahoo! drafts to control compromised devices, with the tactic designed to make detection of malware-related communications more difficult to pick up in enterprise environments.

Attacks occur in two phases. Hackers first infect a targeted machine via simple malware that installs Python onto the device, enabling simple attack scripts to run.

Using Gmail (or Yahoo! Mail), hackers then use draft emails to run command and control prompts on these compromised systems, allowing them to siphon data from infected devices.

The new attack methods have already been used in the wild against a variety of large-scale targets, according to security researchers at Shape Security, who say the malware at the centre of the attack is a variant of the Icoscript remote access trojan first discovered by the German security software firm G-Data back in August.

"Since command and control traffic is one of the most important indications of a breach, this vulnerability is especially dangerous because the hacker uses drafts to ensure no mail ever crosses the firewall," Shape Security warns.

"Nothing stands out as a red flag and it’s difficult to detect because no footprints are left behind," said the company.

Google draft messages were used by former CIA director General David Petraeus to exchange comments with his lover Paula Broadwell, a not particular effective tradecraft trick that was previously used by terrorists. Now the same draft webmail communications tactic has entered the toolbox of malware slingers. ®