Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Digging Deeper into Operation Shady RAT

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Dubbed Operation Shady RAT by security firm McAfee, the attack’s victims ran the gamut from U.S. government agencies to a Taiwanese electronics company. Following McAfee’s lead, researchers at Symantec peeled back a few extra layers from the attack and revealed more information about how phishing emails spiked with malicious attachments allowed the hackers to steal data for five years.

Inside the attackers’ malicious Excel files, Symantec observed the old – but still effective – Microsoft Excel ‘FEATHEADER’ Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited, explained Symantec researcher Hon Lau.

“Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious,” Lau blogged. “A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.”

Once the Trojan is installed, it will attempt to contact a remote site that is hardcoded into the Trojan itself, the researcher continued.

“The first thing you will notice is that the URLs are pointing at image and HTML files,” Lau blogged. “At first glance, they don’t seem all that suspicious. This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate.”

“Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography,” Lau wrote. “These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image. In the versions of the Trojans that are downloading HTML files, the commands are hidden in HTML comments that look like gibberish, but are actually encrypted commands that are further converted into base-64 encoding.”

When the Trojan connects to a remote computer, it establishes a remote shell with the computer and enables the attacker to directly issue shell commands to be run on the compromised computer, Lau added.

But does Shady RAT constitute an advanced persistent threat? It may depend on who’s doing the talking.

“While this attack is indeed significant, it is one of many similar attacks taking place daily,” Lau blogged. “Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets…I would contend that it isn’t (an advanced persistent threat), especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cyberwarfare

WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Cyberwarfare

Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.