Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Cyberwarfare

Digging Deeper into Operation Shady RAT

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Dubbed Operation Shady RAT by security firm McAfee, the attack’s victims ran the gamut from U.S. government agencies to a Taiwanese electronics company. Following McAfee’s lead, researchers at Symantec peeled back a few extra layers from the attack and revealed more information about how phishing emails spiked with malicious attachments allowed the hackers to steal data for five years.

Inside the attackers’ malicious Excel files, Symantec observed the old – but still effective – Microsoft Excel ‘FEATHEADER’ Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited, explained Symantec researcher Hon Lau.

“Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious,” Lau blogged. “A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.”

Once the Trojan is installed, it will attempt to contact a remote site that is hardcoded into the Trojan itself, the researcher continued.

“The first thing you will notice is that the URLs are pointing at image and HTML files,” Lau blogged. “At first glance, they don’t seem all that suspicious. This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate.”

Advertisement. Scroll to continue reading.

“Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography,” Lau wrote. “These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image. In the versions of the Trojans that are downloading HTML files, the commands are hidden in HTML comments that look like gibberish, but are actually encrypted commands that are further converted into base-64 encoding.”

When the Trojan connects to a remote computer, it establishes a remote shell with the computer and enables the attacker to directly issue shell commands to be run on the compromised computer, Lau added.

But does Shady RAT constitute an advanced persistent threat? It may depend on who’s doing the talking.

“While this attack is indeed significant, it is one of many similar attacks taking place daily,” Lau blogged. “Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets…I would contend that it isn’t (an advanced persistent threat), especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how the LOtL threat landscape has evolved, why traditional endpoint hardening methods fall short, and how adaptive, user-aware approaches can reduce risk.

Watch Now

Join the summit to explore critical threats to public cloud infrastructure, APIs, and identity systems through discussions, case studies, and insights into emerging technologies like AI and LLMs.

Register

People on the Move

Kenna Security co-founder Ed Bellis has joined Empirical Security as Chief Executive Officer.

Robert Shaker II has joined application security firm ActiveState as Chief Product and Technology Officer.

MorganFranklin Cyber has promoted Nick Stallone and Ferdinand Hamada into newly created roles.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.