Digging Deeper into Operation Shady RAT

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Dubbed Operation Shady RAT by security firm McAfee, the attack’s victims ran the gamut from U.S. government agencies to a Taiwanese electronics company. Following McAfee’s lead, researchers at Symantec peeled back a few extra layers from the attack and revealed more information about how phishing emails spiked with malicious attachments allowed the hackers to steal data for five years.

Inside the attackers’ malicious Excel files, Symantec observed the old – but still effective – Microsoft Excel ‘FEATHEADER’ Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited, explained Symantec researcher Hon Lau.

“Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious,” Lau blogged. “A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.”

Once the Trojan is installed, it will attempt to contact a remote site that is hardcoded into the Trojan itself, the researcher continued.

“The first thing you will notice is that the URLs are pointing at image and HTML files,” Lau blogged. “At first glance, they don’t seem all that suspicious. This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate.”

“Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography,” Lau wrote. “These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image. In the versions of the Trojans that are downloading HTML files, the commands are hidden in HTML comments that look like gibberish, but are actually encrypted commands that are further converted into base-64 encoding.”

When the Trojan connects to a remote computer, it establishes a remote shell with the computer and enables the attacker to directly issue shell commands to be run on the compromised computer, Lau added.

But does Shady RAT constitute an advanced persistent threat? It may depend on who’s doing the talking.

“While this attack is indeed significant, it is one of many similar attacks taking place daily,” Lau blogged. “Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets…I would contend that it isn’t (an advanced persistent threat), especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.”