Connect with us

Hi, what are you looking for?



Digging Deeper into Operation Shady RAT

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Operation Shady RAT: Peeling Through the Layers

New details have emerged about a stealthy attack campaign that security pros say struck more than 70 organizations around the world.

Dubbed Operation Shady RAT by security firm McAfee, the attack’s victims ran the gamut from U.S. government agencies to a Taiwanese electronics company. Following McAfee’s lead, researchers at Symantec peeled back a few extra layers from the attack and revealed more information about how phishing emails spiked with malicious attachments allowed the hackers to steal data for five years.

Inside the attackers’ malicious Excel files, Symantec observed the old – but still effective – Microsoft Excel ‘FEATHEADER’ Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited, explained Symantec researcher Hon Lau.

“Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious,” Lau blogged. “A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.”

Once the Trojan is installed, it will attempt to contact a remote site that is hardcoded into the Trojan itself, the researcher continued.

“The first thing you will notice is that the URLs are pointing at image and HTML files,” Lau blogged. “At first glance, they don’t seem all that suspicious. This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate.”

Advertisement. Scroll to continue reading.

“Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography,” Lau wrote. “These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image. In the versions of the Trojans that are downloading HTML files, the commands are hidden in HTML comments that look like gibberish, but are actually encrypted commands that are further converted into base-64 encoding.”

When the Trojan connects to a remote computer, it establishes a remote shell with the computer and enables the attacker to directly issue shell commands to be run on the compromised computer, Lau added.

But does Shady RAT constitute an advanced persistent threat? It may depend on who’s doing the talking.

“While this attack is indeed significant, it is one of many similar attacks taking place daily,” Lau blogged. “Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets…I would contend that it isn’t (an advanced persistent threat), especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.”

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights