How 'Shady RAT' espionage attacks spread

The multiyear ‘Shady RAT’ campaign of cyberattacks on government and corporate organizations hooked victims with phishing e-mails and used the rare tactic of embedding malware in photos and other images, according to the security company Symantec.

In a post on the company’s official blog, Symantec researcher Hon Lau broke down the steps used in the attacks, including the use of steganography to hide commands in images.

“These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image,” according to the blog. The code in the images connects with the attacker’s command and control server.

The series of attacks was described in an Aug. 2 report by the security company McAfee, which dubbed the attacks “Operation Shady RAT” (the acronym stands for remote access tool). The attacks, which compromised 72 organizations, 49 of them in the United States, could be traced to a single command and control server, McAfee said.

McAfee’s report did not speculate on the source of the attacks, but several security experts have pointed to China.

Hon said Symantec used information from the report and “our own intelligence sources” to identify the attack vectors and how the attacks work. The attackers used targeted, spear-phishing e-mails containing attachments, usually in Microsoft Office programs, including Word, Excel and PowerPoint, or PDFs.

When opened, the attachment downloaded a Trojan that connected to a remote site hosting the images that contained commands disguised by steganography. Malware in the images could give the attackers access through which to steal files.

Steganography comes from a Greek term meaning “covered writing” and has been used, in one way or another, to send secret messages for centuries. In recent years, it has been used in some espionage circles to embed messages in digital images.

Hon wrote that Symantec had also found the single source of the attacks, which he said was surprisingly available on the command and control server.

McAfee said Shady RAT has stolen several petabytes of data since the attacks began. The earliest intrusion listed in McAfee’s report is from July 2006, although it’s likely the attacks were going on before then, the report states.

Victims of the attacks include six federal agencies, five state governments, three U.S. county governments and government-run sites in Canada, South Korea, Taiwan, Vietnam and India, along with the United Nations.
In the private sector, the attacks compromised 13 defense contractors, and businesses in construction/heavy industry, electronics, steel, energy, IT, the news media, real estate and accounting. Several think tanks or nonprofits also were targeted.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.
