How 'Shady RAT' espionage attacks spread

The multiyear ‘Shady RAT’ campaign of cyberattacks on government and corporate organizations hooked victims with phishing e-mails and used the rare tactic of embedding malware in photos and other images, according to the security company Symantec.

In a post on the company’s official blog, Symantec researcher Hon Lau broke down the steps used in the attacks, including the use of steganography to hide commands in images.

“These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image,” according to the blog. The code in the images connects with the attacker’s command and control server.

Related coverage:

‘Shady RAT’ report unveils massive cyber espionage campaign

The series of attacks was described in an Aug. 2 report by the security company McAfee, which dubbed the attacks “Operation Shady RAT” (the acronym stands for remote access tool). The attacks, which compromised 72 organizations, 49 of them in the United States, could be traced to a single command and control server, McAfee said.

McAfee’s report did not speculate on the source of the attacks, but several security experts have pointed to China.

Hon said Symantec used information from the report and “our own intelligence sources” to identify the attack vectors and how the attacks work. The attackers used targeted spear-phishing e-mails carrying attachments, usually Microsoft Office files (Word, Excel or PowerPoint) or PDFs.

When opened, the attachment downloaded a Trojan that connected to a remote site hosting the images that contained commands disguised by steganography. Malware in the images could give the attackers access through which to steal files.

Steganography comes from a Greek term meaning “covered writing” and has been used, in one way or another, to send secret messages for centuries. In recent years, it has been used in some espionage circles to conceal messages inside digital images.
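The blog’s point that the command bits are “mathematically built into” the pixel data is what makes this hard to spot by eye, but it also leaves a statistical footprint. The snippet below is an added illustration, not code from Symantec or McAfee: it constructs a smooth grayscale cover, simulates what overwriting the least-significant bits with payload data does to that image, and applies a simple detection heuristic (neighbouring pixels in a smooth cover tend to share their low bit; after embedding, the low-bit plane looks like noise). The image, the embedding model and the 0.6 threshold are assumptions chosen for the demonstration.

```python
import random

# Constructed 64x64 8-bit grayscale cover: a slow diagonal gradient, so
# neighbouring pixels usually share their low bit (assumption: smooth cover).
W, H = 64, 64
COVER = [((x + y) // 4) % 256 for y in range(H) for x in range(W)]


def simulate_lsb_embedding(pixels, seed=1):
    """Model of an LSB payload: every least-significant bit is replaced by a
    pseudo-random bit, which is the footprint compressed or encrypted
    payload data leaves in the low-bit plane (seeded for repeatability)."""
    rng = random.Random(seed)
    return [(p & 0xFE) | rng.getrandbits(1) for p in pixels]


def lsb_neighbor_agreement(pixels, width):
    """Fraction of horizontally adjacent pixel pairs whose low bits agree.
    Smooth covers score well above 0.5; a noise-like LSB plane scores ~0.5."""
    agree = total = 0
    for i in range(len(pixels)):
        if (i + 1) % width == 0:      # last column has no right-hand neighbour
            continue
        agree += (pixels[i] & 1) == (pixels[i + 1] & 1)
        total += 1
    return agree / total


def looks_like_lsb_stego(pixels, width, threshold=0.6):
    """Heuristic flag: low-bit plane has lost the spatial structure of the cover."""
    return lsb_neighbor_agreement(pixels, width) < threshold


if __name__ == "__main__":
    stego = simulate_lsb_embedding(COVER)
    print("cover agreement:", round(lsb_neighbor_agreement(COVER, W), 3))
    print("stego agreement:", round(lsb_neighbor_agreement(stego, W), 3))
    print("flagged:", looks_like_lsb_stego(COVER, W), looks_like_lsb_stego(stego, W))
```

The heuristic only separates the two cases when the cover is smooth; a noisy photograph has a near-random low-bit plane even before anything is embedded, which is one reason real detection pipelines combine several statistics rather than relying on one.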

Hon wrote that Symantec had also found the single source of the attacks, which he said was surprisingly available on the command and control server.

McAfee said Shady RAT has stolen several petabytes of data since the attacks began. The earliest intrusion listed in McAfee’s report dates from July 2006, although the attacks were likely under way before then, the report states.

Victims of the attacks include six federal agencies, five state governments, three U.S. county governments and government-run sites in Canada, South Korea, Taiwan, Vietnam and India, along with the United Nations.

In the private sector, the attacks compromised 13 defense contractors and businesses in construction/heavy industry, electronics, steel, energy, IT, the news media, real estate and accounting. Several think tanks or nonprofits also were targeted.

About the Author

Kevin McCaney is a former editor of Defense Systems and GCN.
