How 'Shady RAT' espionage attacks spread
- By Kevin McCaney
- Aug 12, 2011
The multiyear ‘Shady RAT’ campaign of cyberattacks on government and corporate organizations hooked victims with phishing e-mails and used the rare tactic of embedding malware in photos and other images, according to the security company Symantec.
In a post on the company’s official blog, Symantec researcher Hon Lau broke down the steps used in the attacks, including the use of steganography to hide commands in images.
“These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image,” according to the blog. The code in the images connects with the attacker’s command and control server.
The series of attacks was described in an Aug. 2 report by the security company McAfee, which dubbed the attacks “Operation Shady RAT” (the acronym stands for remote access tool). The attacks, which compromised 72 organizations, 49 of them in the United States, could be traced to a single command and control server, McAfee said.
McAfee’s report did not speculate on the source of the attacks, but several security experts have pointed to China.
Hon said Symantec used information from the report and “our own intelligence sources” to identify the attack vectors and how the attacks work. The attackers used targeted spear-phishing e-mails carrying attachments, usually Microsoft Office files (Word, Excel or PowerPoint) or PDFs.
When opened, the attachment downloaded a Trojan that connected to a remote site hosting the images that contained commands disguised by steganography. Malware in the images could give the attackers access through which to steal files.
Steganography comes from a Greek term meaning “covered writing” and has been used, in one way or another, to send secret messages for centuries. In recent years, it has been used in some espionage circles to conceal messages in digital images.
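Defenders who suspect that an image fetched by a Trojan carries hidden commands can look for the statistical trace that least-significant-bit (LSB) replacement leaves in the pixel histogram. The scan below is an added example, not code from Symantec’s or McAfee’s analysis, and it assumes the commands were written into pixel LSBs (the article does not say which embedding was used); the images it tests are constructed in the script.

```python
import random

def chi_square_lsb(pixels):
    """Westfeld-Pfitzmann pairs-of-values statistic over an 8-bit histogram.
    LSB replacement with a high-entropy payload equalises each pair (2k, 2k+1),
    so the statistic is large for clean data and near dof for stego data."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    stat, dof = 0.0, 0
    for k in range(128):
        even, odd = hist[2 * k], hist[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue
        stat += (even - expected) ** 2 / expected
        dof += 1
    return stat, dof

def stego_fraction(pixels, window=4096, ratio=3.0):
    """Scan fixed windows (payloads rarely fill the whole image) and return the
    fraction whose statistic falls below ratio * dof, i.e. looks filled."""
    flagged, windows = 0, 0
    for start in range(0, len(pixels) - window + 1, window):
        stat, dof = chi_square_lsb(pixels[start:start + window])
        windows += 1
        if stat < ratio * dof:
            flagged += 1
    return flagged / windows if windows else 0.0

def embed_lsb(pixels, payload):
    """Toy sequential LSB replacement, used only to build the samples below."""
    out = list(pixels)
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return out

# Constructed samples, not real Shady RAT artefacts: a 16384-pixel grayscale
# "photo" with an exaggerated odd/even imbalance standing in for a camera's
# jagged histogram, plus copies carrying a random (encrypted-looking) payload
# that fills either the whole image or only its first quarter.
_rng = random.Random(2011)
CLEAN = [(_rng.randrange(256) & 0xFE) | int(_rng.random() < 0.1)
         for _ in range(16384)]
_blob = bytes(_rng.randrange(256) for _ in range(2048))
FULL = embed_lsb(CLEAN, _blob)           # 2048 bytes = 16384 bits, all pixels
PARTIAL = embed_lsb(CLEAN, _blob[:512])  # 4096 bits, first window only
```

The windowed scan matters because a payload that covers only part of the image leaves the whole-image statistic inconclusive; a smooth synthetic histogram (a gradient, for instance) can also trigger a false positive, so treat a hit as a triage lead rather than proof.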
Hon wrote that Symantec had also found the single source of the attacks, which he said was, surprisingly, still available on the command and control server.
McAfee said Shady RAT has stolen several petabytes of data since the attacks began. The first intrusion listed in McAfee’s report dates from July 2006, although it is likely the attacks were going on before then, the report states.
Victims of the attacks include six federal agencies, five state governments, three U.S. county governments and government-run sites in Canada, South Korea, Taiwan, Vietnam and India, along with the United Nations.
In the private sector, the attacks compromised 13 defense contractors and businesses in construction/heavy industry, electronics, steel, energy, IT, the news media, real estate and accounting. Several think tanks and nonprofits were also targeted.
Kevin McCaney is a former editor of Defense Systems and GCN.