Building on top of McAfee's report on a global hacking operation nicknamed Shady Rat, Symantec's investigation, written by Hon Lau on the security company's blog, explains how organizations were initially targeted, using emails with attachments that contained exploit code. The attachments seemed typically harmless, being Word, Excel, PowerPoint and PDF documents; however, when opened on unpatched systems, it dropped a trojan at the same time as displaying the expected document.
The trojan itself downloaded images and HTML pages from remote sites, which seemed innocent enough, but according to Lau, actually contained hidden or encrypted instructions that allowed it to contact the command and control server and let attackers know it has compromised its target.
While this level of infiltration might seem highly sophisticated, McAfee noted in its report that "this is not a new attack". Lau stated that "while this attack is indeed significant, it is one of many similar attacks taking place daily". In fact, Lau has raised the question of whether the hackers were really all that sophisticated to begin with.
"The attackers not only failed to secure their server properly, they had also installed various web traffic analysis tools on it too," he wrote. "For example, on one of the sites, we were able to see the statistics about computers contacting the command and control server to download command files."
For more on this story, read Shady RAT not so sophisticated: Symantec on ZDNet Australia.