Symantec digs into Shady RAT attack emails

Security company Symantec has analysed the attack vectors and methods of the cyberattacks that targeted governments and organisations around the world

A long-running series of cyberattacks against 72 organisations has been dissected by security company Symantec.

The cyberattacks, which were publicised as Operation Shady RAT by McAfee on Wednesday, typically used targeted emails with Microsoft Office attachments, Symantec researcher Hon Lau said in a blog post on Friday.

"Based on the information we managed to glean from the report and our own intelligence sources, we have identified the initial attack vectors, the threats used and how the attack was staged," said Hon.

Attack emails, which were specifically tailored for certain individuals, contained attachments "loaded with malware", said Hon. The emails had subjects that would be interesting to the individuals, such as rosters, budgets and contact lists.

Symantec gleaned Shady RAT attack emails from its intelligence network as late as August, indicating the attack is ongoing, Orla Cox, senior security operations manager of Symantec Security Response, told ZDNet UK on Friday.

"The people behind [the attacks] are still active," said Cox. "I don't think it'll stop any time soon."

Trojan download

The most recent emails were sent out with Excel attachments, and contained the Microsoft Excel 'featheader' record remote code execution vulnerability discovered in 2009. When the file was opened on an unpatched computer, it displayed a clean Excel spreadsheet while executing a Trojan downloader.

Once the Trojan was installed, it connected to remote sites hardcoded into the Trojan. The sites hosted image files that contained commands hidden using a cryptographic technique called steganography. As the images appeared innocuous, they could pass through intermediate security systems such as firewalls and deep-packet inspection without triggering an alarm or being blocked.

The individual components of the attack are not so complex, but to put them together and execute them shows some level of planning.

– Orla Cox, Symantec

The commands could download an executable program, put the computer offline from the command and control server, or cause the Trojan to connect to a remote IP address on a specific port.

When the Trojan connected to a remote computer, the hacker could then establish a remote shell to directly control the infected computer from a distance. With this access, the hackers could steal files, and use the computer as a jumping-off point to infect other computers on the network.

"The individual components of the attack are not so complex, but to put them together and execute them shows some level of planning," said Cox.

A number of organisations, including GCHQ, have warned organisations to patch their computers in the wake of the attacks, which affected organisations such as the UN and various government agencies around the world. Canada has said it will streamline its services following the attacks.

A number of reports linked the attacks to China. The official Chinese Communist Party publication People's Daily responded on Friday, labelling the claims that China was involved "irresponsible".

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.


You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
See All
See All