The Shady RAT cyberattack

At the beginning of last August, McAfee released on its blog a report regarding a massive cyberattack targeting governmental and private organisations, named "Shady RAT". This attack would have lasted several years (5 or 6 years) and would have impacted some 72 organisations worldwide. According to McAfee, Shady RAT would be an APT attack (Avanced Persistent Threat) as important as those that broke the news in the last few months (Aurora, Stuxnet, Night Dragon, etc…).

The Cert-IST decided to give you a look at this attack to clarify its exact nature.

Shady RAT mechanism

In a first time, Shady RAT selects a list of target organisations and sends e-mails to individuals within these organisations. It follows here the usual tactic: a malicious attachment to an e-mail (Office or PDF documents), that once opened, downloads and executes the malicious code (Trojan), allowing to compromise the victim’s system.

In a second time, the Trojan tries to contact a remote site (hardcoded in its code) and then secretly talks with it by sending back and forth hidden messages embedded into regular images or HTML pages. For example, the messages are hidden using steganography techniques in image files (they are invisible to the victim viewing these pictures), or stored in encrypted form into the comments of an HTML web page.

The third and last stage enables the Trojan to open a remote shell on the victim’s system, thus allowing the attacker to execute arbitrary shell commands on this system. The data gathered by the attacker are then sent to the attacker remote server.

Discussions around Shady RAT

According to several sources (mainly Kaspersky and Symantec), the McAfee report would have been a bit too excessive and Shady RAT would not be as sophisticated as McAfee depicted it. Shady RAT would actually use pretty rudimentary mechanisms, that even have severe loopholes. Furthermore, the malware on which relies Shady RAT are, according to Kaspersky, easily detectable by antivirus solutions.

For McAfee, the important thing is not to know if the tool is more or less sophisticated. For the editor, what is worth remaining on Shady RAT, is that it was able to steal data from a large number of organisations, that it lasted several years, whatever its technical level was.

Although McAfee does not mention it in its report, some sources indicate that the HTran (HUC Transmit Packet) tool has been found on some of the computers infected by Shady RAT. HTran is a proxy (also called "bouncer" or "port forwarder") that allows to redirect the TCP traffic received by a machine to another machine and to conceal the true origin of this traffic. HTran was developed a decade ago by a group of Chinese hackers. The Chinese origin of HTran is one of several clues that suggest to some that Shady RAT would have been created by Chinese.

Shady RAT Predecessors/successors

Recently, many cyberattacks targeted big companies:

Aurora (January 2010): Chinese cyberattack using a flaw in Internet Explorer to conduct attacks towards Google principally, but also other organisations.

Stuxnet (June 2010): Sophisticated cyberattack that targeted SCADA industrial systems. Stuxnet propagated via USB keys and used multiple 0-day vulnerabilities in Windows.

Night Dragon (February 2011): Chinese cyberattack that targeted various companies in the energy and oil industries. It would have used various attack vectors (social engineering, phishing, exploitation of Windows flaws or compromising of Active Directories).

RSA (March 2011): Cyberattack that stole information related to the "SecurID" authentication solution. It relies on an Excel file embedding a malicious Flash content that uses a 0-day vulnerability to infect users’ systems. This attack uses HTran, as well as the Remote Administration Tool named Poison Ivy.

Nitro (October 2011): Cyberattack targeting big names of the chemical industry. It sends malicious e-mails in order to install Poison Ivy on the victims’ systems.

Recommendations and conclusions

As announced in this bulletin Headlines, fight against cyber-infiltration attacks is far from being an easy task and there is no ready to use solution for it. To mitigate that threat it is necessary to set up a set of measures to stop, or at least slow down, the hackers in their espionage activities.

The following recommendations are worth mentioning:

• keep systems up to date (security patches, antivirus solutions)
• use intrusion prevention systems
• develop user awareness
• set up e-mail filtering mechanisms
• monitor and analyse any abnormality

As a conclusion, we will remain that Shady RAT caused first a media hype when McAfee released its report, and later a polemic among the various editors regarding its sophistication level. It is nevertheless on the list of the APT attacks that we witnessed since almost two years now and for which any organisation dealing with sensitive data must be prepared.

For more information:

Mac Afee White Paper "Revealed: Operation Shady RAT": http://www.mcafee.com/us/resources/white-papers/wp-operation-shady-rat.pdf
Symantec blog, dated August 4, 2011: http://www.symantec.com/connect/fr/blogs/truth-behind-shady-rat?API1=100&API2=4165004
Clubic article, dated August 19, 2011: http://www.clubic.com/antivirus-securite-informatique/virus-hacker-piratage/piratage-informatique/actualite-441418-eugene-kaspersky-juge-rapport-shady-rat-mcafee-infonde.html
The Inquirer article "Security Industry is divided over Shady RAT" dated August 18, 2011: http://www.theinquirer.net/inquirer/news/2102780/security-industry-divided-shady-rat