Government // Cybersecurity | News | 8/4/2011 09:13 AM

Shady RAT Hid Behind Chinese Hacker Tool

Advanced persistent threat research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks.

Black Hat
The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, who has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks, recently discovered a pattern in which many of these attackers use this tool, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on HTran use today in APT malware, said the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

On Wednesday McAfee unmasked an APT-style attack campaign that has been running worldwide for five years and has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and other organizations in 14 countries. McAfee gathered data (PDF) on the attacks after gaining access to one C&C server and collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against defense contractors, studied by researchers at Invincea and ThreatGrid, was part of Operation Shady RAT. That attack used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who had attended a recent Intelligence Advanced Research Projects Activity (IARPA) event.

The embedded URL, which used a legitimate-looking domain, served a ZIP archive containing the attendee roster, complete with the names of directors, presidents, and CEOs at major defense and intelligence companies. The file that looks like an XLS spreadsheet is actually an executable; it extracts another custom program, an HTTP client that beacons out to the command-and-control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable was a remote C&C Trojan hosted on a website. It gives the attackers full control of the victim's machine and of its Internet settings in the registry, and it can update the root certificate list, which could be used to enable SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware while studying the malware's traffic patterns. "I found one error message return from a controller ... telling me 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he said.
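The disclosure Stewart describes, a relay that answers with an error naming the real controller, is something a defender can mine from captured beacon replies. The following is an added example, not code from the article or from SecureWorks; the article does not quote the exact error string, so the `[SERVER]connection to host:port error` format, the function names and the sample replies are all assumptions constructed here.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumed relay-error format (the article does not quote it): the bouncer
# reports that it could not reach its upstream and names the real controller.
RELAY_ERROR = re.compile(
    r"\[SERVER\]connection to (?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5}) error"
)


def extract_upstream(reply: bytes) -> Optional[Tuple[str, int]]:
    """Return the (host, port) a relay error reply discloses, or None."""
    m = RELAY_ERROR.search(reply.decode("latin-1", errors="replace"))
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None  # malformed port, treat as no disclosure
    return m.group("host"), port


def is_internal(host: str) -> bool:
    """True when the disclosed host is a private/loopback IP (relay sits inside a network)."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an IP literal


def triage(replies: List[bytes]) -> Dict[Tuple[str, int], int]:
    """Count how often each disclosed upstream appears, for blocklisting and alerting."""
    found: Dict[Tuple[str, int], int] = {}
    for r in replies:
        hit = extract_upstream(r)
        if hit:
            found[hit] = found.get(hit, 0) + 1
    return found


# Constructed sample replies from a beacon's first contacts with suspected relays.
SAMPLE_REPLIES = [
    b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    b"[SERVER]connection to 203.0.113.5:443 error\r\n",
    b"[SERVER]connection to 203.0.113.5:443 error\r\n",
    b"[SERVER]connection to 10.0.0.9:8080 error\r\n",
    b"garbage\x00\xff",
]

if __name__ == "__main__":
    for (host, port), n in triage(SAMPLE_REPLIES).items():
        scope = "internal" if is_internal(host) else "external"
        print(f"relay disclosed upstream {host}:{port} ({scope}) seen {n}x")
```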

Read the rest of this article on Dark Reading.
