Shady RAT Hid Behind Chinese Hacker Tool - InformationWeek
8/4/2011 09:13 AM


Advanced persistent threat research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks.

Black Hat
The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Joe Stewart, director of malware research for Dell SecureWorks' Counter Threat Unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage campaigns. He recently noticed a pattern: many of these attackers use the same tool, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published his research on HTran use in APT malware today, said the Operation Shady RAT attackers are among those who rely on the tool for camouflage.

On Wednesday McAfee unmasked an APT-style campaign that has been running worldwide for five years and has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and other organizations in 14 countries. McAfee gathered its data (PDF) on the attacks after gaining access to one of the attackers' command-and-control (C&C) servers and collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against defense contractors, studied by researchers at Invincea and ThreatGrid, was part of Operation Shady RAT. That attack used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who had attended a recent Intelligence Advanced Research Projects Activity (IARPA) event.

The embedded URL, which used a legitimate-looking domain, led to a ZIP archive that purported to contain the attendee roster, complete with the names of directors, presidents, and CEOs at major defense and intelligence companies. The file that looked like an XLS spreadsheet was actually an executable; it extracted a second, custom program, an HTTP client that beacons out to the command-and-control server, according to Anup Ghosh, founder and CEO of Invincea.

That executable was a remote-access Trojan hosted on a website. It gives the attackers full control of the victim's machine, alters the machine's Internet settings in the registry, and can update the root certificate list, which could be used to mount SSL man-in-the-middle attacks.
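The lure described above works because the archive member is named like a spreadsheet but carries a PE header. The following added example (written for this page, not Invincea's or ThreatGrid's code, and run against a constructed sample archive rather than the real Shady RAT lure) inspects every member of a ZIP and compares the first bytes against the claimed extension, flagging PE images that pose as documents and double-extension names such as roster.xls.exe. The member names and contents are constructed for illustration.

```python
import io
import zipfile

# A PE executable starts with "MZ"; a legacy binary Office document (.xls, .doc,
# .ppt) starts with the OLE compound-file signature. Comparing the bytes with the
# claimed extension catches a lure that is named like a spreadsheet but runs as code.
PE_MAGIC = b"MZ"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
EXEC_EXTENSIONS = (".exe", ".dll", ".scr", ".com", ".pif")
OLE_EXTENSIONS = (".xls", ".doc", ".ppt")


def classify_member(name, head):
    """Return a verdict for one archive member from its name and first bytes."""
    lower = name.lower()
    if head.startswith(PE_MAGIC):
        if lower.endswith(EXEC_EXTENSIONS):
            # "roster.xls.exe" admits to being a PE but still imitates a document.
            stem = lower.rsplit(".", 1)[0]
            if stem.endswith(OLE_EXTENSIONS):
                return "double-extension-executable"
            return "executable"
        return "masquerading-executable"
    if head.startswith(OLE_MAGIC):
        if lower.endswith(OLE_EXTENSIONS):
            return "ole-document"
        return "ole-document-odd-extension"
    return "other"


def scan_zip_bytes(data):
    """Inspect every file in an in-memory ZIP and return [(name, verdict), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header prefix is needed for the check
            findings.append((info.filename, classify_member(info.filename, head)))
    return findings


def masquerading_members(data):
    """Names of members that look like documents but carry a PE header."""
    return [name for name, verdict in scan_zip_bytes(data)
            if verdict == "masquerading-executable"]


def build_sample_zip():
    """Constructed sample archive (not the real Shady RAT lure): a 'roster' that is
    really a PE stub, a genuine OLE document, and a plain text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("attendee_roster.xls", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.xls", OLE_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip_bytes(build_sample_zip()):
        print(f"{verdict:28} {name}")
```

Reading only the first eight bytes keeps the scan cheap enough to run on every inbound archive at a mail gateway; the magic-byte test is deliberately independent of the extension so that a renamed PE image is caught regardless of what the attacker calls it.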

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he said.
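The error message Stewart describes is the relay's own admission that it is a hop, not the controller. The following added example (written for this page, not SecureWorks' tooling) scans captured server-to-client payloads for that message and builds a relay-to-real-C&C map. The exact text of the message is an assumption taken from HTran's publicly circulated source ("[SERVER]connection to host:port error") rather than from the article, so confirm it against your own samples before turning it into a production rule. The flows are constructed sample traffic using TEST-NET addresses.

```python
import re
from collections import defaultdict

# HTran's relay mode, when it cannot reach the destination it was told to forward
# to, writes a plain-text error back to the connecting client. The format below is
# an assumption based on the tool's publicly circulated source; confirm it against
# real captures before relying on the rule.
HTRAN_ERROR = re.compile(
    rb"\[SERVER\]connection to (?P<host>[A-Za-z0-9.\-]+):(?P<port>\d{1,5}) error"
)


def extract_real_c2(payload):
    """Return (host, port) named in an HTran relay error, or None if absent."""
    m = HTRAN_ERROR.search(payload)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None  # five digits matched but not a valid TCP port
    return m.group("host").decode("ascii"), port


def map_relays(flows):
    """flows: iterable of (client, relay, server_payload) tuples, one per
    server-to-client response. Returns {relay: {(host, port), ...}} so the
    analyst can see which upstream controller each relay was forwarding to."""
    mapping = defaultdict(set)
    for _client, relay, payload in flows:
        hit = extract_real_c2(payload)
        if hit is not None:
            mapping[relay].add(hit)
    return dict(mapping)


# Constructed sample traffic (TEST-NET addresses, not real infrastructure):
# three relay replies that leak the upstream controller and one ordinary HTTP reply.
SAMPLE_FLOWS = [
    ("10.0.0.12", "198.51.100.7", b"[SERVER]connection to 203.0.113.5:443 error\r\n"),
    ("10.0.0.31", "198.51.100.7", b"[SERVER]connection to 203.0.113.5:443 error\r\n"),
    ("10.0.0.12", "198.51.100.9", b"[SERVER]connection to 203.0.113.77:8080 error\r\n"),
    ("10.0.0.12", "192.0.2.50", b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for relay, targets in map_relays(SAMPLE_FLOWS).items():
        for host, port in sorted(targets):
            print(f"relay {relay} -> real C&C {host}:{port}")
```

The message only appears when the upstream controller is down or unreachable, so the detector is opportunistic: it will not fire on a healthy relay, but every hit it does produce points past the hop to the address the attackers were trying to hide.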

Read the rest of this article on Dark Reading.

