IoT
Government // Cybersecurity
News
8/4/2011
09:13 AM
50%
50%
RELATED EVENTS
The Analytics Job and Salary Outlook for 2016
Jan 28, 2016
With data science and big data top-of-mind for all types of organizations, hiring analytics profes ...Read More>>Building an IT Security Awareness Program That Really Works
Feb 03, 2016
Most enterprises do some form of IT security awareness training for their end users but not all of ...Read More>>See How Analytics Drive Change in the Retail World
Jan 07, 2016
On Thursday, January 7, at 2 pm EST, Brian Kilcourse of Retail Systems Research joins All Analytic ...Read More>>

Shady RAT Hid Behind Chinese Hacker Tool

Advanced persistent threat research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks.

Black Hat
The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, who has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks, recently discovered a pattern in which many of these attackers use this tool, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on HTran use today in APT malware, said the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee Wednesday unmasked an APT-type attack campaign that has been ongoing worldwide for five years that has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee McAfee gathered data (PDF) on the attacks after accessing one C&C server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors studied by researchers at Invincea and ThreatGrid that used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event was also part of Operation Shady RAT.

The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he said.

Read the rest of this article on Dark Reading.

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
How to Knock Down Barriers to Effective Risk Management
Risk management today is a hodgepodge of systems, siloed approaches, and poor data collection practices. That isn't how it should be.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.