Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

The Truth Behind the Shady RAT

Created: 04 Aug 2011 18:20:12 GMT • Updated: 23 Jan 2014 18:19:40 GMT • Translations available: 日本語
Hon Lau's picture
+11 11 Votes
Login to vote

McAfee published an interesting report yesterday about what they called Operation Shady RAT, focusing on a series of what some may call “advanced persistent threat” attacks. The attacks were dubbed in some quarters as “one of the largest series of cyber attacks ever.” While quite a bit of data was presented regarding the potential scale of these attacks, details on the threats and how the attacks were staged were somewhat limited.

Based on the information we managed to glean from the report and our own intelligence sources, we have identified the initial attack vectors, the threats used and how the attack was staged. In addition to all this, we have also uncovered what appears to be the same information source about the victims of the attacks that was used by McAfee as the basis of their report. This information is freely available on the attackers’ command and control site, which is a strange oversight considering this type of attack is often described as “advanced” or “sophisticated.”

Without further ado, let’s dig deeper into these attacks and see how they work from end-to-end. The attack mainly comprises of three stages, which are detailed below.

STAGE 1:
Target organizations are selected and then emails are created and sent to individuals within those organizations. The emails follow the typical targeted attack modus operandi—that is they contain some subject or topic that may be of interest to the recipient, such as rosters, contact lists, budgets, and so forth. The attached file contains the details promised in the email text, as part of a social engineering ploy. In our investigations we’ve uncovered many such emails covering a whole gamut of topics. These emails contain various attachments, typically Microsoft Office files such as Word documents, Excel spreadsheets, PowerPoint presentations, and PDF documents. These files are loaded with exploit code, so that when the user opens the file the exploit code is executed, resulting in the computer becoming compromised.

Example Attachment Names:

  • Participant_Contacts.xls
  • 2011 project budget.xls
  • Contact List -Update.xls
  • The budget justification.xls

In the Excel files, we have seen the old, but clearly still effective Microsoft Excel 'FEATHEADER' Record Remote Code Execution Vulnerability (detected by Bloodhound.Exploit.306) being exploited. Once the file is opened on an unpatched computer, a clean copy of an Excel file is dropped and opened so that the user is not suspicious. A Trojan is also dropped and executed. One possible tell-tale sign of this exploit is that Excel appears to hang for a short time before it resumes, and the application may even crash and restart.

STAGE 2:
Once the Trojan is installed, it will attempt to contact a remote site that is hardcoded into the Trojan itself. Some recently used examples include:

  • www.comto[REMOVED].com/wak/mansher0.gif
  • www.kay[REMOVED].net/images/btn_topsec.jpg
  • www.swim[REMOVED[.net/images/sleepyboo.jpg
  • www.comto[REMOVED].com/Tech/Lesson15.htm

The first thing you will notice is that the URLs are pointing at image and HTML files. At first glance, they don’t seem all that suspicious. This is an interesting ploy used by the attackers to hide the commands. Many firewalls are configured to allow image and HTML files to pass through HTTP traffic. Without close inspection, based on the context provided by the Trojan sample, these images and HTML files look totally legitimate.

Here are some examples of the images used to hide commands found on the command and control server.

Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography. These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image. 

In the versions of the Trojans that are downloading HTML files, the commands are hidden in HTML comments that look like gibberish, but are actually encrypted commands that are further converted into base-64 encoding.

While these commands are clearly visible to a user if they view the HTML code in a text editor, they look completely harmless, and indeed are harmless unless the file is parsed by the Trojan on a compromised computer. The commands may be one of the following:

run: {URL/FILENAME}
Downloads an executable to the %Temp% folder and then executes the new program.

sleep:{NUMBER}
Sleeps for a specified amount of time, in minutes.

{IP ADDRESS}:{PORT NUMBER}
Causes the Trojan to connect to a remote IP on the specified port. This command is really useful from the attacker’s point of view, since it opens a direct connection to the specified IP address through the specified port number.

Once the Trojan has opened the remote connection, after receiving the {IP ADDRESS}:{PORT} command, we are set for the next stage of the attack.

STAGE 3:
When the Trojan connects to a remote computer using the {IP ADDRESS}:{PORT} command, it establishes a remote shell with the computer. This enables the attacker at the remote site to directly issue shell commands to be run on the compromised computer. Of course all of this activity is invisible to the end user, since the shell is hidden and is a low-tech and lightweight way of accessing the computer.

When the Trojan connects to the remote IP on the specified port number, it waits to receive an "active" command. Once received, the back door sends the following string, which is a form of a handshake between the Trojan and the controller:

"/*\n
@***@*@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@@@@@@@@@@@@@@@@@@@@@@@@>>>>\*\n\r"

The Trojan then copies the file %System%\cmd.exe (a DOS shell) to %Temp%\svchost.exe and then uses the copied file to open a remote shell on the compromised computer.

Next, the Trojan periodically checks with the remote server for one of the following commands:

gf:{FILENAME} — Retrieves a file from the remote server.
pf:{FILENAME}  — Uploads a file to the remote server.
http:{URL}.exe  — Retrieves a file from a remote URL, beginning with http and ending in .exe. The remote file is downloaded and executed.
taxi: {COMMAND} — Sends a command from the remote server.
slp:{RESULT}  — Sends the results of the command executed above to the remote server to report the status.

This small collection of commands is enough for an attacker to stage a comprehensive breach into the affected organization. Any functions not available to the attacker in the Trojan itself can be easily downloaded onto the compromised computer and executed at will. Collected data is then simply uploaded back to the remote attacker using the pf command.

Victims of the attacks
As McAfee indicated, a significant number of organizations worldwide were affected by this particular series of attacks. Remember what was said earlier about victim information being freely available? Well it turned out that the attackers not only failed to secure their server properly, they had also installed various Web traffic analysis tools on it too, which is of course useful to the attackers to see how they are doing, but makes our lives easier too when investigating such attacks. For example, on one of the sites we were able to see the statistics about computers contacting the command and control server to download command files. Based on this information, we were also able to determine the organizations affected by this threat.

As already discussed in public domain, the victims ranged from government agencies to private companies. What‘s still unclear is the type of information the attackers were targeting. Due to the variety of organizations and individuals impacted, there is no clear motive. There has been some discussion of this being a government-sponsored attack. However, the finger can’t be pointed at any particular government. Not only are the victims located in various places around the globe, so too are the servers involved in these attacks.

Conclusions
While this attack is indeed significant, it is one of many similar attacks taking place daily. Even as we speak, there are other malware groups targeting many other organizations in a similar manner in order to gain entry and pilfer secrets. While there is a need for information, there will always be those ready to supply it. We may not always know the true motivations and identities of those behind these attacks, but we can work to exploit mistakes they make in order to get a better view of what they are doing and bring us one step closer to tracking them down.

Going back to my earlier question, is the attack described in Operation Shady RAT a truly advanced persistent threat? I would contend that it isn’t, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them.

Protection and mitigation
The following steps can help to protect against this and similar attacks:

Ensure antivirus is up-to-date and active
Symantec has detected many of the older versions of these threats as Backdoor.Trojan, Downloader, and Trojan Horse, but more recent samples (as of May 2011) have been grouped into the Trojan.Downbot family. Symantec reputation-based detection technologies are also able to proactively protect against many of the files used in these attacks.

Turn on IPS
In addition to standard antivirus detections, Symantec also has a number of IPS signatures that can help to prevent such attacks. Some are geared towards prevention of remote exploitation, back channel communications, and file downloads.

Use email filtering
Email filter services such as BrightMail or MessageLabs can help to filter out potential attacks before they can even begin.

Patch operating system and software
Many of these attacks often start with a file containing exploit code. In many cases the exploits are for vulnerabilities that are already patched. It is therefore wise to ensure that all software is up-to-date with security patches.

User awareness
In many cases the users can often be the weakest link. This is the reason why social engineering is a method of attack that is always used. Education and awareness programs will help to reduce but not remove the risk of attacks.

Thanks to Cathal Mullaney for his help analyzing Shady RAT.

Blog Entry Filed Under: