Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:56 PM

Shady RAT No China Smoking Gun

Kudos to McAfee for discovering attacks that go undiscovered too often, but questions about attack severity, sophistication, or nation-state backing remain.

Is Shady RAT one of the "the biggest series of cyberattacks in history," as some media outlets have claimed?

McAfee's revelation of the long-running attacks, which have operated on the sly since at least 2006 and compromised more than 70 organizations, was timed to coincide with the publication last week of a related expose in Vanity Fair, as well as the start of the annual Black Hat security conference. McAfee's security researchers have been investigating the attacks-which they dubbed Shady RAT for their use of stealthy remote access tools-for some time.

While the tools used in such attacks can steal information, such attacks apparently exist in relatively low volumes, at least compared with the flood of spam, phishing attacks, and generic malware businesses see daily. But that low volume also makes RAT-style attacks difficult to detect when they do get launched.

If this low volume and persistence sound familiar, that's because it recalls the modus operandi for an advanced persistent threat. Of course, APT is a fuzzy concept. As McAfee's own report on Shady RAT notes, "this term lately lost much of its original meaning due to overzealous marketing tactics of various security companies, as well as to the desire by many victims to call anything they discover being successful at compromising their organizations as having been an APT." (Reference: RSA SecurID breach.) Generally, however, security experts define an APT as a threat involving attackers who can launch multiple exploits, advancing the underlying functionality along the way, to steal non-financial information of value, often operating without being detected.

The interesting APT-related angle to Shady RAT is that the attackers failed to update their Trojan software attack functionality for more than a year and failed to encrypt the server used to control the Trojans (often used by Chinese attackers). As a result, they left a trail that McAfee's researchers ultimately spotted and traced to the command-and-control server. The attackers had already installed Web traffic analysis tools on the server, further aiding researchers.

But simply discovering that server was somewhat unusual. "It was great that McAfee was able to get access to this data and show how it works," Joe Stewart, director of malware research for Dell SecureWorks, told me last week at Black Hat.

Some security researchers, however, dispute that Shady RAT would even qualify as an APT. "I would contend that it isn't, especially when you consider the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case," said Symantec researcher Hon Lau in a blog post. "Sure, the people behind it are persistent, but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."

While McAfee's discovery of the mechanics behind the Shady RAT attacks was new, the existence of the group was already known. Stewart said it's often referred to as the "Comment Crew," for using HTML comments as a mechanism for communicating with the botnet command-and-control servers the group operates. "They've got lots of infrastructure behind it, stuff we'll never get access to," he said. But the group has left tracks before. "One of the malware families belonging to this group is one that we saw using HTran, and sending its data back to China," Stewart said.

As a result of that traffic flow, security experts suspect the Comment Crew is operating from China. McAfee, while saying that it saw a solo "state actor" behind the attacks, stopped short of pointing fingers. Likewise, Alex Gostev, chief security expert for Kaspersky Lab, said that without hard evidence, people should beware jumping to conclusions about who's behind this attack, especially when it comes to the motives of criminal organizations.

For starters, Gostev said, the circumstances surrounding Shady RAT's discovery make the suggestion of state-sponsored hacking tenuous. "A situation in which a complicated and large-scale corporate espionage operation has alleged to have been undertaken for years but whose sophisticated organizers do not clean up their server access logs after them--this is something that can certainly be described as unusual," he said.

Furthermore, when it comes to how Shady RAT was used, McAfee has assumed--based on logs of connections between Web servers--that large organizations were spied on. But the report doesn't identity data that might have been stolen, or which specific Trojan applications were used, which makes it unclear what type of damage Shady RAT may even have caused, Gostev said.

"Until the information in the McAfee report is backed up by evidence, to talk about the biggest cyberattack in history is premature," he said. "Until then, we will consider it an original way of approaching the start of the annual Black Hat conference in Las Vegas."

The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Google Lets iPhone Users Turn Device into Security Key
Kelly Sheridan, Staff Editor, Dark Reading,  1/15/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-22
Multiple Cross-site Scripting (XSS) vulnerabilities exist in Joomla! through 1.7.0 in index.php in the search word, extension, asset, and author parameters.
PUBLISHED: 2020-01-22
A Cross-site Scripting (XSS) vulnerability exists in the Serendipity freetag plugin before 3.30 in the tagcloud parameter to plugins/serendipity_event_freetag/tagcloud.swf.
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.
PUBLISHED: 2020-01-22
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2019. Notes: none.