Security Through ObscurityHow Shady RAT Attacks Used Images to Plant Malicious Code
Take a look at these images. Would they entice you to click on them?
A number of people working at governments and businesses around the world found them inviting enough to do just that, allowing a Trojan that already infected their computers to connect to a remote IP address. This helped the attackers behind Shady RAT to stage comprehensive breaches into a number of organizations, according to IT security provider Symantec.
Shady RAT, in a paper issued earlier this month by competing IT security provider McAfee, is the name given to a 5-year-long hack of 49 entities, including the United States and other governments, mostly in Asia, and major global organizations and businesses in the defense, finance and high-tech sectors, among others (see Is China the Nation Behind Shady RAT?).
According to an official Symantec blog, written by company employee Hon Lau, the images hid coding to command the infected computer to link to the remote IP address:
"Upon closer inspection of the file and the Trojan code, we can see that there are commands hidden in the image using steganography. These commands are totally invisible to the human eye, since the bits representing the commands are mathematically built into the data representing the image."
Steganography comes from the Greek words meaning concealed writing. In a contemporary context, Massachusetts Institute of Technology computer science professor Ronald Rivest defines steganography as "the art of hiding a secret message within a larger one in such a way that the adversary can not discern the presence or contents of the hidden message. For example, a message might be hidden within a picture by changing the low-order pixel bits to be the message bits."
Unlike traditional cryptography and encryption, steganography does not attract attention to itself, avoiding suspicion.
In its blog, Symantec' Hon Lau said he didn't agree with a conventional observation that Shady RAT was an advanced persistent threat because of "the errors made in configuring the servers and the relatively non-sophisticated malware and techniques used in this case. Sure the people behind it are persistent but no more so than the myriad of other malware groups out there such as Zeus, Tidserv, and others like them."
An APT or not, Shady RAT is a reminder of the ingenious techniques such as steganography hackers employ to fool too many of us to harm our computers and threaten the networks we rely on every day.