Shady Rat

By GoldSparrow in Remote Administration Tools

Threat Scorecard

Threat Level: 10 % (Normal)
Infected Computers: 1
First Seen: April 11, 2014
Last Seen: February 13, 2021
OS(es) Affected: Windows

The Shady Rat is a threat campaign that ranks among the largest sustained attack campaigns in recent history. The Shady Rat attacks are comprised of three main stages. The aim of the Shady Rat attacks is to compromise targeted computers and profit by collecting data or by using the infected computers as part of other threatening activities.

The First Stage of the Shady Rat Attacks

In the first stage of the Shady Rat, targeted organizations are chosen. Then, email messages are crafted for specific individuals in these organizations and sent to them. These email messages try to trick the victim into opening an attached file or clicking on an embedded link. The attachments are often bogus DOC, XLS or PDF documents that carry exploit code. When the attached file is opened, the exploit installs a Trojan on the victim's computer.

Stage Two of the Shady Rat

After the Shady Rat Trojan is installed, it makes contact with a remote server whose address is coded directly into the Trojan. The Trojan then tries to retrieve an image file from that server. This is a defining characteristic of the Shady Rat and other recent threat attacks: they hide their threatening code and commands in image and HTML files, which may pass through certain content filters. The commands are concealed with the ancient technique of steganography, in which data is hidden inside the image in a way that is invisible to the eye.
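As an added defender-side example, not code from the original page: a triage check for the crudest form of image-borne payloads, data appended after the image's own end marker (PNG IEND chunk or JPEG EOI). Genuine steganography of the kind described above leaves the container structurally intact and needs pixel-level statistics, so this only filters the simplest cases; the sample images and the appended string are constructed for the demonstration.

```python
import math
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(blob):
    """Walk the chunk list and return the offset just past IEND (None if malformed)."""
    if not blob.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return pos
    return None

def jpeg_end_offset(blob):
    """Offset just past the first EOI marker. Heuristic: an embedded EXIF thumbnail carries its own EOI."""
    if not blob.startswith(b"\xff\xd8"):
        return None
    i = blob.find(b"\xff\xd9")
    return None if i < 0 else i + 2

def trailing_data(blob):
    """Bytes that follow the image's own end marker; a well-formed image has none."""
    end = png_end_offset(blob) if blob.startswith(PNG_SIG) else jpeg_end_offset(blob)
    return b"" if end is None else blob[end:]

def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def assess(blob):
    """Summarise trailing data; high entropy in the tail suggests an encrypted or compressed payload."""
    tail = trailing_data(blob)
    return {"trailing_bytes": len(tail), "trailing_entropy": round(shannon_entropy(tail), 2),
            "suspicious": len(tail) > 0}

def png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

# Constructed 1x1 RGB PNG and minimal JPEG used as samples; the appended string is a made-up payload.
CLEAN_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + png_chunk(b"IEND", b""))
STUFFED_PNG = CLEAN_PNG + b"cmd:collect;upload"
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + b"\xff\xd9"
```

Run `assess()` over image files fetched by endpoints or proxies and alert on any non-empty tail; a stuffed file reports `trailing_bytes` greater than zero.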

The Last Stage of the Shady Rat

In the third stage of the Shady Rat attack, the Shady Rat allows the hacker at the remote computer to operate the infected computer over the remote connection. Using the Shady Rat, third parties may collect data, track activity on the infected computer, harvest its contents or operate it from a remote location. Through the infected computer, third parties may use the Shady Rat to breach the organization targeted in stage one of the attack. Some security researchers have suggested that the Shady Rat attacks may be government-sponsored because of the type of targets, although this has not been confirmed.


Shady Rat may call the following URLs: