McAfee published an interesting report yesterday about what they called Operation Shady RAT, focusing on a series of what some may call “advanced persistent threat” attacks. The attacks were dubbed in some quarters as “one of the largest series of cyber attacks ever.” While quite a bit of data was presented regarding the potential scale of these attacks, details on the threats and how the attacks were staged were somewhat limited.

Based on the information we managed to glean from the report and our own intelligence sources, we have identified the initial attack vectors, the threats used and how the attack was staged. In addition to all this, we have also uncovered what appears to be the same information source about the victims of the attacks that was used by McAfee as the basis of their report. This information is freely available on the attackers’ command and control site, which is a strange oversight considering this type of attack is often described as “advanced” or “sophisticated.”

The attack mainly comprises of three stages, which are detailed at the Symantec blog.