8/3/2011 07:16 PM

APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Separate APT research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks

BLACK HAT USA 2011 -- Las Vegas -- The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool's use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee gathered data (PDF) on the attacks after accessing one command-and-control (C&C) server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors, studied by researchers at Invincea and ThreatGrid, was part of Operation Shady RAT as well. That attack used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who had attended a recent Intelligence Advanced Research Projects Activity (IARPA) event.

The embedded URL, which used a legitimate-looking domain, led to a ZIP archive containing the attendee roster, complete with names of directors, presidents, and CEOs at major Defense and intelligence companies. The file that appeared to be an XLS spreadsheet was actually an executable; it extracted a second custom program, an HTTP client that beacons out to the command-and-control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable was a remote C&C Trojan hosted on a website. It gives the attackers full control of the victim's machine and of its Internet settings in the registry, and it is able to update the root certificate list, which could be used to enable SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me, 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he says.

That error message inadvertently led him to HTran, a hacking tool written a decade ago by "Lion," a patriotic hacker from China. "It lets you bounce connections. Ten years later, they are using this tool to disguise the location of an APT botnet," Stewart says.

"Whoever was using the tool didn't realize fully how it works, with this error message being sent," he says. "So I got an interesting opportunity to get a big list of IP addresses associated with APTs -- how many are using this and how many hidden destinations."

Stewart was able to locate the actual C&C servers used by the attackers, and narrowed down the main hubs in Beijing and Shanghai. "They are coming back and conversing with just a few networks in China," he says.

And two of the APT malware families Stewart studied were used in the RSA breach in March, he says. All indications suggest the attacks originated in China. "This pretty much points to China," Stewart says. "They are trying to hide their tracks and conceal their location. But it all points back to the same places … But we don't know what that network represents: Is it dial-up? A VPN endpoint? A cloud attached to it? There's a cluster of activity trying to hide at this location."

Meanwhile, security experts who investigate these cyberespionage-driven attacks say McAfee's news of the Operation Shady RAT attacks is really nothing new. There are many such attacks under way in the federal government and private industry, most of which have not been publicized in order to gather more intelligence on the attackers -- and in some cases, to avoid any PR fallout for the victims.

"This is not new -- these types of attacks have been going on" for some time, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "There aren't many details" in the report, however, he notes.

But McAfee's revelation of the targeted attack campaign could impede other forensic investigations into the attacks, and possibly derail any inside track investigators might be holding, security experts say.

Richard Bejtlich, chief security officer and vice president of managed services for Mandiant, says the newly released information basically might have "burned a resource" on the attacks. "Some organizations have been working on these investigations since 2006," he says.

Even so, experts say that shining a spotlight on the pervasiveness and intensity of the attacks is helpful. One challenge with any APT investigation is pinpointing exactly where one attack starts and another ends: Victims often find that multiple attack groups have infiltrated them.

"Sometimes evidence points to one particular threat actor, but then maybe too much," Kaspersky's Schouwenberg says. Sometimes, attackers try to mimic one another to throw off investigators, he says. "They could be trying to incriminate another one. It gets very muddy very fast" with these attacks, he says.

Invincea's Ghosh says the good news is that McAfee did not reveal the C&C servers they captured, and that the report illuminates how cyberespionage is more than just a Defense industry problem.

"I think McAfee did the right thing in painting the broader strokes to this story -- that it isn't isolated to the Defense industry, and that in fact it hits horizontally across all major industries, even ones they didn't mention. They didn't reveal the command-and-control servers they ended up capturing, so I don't think there is risk of exposing an operation," Ghosh says. "However, it is time to put this information out to the public so people, and companies in particular, have a broader awareness of what is happening. They didn't reveal the sophistication of the methods, though they hinted at it."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...