Attacks/Breaches
8/3/2011
07:16 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Separate APT research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks

BLACK HAT USA 2011 -- Las Vegas -- The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Click here for more of Dark Reading's Black Hat articles.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool's use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee gathered data (PDF) on the attacks after accessing one command-and-control (C&C) server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors, studied by researchers at Invincea and ThreatGrid, which used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event, was also part of Operation Shady RAT.

The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major Defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me, 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he says.

That error message inadvertently led him to HTran, a hacking tool written a decade ago by "Lion," a patriotic hacker from China. "It lets you bounce connections. Ten years later, they are using this tool to disguise the location of an APT botnet," Stewart says.

"Whoever was using the tool didn't realize fully how it works, with this error message being sent," he says. "So I got an interesting opportunity to get a big list of IP addresses associated with APTs -- how many are using this and how many hidden destinations."

Stewart was able to locate the actual C&C servers used by the attackers, and narrowed down the main hubs in Beijing and Shanghai. "They are coming back and conversing with just a few networks in China," he says.

And two of the APT malware families Stewart studied were used in the RSA breach in March, he says. All indications suggest the attacks originated in China. "This pretty much points to China," Stewart says. "They are trying to hide their tracks and conceal their location. But it all points back to the same places … But we don't know what that network represents: Is it dial-up? A VPN endpoint? A cloud attached to it? There's a cluster of activity trying to hide at this location."

Meanwhile, security experts who investigate these cyberespionage-driven attacks say McAfee's news of the Operation Shady RAT attacks is really nothing new. There are many such attacks under way in the federal government and private industry, most of which have not been publicized in order to gather more intelligence on the attackers -- and in some cases, to avoid any PR fallout for the victims.

"This is not new -- these types of attacks have been going on" for some time, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "There aren't many details" in the report, however, he notes.

But McAfee's revelation of the targeted attack campaign could impede other forensic investigations into the attacks, and possibly derail any inside track investigators might be holding, security experts say.

Richard Bejtlich, chief security officer and vice president of managed services for Mandiant, says the newly released information basically might have "burned a resource" on the attacks. "Some organizations have been working on these investigations since 2006," he says.

Even so, experts say that shedding the spotlight on the pervasiveness and intensity of the attacks is helpful. One challenge with any APT investigation is the ability to pinpoint exactly where one attack starts and another ends: Victims often find multiple attack groups have infiltrated them.

"Sometimes evidence points to one particular threat actor, but then maybe too much," Kaspersky's Schouwenberg says. Sometimes, attackers try to mimic one another to throw off investigators, he says. "They could be trying to incriminate another one. It gets very muddy very fast" with these attacks, he says.

Invincea's Ghosh says the good news is that McAfee did not reveal the C&C servers they captured, and that the report illuminates how cyberespionage is more than just a Defense industry problem.

"I think McAfee did the right thing in painting the broader strokes to this story -- that it isn't isolated to the Defense industry, and that in fact it hits horizontally across all major industries, even ones they didn't mention. They didn't reveal the command-and-control servers they ended up capturing, so I don't think there is risk of exposing an operation," Ghosh says. "However, it is time to put this information out to the public so people, and companies in particular, have a broader awareness of what is happening. They didn't reveal the sophistication of the methods, though they hinted at it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-5700
Published: 2014-09-22
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some o...

CVE-2014-0484
Published: 2014-09-22
The Debian acpi-support package before 0.140-5+deb7u3 allows local users to gain privileges via vectors related to the "user's environment."

CVE-2014-2942
Published: 2014-09-22
Cobham Aviator 700D and 700E satellite terminals use an improper algorithm for PIN codes, which makes it easier for attackers to obtain a privileged terminal session by calculating the superuser code, and then leveraging physical access or terminal access to enter this code.

CVE-2014-3595
Published: 2014-09-22
Cross-site scripting (XSS) vulnerability in spacewalk-java 1.2.39, 1.7.54, and 2.0.2 in Spacewalk and Red Hat Network (RHN) Satellite 5.4 through 5.6 allows remote attackers to inject arbitrary web script or HTML via a crafted request that is not properly handled when logging.

CVE-2014-3635
Published: 2014-09-22
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows remote attackers to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one m...

Best of the Web
Dark Reading Radio