Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:16 PM
Connect Directly

APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Separate APT research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks

BLACK HAT USA 2011 -- Las Vegas -- The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Click here for more of Dark Reading's Black Hat articles.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool's use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee gathered data (PDF) on the attacks after accessing one command-and-control (C&C) server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors, studied by researchers at Invincea and ThreatGrid, which used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event, was also part of Operation Shady RAT.

The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major Defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me, 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he says.

That error message inadvertently led him to HTran, a hacking tool written a decade ago by "Lion," a patriotic hacker from China. "It lets you bounce connections. Ten years later, they are using this tool to disguise the location of an APT botnet," Stewart says.

"Whoever was using the tool didn't realize fully how it works, with this error message being sent," he says. "So I got an interesting opportunity to get a big list of IP addresses associated with APTs -- how many are using this and how many hidden destinations."

Stewart was able to locate the actual C&C servers used by the attackers, and narrowed down the main hubs in Beijing and Shanghai. "They are coming back and conversing with just a few networks in China," he says.

And two of the APT malware families Stewart studied were used in the RSA breach in March, he says. All indications suggest the attacks originated in China. "This pretty much points to China," Stewart says. "They are trying to hide their tracks and conceal their location. But it all points back to the same places … But we don't know what that network represents: Is it dial-up? A VPN endpoint? A cloud attached to it? There's a cluster of activity trying to hide at this location."

Meanwhile, security experts who investigate these cyberespionage-driven attacks say McAfee's news of the Operation Shady RAT attacks is really nothing new. There are many such attacks under way in the federal government and private industry, most of which have not been publicized in order to gather more intelligence on the attackers -- and in some cases, to avoid any PR fallout for the victims.

"This is not new -- these types of attacks have been going on" for some time, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "There aren't many details" in the report, however, he notes.

But McAfee's revelation of the targeted attack campaign could impede other forensic investigations into the attacks, and possibly derail any inside track investigators might be holding, security experts say.

Richard Bejtlich, chief security officer and vice president of managed services for Mandiant, says the newly released information basically might have "burned a resource" on the attacks. "Some organizations have been working on these investigations since 2006," he says.

Even so, experts say that shedding the spotlight on the pervasiveness and intensity of the attacks is helpful. One challenge with any APT investigation is the ability to pinpoint exactly where one attack starts and another ends: Victims often find multiple attack groups have infiltrated them.

"Sometimes evidence points to one particular threat actor, but then maybe too much," Kaspersky's Schouwenberg says. Sometimes, attackers try to mimic one another to throw off investigators, he says. "They could be trying to incriminate another one. It gets very muddy very fast" with these attacks, he says.

Invincea's Ghosh says the good news is that McAfee did not reveal the C&C servers they captured, and that the report illuminates how cyberespionage is more than just a Defense industry problem.

"I think McAfee did the right thing in painting the broader strokes to this story -- that it isn't isolated to the Defense industry, and that in fact it hits horizontally across all major industries, even ones they didn't mention. They didn't reveal the command-and-control servers they ended up capturing, so I don't think there is risk of exposing an operation," Ghosh says. "However, it is time to put this information out to the public so people, and companies in particular, have a broader awareness of what is happening. They didn't reveal the sophistication of the methods, though they hinted at it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/4/2020
Data Loss Spikes Under COVID-19 Lockdowns
Seth Rosenblatt, Contributing Writer,  5/28/2020
Abandoned Apps May Pose Security Risk to Mobile Devices
Robert Lemos, Contributing Writer,  5/29/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-06-04
ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attac...
PUBLISHED: 2020-06-04
In Zoho ManageEngine OpManager before 125144, when <cachestart> is used, directory traversal validation can be bypassed.
PUBLISHED: 2020-06-04
An improper neutralization of input vulnerability in the Admin Profile of FortiAnalyzer may allow a remote authenticated attacker to perform a stored cross site scripting attack (XSS) via the Description Area.
PUBLISHED: 2020-06-04
An unquoted service path vulnerability in the FortiSIEM Windows Agent component may allow an attacker to gain elevated privileges via the AoWinAgt executable service path.
PUBLISHED: 2020-06-04
Use of a hard-coded cryptographic key to encrypt security sensitive data in local storage and configuration in FortiClient for Windows prior to 6.4.0 may allow an attacker with access to the local storage or the configuration backup file to decrypt the sensitive data via knowledge of the hard-coded ...