Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:16 PM
Connect Directly

APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Separate APT research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks

BLACK HAT USA 2011 -- Las Vegas -- The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Click here for more of Dark Reading's Black Hat articles.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool's use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee gathered data (PDF) on the attacks after accessing one command-and-control (C&C) server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors, studied by researchers at Invincea and ThreatGrid, which used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event, was also part of Operation Shady RAT.

The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major Defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me, 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he says.

That error message inadvertently led him to HTran, a hacking tool written a decade ago by "Lion," a patriotic hacker from China. "It lets you bounce connections. Ten years later, they are using this tool to disguise the location of an APT botnet," Stewart says.

"Whoever was using the tool didn't realize fully how it works, with this error message being sent," he says. "So I got an interesting opportunity to get a big list of IP addresses associated with APTs -- how many are using this and how many hidden destinations."

Stewart was able to locate the actual C&C servers used by the attackers, and narrowed down the main hubs in Beijing and Shanghai. "They are coming back and conversing with just a few networks in China," he says.

And two of the APT malware families Stewart studied were used in the RSA breach in March, he says. All indications suggest the attacks originated in China. "This pretty much points to China," Stewart says. "They are trying to hide their tracks and conceal their location. But it all points back to the same places … But we don't know what that network represents: Is it dial-up? A VPN endpoint? A cloud attached to it? There's a cluster of activity trying to hide at this location."

Meanwhile, security experts who investigate these cyberespionage-driven attacks say McAfee's news of the Operation Shady RAT attacks is really nothing new. There are many such attacks under way in the federal government and private industry, most of which have not been publicized in order to gather more intelligence on the attackers -- and in some cases, to avoid any PR fallout for the victims.

"This is not new -- these types of attacks have been going on" for some time, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "There aren't many details" in the report, however, he notes.

But McAfee's revelation of the targeted attack campaign could impede other forensic investigations into the attacks, and possibly derail any inside track investigators might be holding, security experts say.

Richard Bejtlich, chief security officer and vice president of managed services for Mandiant, says the newly released information basically might have "burned a resource" on the attacks. "Some organizations have been working on these investigations since 2006," he says.

Even so, experts say that shedding the spotlight on the pervasiveness and intensity of the attacks is helpful. One challenge with any APT investigation is the ability to pinpoint exactly where one attack starts and another ends: Victims often find multiple attack groups have infiltrated them.

"Sometimes evidence points to one particular threat actor, but then maybe too much," Kaspersky's Schouwenberg says. Sometimes, attackers try to mimic one another to throw off investigators, he says. "They could be trying to incriminate another one. It gets very muddy very fast" with these attacks, he says.

Invincea's Ghosh says the good news is that McAfee did not reveal the C&C servers they captured, and that the report illuminates how cyberespionage is more than just a Defense industry problem.

"I think McAfee did the right thing in painting the broader strokes to this story -- that it isn't isolated to the Defense industry, and that in fact it hits horizontally across all major industries, even ones they didn't mention. They didn't reveal the command-and-control servers they ended up capturing, so I don't think there is risk of exposing an operation," Ghosh says. "However, it is time to put this information out to the public so people, and companies in particular, have a broader awareness of what is happening. They didn't reveal the sophistication of the methods, though they hinted at it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How to Think Like a Hacker
Dr. Giovanni Vigna, Chief Technology Officer at Lastline,  10/10/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in the GlobalProtect Agent for Windows 5.0.3 and earlier, and GlobalProtect Agent for Windows 4.1.12 and earlier, in which the auto-update feature can allow for modification of a GlobalProtect Agent MSI installer package on disk before installation.
PUBLISHED: 2019-10-16
A Local Privilege Escalation vulnerability exists in GlobalProtect Agent for Linux and Mac OS X version 5.0.4 and earlier and version 4.1.12 and earlier, that can allow non-root users to overwrite root files on the file system.
PUBLISHED: 2019-10-16
There are some web interfaces without authentication requirements on D-Link DIR-412 A1-1.14WW routers. An attacker can clear the router's log file via act=clear&logtype=sysact to log_clear.php, which could be used to erase attack traces.
PUBLISHED: 2019-10-16
A vulnerability in the CLI of Cisco TelePresence Collaboration Endpoint (CE) Software could allow an authenticated, local attacker to execute code with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating as the re...
PUBLISHED: 2019-10-16
A vulnerability in the web-based management interface of Cisco Firepower Management Center (FMC) Software could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the web-based management interface. The vulnerability is due to insufficient...