APT Attackers Used Chinese-Authored Hacker Tool To Hide Their Tracks

Separate APT research efforts detail ongoing 'Operation Shady RAT' cyberespionage attacks

BLACK HAT USA 2011 -- Las Vegas -- The advanced persistent threat (APT) attackers behind the newly revealed Operation Shady RAT also deployed a tool called HTran that helps disguise their location.

Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks. He recently discovered a pattern in which many of these attackers use HTran, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on the tool's use today in APT malware, says the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.

McAfee today unmasked an APT-type attack campaign that has been ongoing worldwide for five years; the attack has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee gathered data (PDF) on the attacks after accessing one command-and-control (C&C) server, collecting logs that date back to 2006.

It also turns out that a recently discovered targeted attack against Defense contractors, studied by researchers at Invincea and ThreatGrid, which used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event, was also part of Operation Shady RAT.

The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major Defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.

The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.

Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me, 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he says.

That error message inadvertently led him to HTran, a hacking tool written a decade ago by "Lion," a patriotic hacker from China. "It lets you bounce connections. Ten years later, they are using this tool to disguise the location of an APT botnet," Stewart says.

"Whoever was using the tool didn't realize fully how it works, with this error message being sent," he says. "So I got an interesting opportunity to get a big list of IP addresses associated with APTs -- how many are using this and how many hidden destinations."

Stewart was able to locate the actual C&C servers used by the attackers, and narrowed down the main hubs in Beijing and Shanghai. "They are coming back and conversing with just a few networks in China," he says.

And two of the APT malware families Stewart studied were used in the RSA breach in March, he says. All indications suggest the attacks originated in China. "This pretty much points to China," Stewart says. "They are trying to hide their tracks and conceal their location. But it all points back to the same places … But we don't know what that network represents: Is it dial-up? A VPN endpoint? A cloud attached to it? There's a cluster of activity trying to hide at this location."

Meanwhile, security experts who investigate these cyberespionage-driven attacks say McAfee's news of the Operation Shady RAT attacks is really nothing new. There are many such attacks under way in the federal government and private industry, most of which have not been publicized in order to gather more intelligence on the attackers -- and in some cases, to avoid any PR fallout for the victims.

"This is not new -- these types of attacks have been going on" for some time, says Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab. "There aren't many details" in the report, however, he notes.

But McAfee's revelation of the targeted attack campaign could impede other forensic investigations into the attacks, and possibly derail any inside track investigators might be holding, security experts say.

Richard Bejtlich, chief security officer and vice president of managed services for Mandiant, says the newly released information basically might have "burned a resource" on the attacks. "Some organizations have been working on these investigations since 2006," he says.

Even so, experts say that shedding the spotlight on the pervasiveness and intensity of the attacks is helpful. One challenge with any APT investigation is the ability to pinpoint exactly where one attack starts and another ends: Victims often find multiple attack groups have infiltrated them.

"Sometimes evidence points to one particular threat actor, but then maybe too much," Kaspersky's Schouwenberg says. Sometimes, attackers try to mimic one another to throw off investigators, he says. "They could be trying to incriminate another one. It gets very muddy very fast" with these attacks, he says.

Invincea's Ghosh says the good news is that McAfee did not reveal the C&C servers they captured, and that the report illuminates how cyberespionage is more than just a Defense industry problem.

"I think McAfee did the right thing in painting the broader strokes to this story -- that it isn't isolated to the Defense industry, and that in fact it hits horizontally across all major industries, even ones they didn't mention. They didn't reveal the command-and-control servers they ended up capturing, so I don't think there is risk of exposing an operation," Ghosh says. "However, it is time to put this information out to the public so people, and companies in particular, have a broader awareness of what is happening. They didn't reveal the sophistication of the methods, though they hinted at it."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Read more about:

Black Hat News

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights