Joe Stewart, Dell SecureWorks’ Director of Malware Research, and the Counter Threat Unit (CTU) research team have long been researching Advanced Persistent Threat (APT) hacking activity. Since different entities may use the term APT differently, it is important to define the term as used in this analysis. According to Stewart, APT is best defined as “cyber-espionage activity targeted at government, industry or activists.”
To date, Stewart and the CTU have catalogued over 60 different families of custom malware involved in APT activity. Stewart and the CTU have developed countermeasures and Threat Intelligence to detect this malware. During this research, Stewart discovered that the hackers using these APT malware families sometimes use a common tool in order to disguise the location of their command-and-control (C2) servers. This tool is known as “HTran”.
HTran is a connection bouncer, sort of like a simplified reverse proxy server. Hackers can install an HTran listener on a host anywhere on the Internet (most often on hacked third-party servers), and bounce incoming connections back to their real C2 server. HTran was authored by “lion”, a well-known Chinese hacker and reported founder of the Honker Union of China (HUC), a patriotic hacking group in the People’s Republic of China (PRC). The name “HTran” actually stands for “HUC Packet Transmit Tool”.
What led Stewart to the discovery of the common use of HTran was an error message that HTran emits to connecting clients whenever the hidden backend C2 server is unreachable. By creating a system to establish regular connections to a list of over 1,000 IP addresses known by the CTU to be associated with APT activity bouncers, Stewart was able to uncover several HTran installations that eventually reported error messages revealing the IP address of the true C2 controllers. While all of the found HTran installations were on computers in the U.S., Europe, Japan and Taiwan, all of the hidden C2 controllers they redirected traffic to were located on just a few networks in the PRC.
Two of the malware families whose variants were discovered using HTran bouncers can be directly connected to the RSA Security breach disclosed in March 2011, based on related samples analyzed by Stewart that use C2s from the list disclosed in the CERT bulletin “EWIN-11-077”.
All of the detected HTran and hidden C2 IP addresses are listed in the full report, along with information and Snort signatures which can enable other institutions to detect HTran error messages in network traffic and possibly uncover not only latent APT activity, but also the true destination of any data that would be exfiltrated.
I had the opportunity to interview Joe Stewart from Black Hat about HTran.
The research started when Joe focused on APT for a number of reasons. He set out to classify APT, to survey the malware environment, and to work out how the APT malware families are related as well as how the infrastructure they share is related. While analyzing a set of malware samples related to, but not used in, the RSA attack and looking at their network traffic, he saw a pattern: an error message from HTran saying that it couldn’t bounce. So he wondered how many of these bouncers there are and whether he could find out where the systems on the other side of the bouncer are.
HTran basically gives away the IP address of the hosts on the back side. HTran came out in 2000 and is a popular bouncer used widely in hacking, so this is significant because it could lend insight into how to combat HTran.
He has over 6,000 back-end hosts identified and over 60 individual strains of malware isolated as a result of this analysis. After resolving all of the host names he ended up with about 1000 IP addresses. He started to connect to them every 10 minutes with software he wrote to obtain that error message from the servers. From those 1000 he ended up with 18 back-end servers.
Joe has written 2 Snort rules to detect the activity, and this functionality has already been rolled out to SecureWorks customers. The Snort rules were publicly posted on Wednesday, so anyone running an open-source-based IPS can take advantage of this knowledge. Someone who has malware using the HTran network could install these rules and spot the traffic in order to protect themselves.
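The correlation step described above (repeatedly probing a list of suspected bouncers, keeping only the responses that carry the bouncer’s “cannot reach backend” error, and folding those into a map of hidden back-end hosts) can be scripted as follows. This is an added example, not code from the report, from Joe Stewart or from SecureWorks. The page does not reproduce HTran’s actual error text, so the regular expression below is an assumed placeholder format to be replaced with the string from the published report or its Snort signatures; the probe responses and IP addresses are constructed sample data.

```python
import re
from collections import defaultdict
from typing import DefaultDict, Iterable, Optional, Set, Tuple

# ASSUMPTION: the page says HTran returns an error to the connecting client
# when its hidden backend is unreachable, but does not reproduce the text.
# This pattern is a placeholder for that message; substitute the exact
# string from the published report or Snort signatures.
BOUNCE_ERROR = re.compile(
    rb"connection to (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5}) error"
)


def _valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def extract_backend(response: bytes) -> Optional[Tuple[str, int]]:
    """Parse one probe response; return (backend_ip, port) if it carries
    the bouncer's 'cannot reach backend' error, otherwise None."""
    match = BOUNCE_ERROR.search(response)
    if match is None:
        return None
    ip = match.group(1).decode("ascii")
    port = int(match.group(2))
    if not _valid_ipv4(ip) or not 0 < port < 65536:
        return None  # data that merely resembles the error is discarded
    return ip, port


def correlate(polls: Iterable[Tuple[str, bytes]]) -> DefaultDict[str, Set[str]]:
    """Fold many probe results into backend_ip -> {bouncer_ip, ...}.

    Probing repeatedly matters: a bouncer only emits the error while its
    backend is down, so most polls of a given bouncer return nothing."""
    backends: DefaultDict[str, Set[str]] = defaultdict(set)
    for bouncer_ip, response in polls:
        hit = extract_backend(response)
        if hit is not None:
            backends[hit[0]].add(bouncer_ip)
    return backends


def report(polls: Iterable[Tuple[str, bytes]]) -> Tuple[int, int]:
    """Return (distinct bouncers that leaked, distinct backends found)."""
    backends = correlate(polls)
    bouncers: Set[str] = set().union(*backends.values()) if backends else set()
    return len(bouncers), len(backends)


# Constructed sample of probe results (RFC 5737 documentation addresses,
# not data from the report). Each tuple is (bouncer probed, bytes received).
SAMPLE_POLLS = [
    ("203.0.113.10", b""),                                          # backend reachable: silent
    ("203.0.113.10", b"connection to 198.51.100.7:443 error\r\n"),   # backend down: leak
    ("203.0.113.22", b"connection to 198.51.100.7:8080 error\r\n"),  # second bouncer, same backend
    ("203.0.113.35", b"HTTP/1.1 200 OK\r\n\r\n"),                   # unrelated service on the list
    ("203.0.113.40", b"connection to 999.1.1.1:80 error\r\n"),      # malformed address: rejected
]


if __name__ == "__main__":
    for backend, bouncers in sorted(correlate(SAMPLE_POLLS).items()):
        print(f"{backend} <- {', '.join(sorted(bouncers))}")
    print("bouncers leaking, backends found:", report(SAMPLE_POLLS))
```

The aggregation is the point: a single poll rarely says anything, but accumulating error responses over many rounds collapses a long list of suspected bouncers into a much shorter list of back-end hosts, which is the same many-to-few reduction described in the interview.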
The research is available in full.