Dell’s security division has unearthed the HTran bouncer that acted as a go-between in the RSA Security hack
SecureWorks, Dell’s security division, have uncovered a new hacking tool named HTran. The kit came to light when the group was investigating the Advanced Persistant Threat (APT) that penetrated the defences of EMC’s RSA Security.
HTran is used by many APT hackers to disguise the location of their command and control (C2) servers. To date, Joe Stewart, Dell SecureWorks director of Malware Research, in conjunction with the company’s Counter Threat Unit (CTU) researchers have uncovered 60 different families of custom (targeted) malware used to mount complex APT attacks.
C2 connection bouncer
HTran is a connection bouncer, a kind of proxy server. A “listener” program is hacked stealthily onto an unsuspecting host anywhere on the Internet. When it receives signals from the actual target system, it redirects it to the hacker’s server.
The code was developed by “lion”, a Chinese hacker who is often credited as being the founder of the Honker Union of China (HUC). This group is patriotic to the People’s Republic of China and may be tied to the government – or at least in sympathy with it. The name of the connection bouncer is derived from HUC Packet Transmit Tool, HTran’s official name.
When Stewart was investigating RSA Security’s breach, HTran would send an error message whenever the C2 server behind it was offline or unreachable. During their research into APT systems, Stewart and the CTU team had located the IP addresses of over 1,000 APT activity bouncers. By carefully logging behaviour, Stewart discovered several HTran installations and their error messages led him to the IP address of the real C2 servers.
The HTran systems were spread around the world in the US, Europe, Japan and Taiwan but all of the actual C2 hosts pointed to IP addresses located in China. Most of these destination IPs belong to large Chinese ISPs so actually locating the real C2 servers would be difficult or impossible without the co-operation of the Chinese government, Stewart said.
At the other end of the connections, he discovered that two of the families of malware were directly linked to the RSA breach disclosed last March. The C2 servers connecting through were disclosed in the CERT bulletin “EWIN-11-077”. This Early Warning and Indicator Notice details servers used in the RSA APT hack.
Help For APT Targets
Stewart has listed all of the HTran and hidden C2 servers’ IP addresses, with Snort signatures, in his report to assist other researchers. This, he hopes, will allow them to find HTran errors that indicate latent APT activity and through that the destination C2 servers for the exfiltrated (exported) data.
The report concludes: “This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes.”