Chinese HTran Root To RSA Hack Revealed By Dell

SecureWorks, Dell’s security division, has uncovered a new hacking tool named HTran. The kit came to light when the group was investigating the Advanced Persistent Threat (APT) that penetrated the defences of EMC’s RSA Security.

HTran is used by many APT hackers to disguise the location of their command and control (C2) servers. To date, Joe Stewart, Dell SecureWorks director of Malware Research, in conjunction with the company’s Counter Threat Unit (CTU) researchers have uncovered 60 different families of custom (targeted) malware used to mount complex APT attacks.

C2 connection bouncer

HTran is a connection bouncer, a kind of proxy server. A “listener” program is planted stealthily on an unsuspecting host anywhere on the Internet. When it receives connections from the compromised target system, it relays them to the hacker’s real server, so the victim only ever sees the intermediate host.

The code was developed by “lion”, a Chinese hacker who is often credited as being the founder of the Honker Union of China (HUC). This group is patriotic to the People’s Republic of China and may be tied to the government – or at least in sympathy with it. The name of the connection bouncer is derived from HUC Packet Transmit Tool, HTran’s official name.

When Stewart was investigating RSA Security’s breach, he noticed that an HTran listener would send back an error message whenever the C2 server behind it was offline or unreachable. During their research into APT systems, Stewart and the CTU team had located the IP addresses of over 1,000 APT activity bouncers. By carefully logging their behaviour, Stewart identified several HTran installations, and their error messages led him to the IP addresses of the real C2 servers.
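The leak described above is a data-handling problem for a defender: given captured responses from suspected bouncers, pull out the upstream address each one was trying to reach and group the results. The following is an added example, not code from the article or from Dell SecureWorks. It assumes the listener's error text has the shape `[SERVER]connection to <ip>:<port> error` (an assumption of this example; the article does not quote the string) and uses a constructed log format and constructed addresses from the RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed shape of the error an HTran listener returns when the C2 host behind
# it is unreachable: "[SERVER]connection to <ip>:<port> error". This string is
# an assumption of this example, not something quoted in the article.
HTRAN_ERROR_RE = re.compile(
    r"\[SERVER\]connection to (?P<ip>(?:\d{1,3}\.){3}\d{1,3}):(?P<port>\d{1,5}) error"
)

# Constructed log format for this example: "<timestamp> <src_ip> <dst_ip> <payload>"
# where src_ip is the host that sent the payload (the suspected bouncer).
LOG_LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<payload>.*)$")


@dataclass(frozen=True)
class BouncerLeak:
    bouncer_ip: str    # listener that emitted the error
    upstream_ip: str   # real C2 address the listener tried to reach
    upstream_port: int


def extract_leaks(lines):
    """Return one BouncerLeak per log line carrying an HTran-style error."""
    leaks = []
    for line in lines:
        m = LOG_LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue  # malformed line: skip rather than guess at fields
        err = HTRAN_ERROR_RE.search(m.group("payload"))
        if not err:
            continue  # ordinary traffic, nothing leaked
        port = int(err.group("port"))
        if not 0 < port <= 65535:
            continue  # the regex allows five digits; reject impossible ports
        leaks.append(BouncerLeak(m.group("src"), err.group("ip"), port))
    return leaks


def upstreams_by_bouncer(leaks):
    """Map each bouncer to the set of (ip, port) endpoints it leaked, so a
    listener that fronts several C2 hosts stands out."""
    out = defaultdict(set)
    for leak in leaks:
        out[leak.bouncer_ip].add((leak.upstream_ip, leak.upstream_port))
    return dict(out)


def bouncers_by_upstream(leaks):
    """Invert the view: which listeners relay to the same real C2 endpoint."""
    out = defaultdict(set)
    for leak in leaks:
        out[(leak.upstream_ip, leak.upstream_port)].add(leak.bouncer_ip)
    return dict(out)


# Constructed sample log; addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = [
    "2011-08-03T10:15:02Z 198.51.100.7 203.0.113.44 [SERVER]connection to 192.0.2.55:443 error",
    "2011-08-03T10:15:09Z 198.51.100.7 203.0.113.44 HTTP/1.1 200 OK",
    "2011-08-03T11:02:41Z 198.51.100.22 203.0.113.44 [SERVER]connection to 192.0.2.55:443 error",
    "2011-08-03T11:40:13Z 198.51.100.7 203.0.113.44 [SERVER]connection to 192.0.2.90:8080 error",
    "malformed",
    "2011-08-03T12:00:00Z 198.51.100.31 203.0.113.44 [SERVER]connection to 192.0.2.99:99999 error",
]

if __name__ == "__main__":
    for bouncer, ups in sorted(upstreams_by_bouncer(extract_leaks(SAMPLE_LOG)).items()):
        print(bouncer, "->", sorted(ups))
```

The two groupings answer different questions: `upstreams_by_bouncer` shows which listeners are worth watching, while `bouncers_by_upstream` collapses many geographically scattered bouncers onto the handful of real C2 endpoints they all serve, which is the pattern the article describes.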

The HTran systems were spread around the world in the US, Europe, Japan and Taiwan but all of the actual C2 hosts pointed to IP addresses located in China. Most of these destination IPs belong to large Chinese ISPs so actually locating the real C2 servers would be difficult or impossible without the co-operation of the Chinese government, Stewart said.

At the other end of the connections, he discovered that two of the malware families were directly linked to the RSA breach disclosed last March. The C2 servers reached through the bouncers were those disclosed in the CERT bulletin “EWIN-11-077”. This Early Warning and Indicator Notice details servers used in the RSA APT hack.

Help For APT Targets

Stewart has listed all of the HTran and hidden C2 servers’ IP addresses, with Snort signatures, in his report to assist other researchers. This, he hopes, will allow them to find HTran errors that indicate latent APT activity and through that the destination C2 servers for the exfiltrated (exported) data.

The report concludes: “This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes.”

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope, with expertise in security, the channel, and Britain's startup culture through his TechBritannia initiative.
