Chinese HTran Root To RSA Hack Revealed By Dell

SecureWorks, Dell’s security division, has uncovered a new hacking tool named HTran. The kit came to light when the group was investigating the Advanced Persistent Threat (APT) that penetrated the defences of EMC’s RSA Security.

HTran is used by many APT hackers to disguise the location of their command and control (C2) servers. To date, Joe Stewart, Dell SecureWorks director of Malware Research, in conjunction with the company’s Counter Threat Unit (CTU) researchers have uncovered 60 different families of custom (targeted) malware used to mount complex APT attacks.

C2 connection bouncer

HTran is a connection bouncer, a kind of proxy server. A “listener” program is stealthily installed on an unsuspecting host anywhere on the Internet. When it receives connections from the actual target system, it redirects them to the hacker’s server.

The code was developed by “lion”, a Chinese hacker who is often credited as being the founder of the Honker Union of China (HUC). This group is patriotic to the People’s Republic of China and may be tied to the government – or at least in sympathy with it. The name of the connection bouncer is derived from HUC Packet Transmit Tool, HTran’s official name.

While Stewart was investigating RSA Security’s breach, he noticed that HTran would send an error message whenever the C2 server behind it was offline or unreachable. During their research into APT systems, Stewart and the CTU team had located the IP addresses of over 1,000 APT activity bouncers. By carefully logging this behaviour, Stewart discovered several HTran installations, and their error messages led him to the IP addresses of the real C2 servers.
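Defenders can look for the same slip in their own traffic captures. The script below is an added example, not code from the SecureWorks report: it scans payloads returned by suspected bouncers for an HTran-style connection error and extracts the real C2 endpoint the message leaks. The error-string format is an assumption (it follows the publicly released HTran source as best recalled; check it against real captures), and the sample payloads are constructed.

```python
import re
import ipaddress

# Assumed HTran bouncer error format: what the listener returns to the
# connecting side when the real C2 cannot be reached. Verify the exact text
# against genuine captures before relying on it.
HTRAN_ERROR_RE = re.compile(
    rb"\[SERVER\]connection to (?P<host>[^:\s]+):(?P<port>\d{1,5}) error"
)

# Constructed sample: (bouncer IP, bouncer port, payload it returned).
# These are documentation-range addresses, not real indicators.
SAMPLE_PAYLOADS = [
    (b"203.0.113.10", 443, b"[SERVER]connection to 198.51.100.23:443 error\r\n"),
    (b"203.0.113.10", 443, b"HTTP/1.1 200 OK\r\n\r\n"),
    (b"203.0.113.77", 8080, b"[SERVER]connection to 198.51.100.23:8080 error\r\n"),
    (b"203.0.113.77", 8080, b"[SERVER]connection to not-an-ip:99999 error\r\n"),
]


def extract_hidden_c2(payloads):
    """Map each bouncer (ip, port) to the set of real C2 endpoints that its
    error messages leaked. Matches that do not parse as a valid IPv4
    address and port are skipped rather than trusted."""
    hidden = {}
    for bouncer_ip, bouncer_port, data in payloads:
        m = HTRAN_ERROR_RE.search(data)
        if not m:
            continue  # ordinary relayed traffic, nothing leaked here
        try:
            c2_ip = ipaddress.IPv4Address(m.group("host").decode())
            port = int(m.group("port"))
        except ValueError:
            continue  # malformed host field, ignore it
        if not 0 < port < 65536:
            continue
        key = (bouncer_ip.decode(), bouncer_port)
        hidden.setdefault(key, set()).add((str(c2_ip), port))
    return hidden


if __name__ == "__main__":
    for bouncer, c2s in extract_hidden_c2(SAMPLE_PAYLOADS).items():
        print(f"bouncer {bouncer[0]}:{bouncer[1]} -> real C2 {sorted(c2s)}")
```

Feed it the server-to-client payloads of sessions to hosts you already suspect of bouncing, and any hit gives you a destination address to block and to hunt for in historical flow logs.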

The HTran systems were spread around the world in the US, Europe, Japan and Taiwan but all of the actual C2 hosts pointed to IP addresses located in China. Most of these destination IPs belong to large Chinese ISPs so actually locating the real C2 servers would be difficult or impossible without the co-operation of the Chinese government, Stewart said.

At the other end of the connections, he discovered that two of the families of malware were directly linked to the RSA breach disclosed last March. The C2 servers these connections passed through were those disclosed in the CERT bulletin “EWIN-11-077”. This Early Warning and Indicator Notice details servers used in the RSA APT hack.

Help For APT Targets

Stewart has listed all of the HTran and hidden C2 servers’ IP addresses, with Snort signatures, in his report to assist other researchers. This, he hopes, will allow them to find HTran errors that indicate latent APT activity and through that the destination C2 servers for the exfiltrated (exported) data.

The report concludes: “This particular hole in the operational security of a certain group of APT actors may soon be closed, however it is impossible for them to erase the evidence gathered before that time. It is our hope that every institution potentially impacted by APT activity will make haste to search out signs of this activity for themselves before the window of opportunity closes.”

Eric Doyle, ChannelBiz

Eric is a veteran British tech journalist, currently editing ChannelBiz for NetMediaEurope, with expertise in security, the channel, and Britain's startup culture through his TechBritannia initiative.
