SecureWorks dissects tool used by RSA-hack malware

SecureWorks has dissected the HTran tool used by hackers to mask malicious web-traffic during cyber-espionage attacks, saying it is being used as an "evil TOR".

The Dell subsidiary published a technical analysis of HTran, which it describes as a "rudimentary connection bouncer", on Wednesday. It first noticed traces of the tool while conducting research into the family of malware behind the RSA security breach and the theft of SecureID authentication details.

TOR — The Onion Router — is used to conceal the flow of web traffic by bouncing it  through different servers, so that the traffic becomes anonimised. In the same way, HTran has been used by hackers to disguise the source or destination of internet traffic and make surveillance more difficult, according to SecureWorks.

"HTran is used for obfuscation of command-and-control traffic, and exfiltration [of data]," said Don Smith, vice president of engineering and technology at SecureWorks in Europe.

China connection

The code itself is a fairly simple and is almost 11 years old, according to Smith. The author appears to be 'Lion', a hacker linked to the Honker Union of China hacker group.

Occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/ user error.

– Joe Stewart, SecureWorks

SecureWorks managed to trace the command-and-control servers for HTran back to three locations in China, the company said in a blog post on Wednesday. By analysing a flaw in a feedback mechanism on the tool, the researchers were able to pin down their location to the Beijing, Shanghai and Hong Kong areas.

Traffic shielded by HTran appeared to be flowing to servers in the US, Norway, Japan and Taiwan, but was actually redirected to China, SecureWorks said.

"Typically when hacking or malware traffic is reported on the internet, the location of the source IP [address] is not a reliable indicator of the true origin of the activity, due to the wide variety of programs designed to tunnel IP traffic through other computers," Joe Stewart, director of malware research at SecureWorks, said in the blog post.

"However, occasionally we get a chance to peek behind the curtain, either by advanced analysis of the traffic and/or its contents, or due to simple programmer/user error. This is one of those cases where we were lucky enough to observe a transient event that showed a deliberate attempt to hide the true origin of an [advanced persistent threat]," he added.

Advanced persistent threats

Advanced persistent threats (APTs) have no commonly agreed definition, but are generally attacks that try to access systems secretly and stay below the radar, as opposed to attacks aimed to cause disruption. One species of APT is a targeted email (spear-phishing) attack, where selected individuals are sent convincing messages containing malicious attachments or links to malicious websites. Once the individual is tricked into downloading malware, hackers then set about the task of secretly stealing information.

SecureWorks said that when HTran cannot connect to its command-and-control server, it sends an error message back to the infected host, and this message reveals the location of the server. The construction of the error string shows the host account and the attempt to connect to the command-and-control server's IP address.

In its unmasking of the Shady RAT campaign recently, McAfee suggested that nation states could be behind such massive attacks, and some have speculated that China is active in this area. However, Smith said that attribution of responsibility for the attacks was very difficult, even though SecureWorks has the ability to survey IP addresses for results.