1 / 20

HTran and the Advanced Persistent Threat

HTran and the Advanced Persistent Threat. Joe Stewart Director of Malware Research Dell SecureWorks. APT Definition. Cyber-espionage activity targeting government, industry or activists. APT Attack Targets. Government Military Defense Contractors Security Companies Software Vendors

blue
Download Presentation

HTran and the Advanced Persistent Threat

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. HTran and the Advanced Persistent Threat Joe Stewart Director of Malware Research Dell SecureWorks Confidential

  2. APT Definition Cyber-espionage activity targeting government, industry or activists. Confidential

  3. APT Attack Targets • Government • Military • Defense Contractors • Security Companies • Software Vendors • Webmail Providers • Activist Orgs • Manufacturers • Global Policy Orgs • Think-Tanks Confidential

  4. APT Attack Tools • Spear-Phishing • Zero-Day Exploits • Custom Backdoors • Low AV detection • Custom network protocols/encryption • Custom Toolsets • Network Discovery • SQL/SMB bruteforce • Remote administration Confidential

  5. Dell SecureWorks APT Tracking Stats • 80+ Malware families • 8500+ C2 hostnames • 1300+ Domains • 55% Registered by APT actors • 35% Dynamic DNS names • 10% Compromised domains • 1500+ active IPs • 1000+ IPS countermeasures deployed Confidential

  6. Shady RAT Confidential

  7. Shady RAT Report Breakdown • McAfee found public log analysis pages on an APT control server • Processed logs only list IPs of 30 “top-talkers” per month • 666 unique IP addresses • McAfee identified 72 victims across a broad array of sectors: • Government • International • National • State • County • Military/Military contractors • Construction • Electronics • Computer Security • Communications • Energy • News Media • Agriculture • Trade Groups • CTU correlated McAfee’s report with the log data • Independently derived complete list of victim names • Determined Shady RAT to be part of activity by the “Comment Crew” Confidential

  8. Shady RAT – CTU Analysis • Dell SecureWorks CTU identified 15 additional victims from Shady RAT logs: • U.S. Government commission • Three additional defense contractors • Air Force of Asian nation • Financial news service • Data backup company • Trade group • Global policy advocate • Scientific supply company • Satellite communications company • Biomedical institute • University • Healthcare benefits management firm • Seminary School Confidential

  9. Comment Crew Malware • First stage - small downloader trojans • Designed to periodically request a web page with additional instructions (sleep, download second-stage payload) • Typical stage-1 phone-home request (User-Agent/URI path varies from variant to variant): GET /comp/sem/resources.htm HTTP/1.1 User-Agent: HTTP Mozilla/5.0(compatible+MSIE) Host: www.cometoway.org Cache-Control: no-cache Confidential

  10. Comment Crew Response HTTP/1.1 200 OK Date: Fri, 06 May 2011 15:56:50 GMT Server: Apache Last-Modified: Sat, 26 Mar 2011 02:23:09 GMT ETag: "a301f7-19ed-49f596435dd40" Accept-Ranges: bytes Content-Length: 6637 Content-Type: text/html <!-- czoyNA== --> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"> <html> <head> <title>Advanced Insurance Management - Information and Resources for Workers' Comp</title> <style type="text/css"> Confidential

  11. Shady RAT and the APT Landscape • Shady RAT is the tip of an iceberg • Same actor group (Comment Crew) has at least a dozen variants that behave similarly to Shady RAT • Many more second-stage backdoor trojans • Each trojan variant has several known control servers • CTU has tied over 100 different C2s to specific Comment Crew malware samples • Many more hostnames identified as belonging to Comment Crew domains but malware samples not yet found • Comment Crew is one of two major APT actor groups, with several minor actor groups also in play • Shady RAT data likely represents less than 1% of the actual APT activity going on in the world Confidential

  12. HTran Confidential

  13. HTran • During classification of APT malware used in RSA attack, interesting pattern identified in network traffic from APT C2 server: • Error message, although truncated, appeared to identify hidden backend destination of C2 traffic • Analysis of error message formatting led to source code for “HTran”, or “HUC Packet Transmit Tool” • HUC = Honker Union of China • HTran is a simple packet bouncer/relay, used to disguise the location of the real C2 server of any malware using TCP communication • In cases where connectivity is lost between HTran and the backend server, the connection error message will be sent to the connecting client [SERVER]connection to funn Confidential

  14. HTran Analysis • Since HTran will in certain cases betray the true location of the hacker, knowing the error message pattern gives us two advantages: • Identification of latent APT activity on the network • Attribution of origin of APT activity • Snort rules to detect HTran on the wire: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HTran Connection Redirect Failure Message"; flow:established,from_server; dsize:<80; content:"|5b|SERVER|5d|connection|20|to|20|"; depth:22; reference:url,www.secureworks.com/research/threats/htran/; sid:1111111111;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"HTran Connection Redirect Failure Message (Unicode)"; flow:established,from_server; dsize:<160; content:"|5b00|S|00|E|00|R|00|V|00|E|00|R|005d00|c|00|o|00|n|00|n|00|e|00|c|00|t|00|i|00|o|00|n|002000|t|00|o|002000|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; sid:1111111112;) Confidential

  15. HTran Attribution Project • Using the list of APT-related hostnames, we resolve all IPs and connect to each one every 10 minutes • Wait up to 30 seconds for any HTran error messages which might occur • This survey of APT IPs has yielded plenty of results: [Thu Jul 28 03:47:59 2011] : [SERVER]connection to 112.64.212.108:8000 error [Thu Jul 21 01:02:26 2011] : [SERVER]connection to 112.64.214.174:443 error [Wed Jul 27 01:50:47 2011] : [SERVER]connection to 58.247.246.171:443 error [Wed Jul 27 14:10:15 2011] : [SERVER]connection to 112.65.84.61:443 error [Thu Jul 28 02:40:02 2011] : [SERVER]connection to 58.247.242.225:443 error [Thu Jul 28 03:06:30 2011] : [SERVER]connection to 58.247.242.225:443 error [Thu Jul 28 09:38:22 2011] : [SERVER]connection to 58.247.244.177:443 error [Wed Jul 27 14:50:51 2011] : [SERVER]connection to 112.64.215.67:1443 error Confidential

  16. Confidential

  17. HTran Attribution Project • The survey still continues to yield results: [Wed Sep 21 00:56:58 2011] : [SERVER]connection to 58.247.25.171:443 error [Wed Sep 21 03:28:39 2011] : [SERVER]connection to 58.247.25.171:80 error [Wed Sep 21 06:32:16 2011] : [SERVER]connection to 121.229.200.223:10009 err [Wed Sep 21 07:47:10 2011] : [SERVER]connection to 112.65.85.93:443 error [Wed Sep 21 09:00:02 2011] : [SERVER]connection to 112.64.213.222:80 error [Wed Sep 21 11:28:24 2011] : [SERVER]connection to 112.64.113.17:443 error [Thu Sep 22 01:27:48 2011] : [SERVER]connection to 58.247.26.203:80 error [Thu Sep 22 09:13:39 2011] : [SERVER]connection to 202.85.61.150:6654 error [Thu Sep 22 02:45:17 2011] : [SERVER]connection to 58.247.26.203:443 error [Fri Sep 23 00:36:35 2011] : [SERVER]connection to 58.247.247.169:443 error [Fri Sep 23 04:47:20 2011] : [SERVER]connection to 114.92.20.60:80 error [Fri Sep 23 05:57:29 2011] : [SERVER]connection to 114.92.20.60:443 error [Fri Sep 23 08:33:42 2011] : [SERVER]connection to 121.229.200.8:10009 error [Sat Sep 24 06:53:31 2011] : [SERVER]connection to 180.171.193.13:443 error [Sat Sep 24 18:10:15 2011] : [SERVER]connection to 114.92.28.19:80 error [Sat Sep 24 03:13:10 2011] : [SERVER]connection to 180.171.193.13:53 error [Mon Sep 26 01:40:50 2011] : [SERVER]connection to 58.247.24.252:443 error Confidential

  18. HTran Attribution Project Findings • Almost all of the HTran errors point to the true C2 being located on just a few networks in mainland China • Most of the activity is centered around Beijing and Shanghai • The Comment Crew uses HTran (so does the other major APT actor group) • Comment Crew HTran-hidden C2s are always found pointing to the Shanghai area • This kind of attribution is one step beyond regular IP-based attribution, but… • It still is only the “where”, not the “who” • It is nearly impossible to show a trail of digital evidence to state-sponsored actors (through legal means) • But at this point, is there anyone left who doesn’t believe this is state-sponsored activity? Confidential

  19. APT Exfiltration Defense-in-Depth • Strong FW egress policy • Force HTTP/FTP traffic through proxy • Force HTTPS traffic through SSL-terminating proxy • DNS log monitoring • IPS (only with APT-trojan-aware ruleset) • HTTP protocol anomaly detection • Network whitelisting • Process whitelisting Confidential

  20. Q&A • Send any suspected APT malware samples you encounter to apt@counterthreatunit.com for classification • Thank you! Confidential

More Related