According to Joe Stewart, Dell SecureWork's director of malware research, whilst his team have been investigating APTs for several months, he says it is important to define the term as used in this analysis. APTs, he says, are best defined as "cyber-espionage activity targeted at government, industry or activists."
During his research, Stewart says that he and his team discovered that the hackers using these APT malware families sometimes use a common tool – HTran - in order to disguise the location of their command-and-control (C&C) servers.
HTran, he explained, is a connection bouncer, operating in a similar manner to a simplified reverse proxy server.
Hackers, he adds, can install an HTran listener on a host anywhere on the internet - most often on hacked third-party servers) - and then bounce incoming connections back to their real C&C server.
The HTran – HUC Packet Transmit Tool - program, says Stewart, was authored by "Lion", a well-known Chinese hacker and reported founder of the Honker Union of China (HUC), a patriotic hacking group in the People's Republic of China.
Stewart's report says that what led to the discovery of the common use of HTran was an error message that the hacker utility transmits to connecting clients whenever the hidden back end C&C server is unreachable.
By creating a system to establish regular connections to a list of over 1,000 IP addresses known by Dell SecureWorks' research team to be associated with APT activity bouncers, Stewart says he was able to uncover several HTran installations that eventually reported error messages – so revealing the IP address of the true C&C server controllers.
Whilst all of the found HTran installations were on computers in the US, Europe, Japan and Taiwan, Stewart explained that all of the hidden C&C controllers they redirected traffic to were located on just a few networks in the Peoples Republic of China.
According to the report, instances of HTran on multiple hosts could theoretically be chained together in order to add extra layers of obfuscation.
However, in case of the final endpoint C&C server being unavailable for any reason, the report notes that the last link in the HTran chain will still pass its connection failure message up the chain, rendering all of the other layers of obfuscation useless.
This tiny bit of error debugging code left in by the author, says the study, can be quite useful if one wants to track HTran-bounced hacking activity to its source.
Stewart and his team's analysis of the HTran utility has revealed that every hidden IP address observed in the HTran error messages was found to be located on just a few different networks in the People's Republic of China (PRC).
In almost every case, says the team's report, the observable C&C server is in a different country, most likely the same country in which the victim institution is located.