Joe Stewart, director of malware research for Dell SecureWorks' counter threat unit research team, who has been studying some 60 different families of malware used by APT attackers in their cyberespionage attacks, recently discovered a pattern in which many of these attackers use this tool, written 10 years ago by a Chinese hacker, to hide their whereabouts. Stewart, who published research on HTran use today in APT malware, said the Operation Shady RAT attackers are among those who use the tool for camouflaging purposes.
McAfee Wednesday unmasked an APT-type attack campaign that has been ongoing worldwide for five years that has stolen intellectual property from 70 government agencies, international corporations, nonprofits, and others in 14 countries. McAfee McAfee gathered data (PDF) on the attacks after accessing one C&C server, collecting logs that date back to 2006.
It also turns out that a recently discovered targeted attack against Defense contractors studied by researchers at Invincea and ThreatGrid that used a phishing email with a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity (IARPA) event was also part of Operation Shady RAT.
The embedded URL, which used a legitimate-looking domain, provided a ZIP archive to the attendee roster, complete with names of directors, presidents, and CEOs at major defense and intelligence companies. The XLS-looking file is actually an executable that extracts another custom program that's an HTTP client that beacons out to the command and control server, according to Anup Ghosh, founder and CEO of Invincea.
The executable file was a remote C&C Trojan hosted on a website that gives the attackers full control of the victim's machine and Internet settings in the registry, and is able to update the root certificate lists that could be used for SSL man-in-the-middle attacks.
Meanwhile, SecureWorks' Stewart first found the HTran connection in APT malware when studying traffic patterns of the malware. "I found one error message return from a controller ... telling me 'I'm not the controller, here's where it is.' Why would you have a nice error message that says here's the destination of the actual C&C on a silver platter?" he said.
The vendors, contractors, and other outside parties with which you do business can create a serious security risk. Here's how to keep this threat in check. Also in the new, all-digital issue of Dark Reading: Why focusing solely on your own company's security ignores the bigger picture. Download it now. (Free registration required.)