Malware Behind RSA Breach, Other APTs Linked to Chinese Networks

By CIOinsight  |  Posted 08-11-2011 Print Email
A debugger tool mistakenly left in a traffic bounce tool led Dell SecureWorks researchers to identify several networks in China used by attackers behind APTs.

In a project to classify more than 60 custom malware families used in advanced persistent threat attacks, a security researcher discovered several of them originated from command and control servers based in "a few networks" in China, namely in Beijing and Shanghai.

The attack on RSA Security earlier this yea, when attackers stole information relating to the SecurID two-factor authentication technology, was also traced back to two APT malware families and tied to a network in Shanghai, Joe Stewart, director of malware research at the Dell SecureWorks Counter Threat unit, told eWEEK.

Stewart released his findings during the Black Hat conference on Aug. 3. He defined APTs as "cyber-espionage activity targeted at government, industry or activists."

While the perpetrators used 60 different types of customized malware to launch their attacks, each cyber-gang had a certain set of tools that they preferred -- sort of as their signature, Stewart said. Based on the kind of malware being used in an attack, researchers were able to classify similar ones to get an idea of various gangs in operation.

Dell SecureWorks analyzed the code extracted from malicious Excel spreadsheets that RSA had provided to the United States Computer Emergency Response Team, or US-CERT, after the breach and discovered that two of the components were based on a commonly used Chinese hacker tool, Stewart said.

HTran, a "rudimentary" bouncer tool written by a well-known Chinese hacker 10 years ago, was being used by various attackers to redirect traffic from infected computers to command and control servers. A piece of code used for debugging purposes in HTran would return an error message to the infected computer if the C&C server was unavailable, Stewart said. That error message revealed the final IP address of the server.



 

Submit a Comment

Loading Comments...