Attackers often want to disguise the origin of their connections when compromising a target. To do this, they may use generic anonymity tools such as Tor, or more specific connection proxy tools that route their traffic through intermediate hosts.
HUC Packet Transmitter (HTran) is a proxy tool, used to intercept and redirect Transmission Control Protocol (TCP) connections from the local host to a remote host. This makes it possible to obfuscate an attacker's communications with victim networks. The tool has been freely available on the internet since at least 2009.
HTran facilitates TCP connections between the victim and a hop point controlled by an attacker. Malicious cyber actors can use this technique to redirect their packets through multiple compromised hosts running HTran, to gain greater access to hosts in a network.
The use of HTran has been regularly observed in compromises of both government and industry targets.
A broad range of cyber actors have been observed using HTran and other connection proxy tools to:
- Evade intrusion detection systems on a network;
- Blend in with common traffic or leverage domain trust relationships to bypass security controls;
- Obfuscate or hide C2 infrastructure or communications; and
- Create peer-to-peer or meshed C2 infrastructure to evade detection and provide resilient connections to infrastructure.
HTran can run in several modes, each of which forwards traffic across a network by bridging two TCP sockets. They differ in terms of where the TCP sockets are initiated from, either locally or remotely. The three modes are:
- Server (listen) – Both TCP sockets initiated remotely;
- Client (slave) – Both TCP sockets initiated locally; and
- Proxy (tran) – One TCP socket initiated remotely, the other initiated locally, upon receipt of traffic from the first connection.
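The three modes reduce to the same primitive: two TCP sockets joined by a byte pump in each direction. The Python below is an added illustration written for this page, not HTran's own source: the function names, the loopback demo, the echo stand-in for the target service and the payload are constructed. The proxy-mode failure path deliberately relays the plaintext error line that the Detection and protection section quotes.

```python
"""HTran-style TCP socket bridging, reimplemented in Python as an added
illustration (not HTran's own source). Each mode joins two TCP sockets and
copies bytes both ways; the modes differ only in which end opens each socket."""
import socket
import threading

def pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst (clean FIN, not an RST).
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def bridge(a, b):
    # One pump thread per direction; returned so a caller can join them.
    threads = [threading.Thread(target=pump, args=pair, daemon=True)
               for pair in ((a, b), (b, a))]
    for t in threads:
        t.start()
    return threads

def tran(listener, host, port2):
    # Proxy ("tran") mode: one socket accepted from a remote peer, the other
    # dialled locally once that peer arrives. A failed dial is reported to the
    # client in the clear, in the format the page quotes. One connection only.
    client, _ = listener.accept()
    try:
        remote = socket.create_connection((host, port2), timeout=2)
        remote.settimeout(None)
    except OSError:
        client.sendall(b"[SERVER]connection to %s:%d error\r\n"
                       % (host.encode(), port2))
        client.shutdown(socket.SHUT_WR)  # FIN, so the error line is delivered
        client.settimeout(2)
        try:
            while client.recv(4096):     # drain, then close without an RST
                pass
        except OSError:
            pass
        client.close()
        return None
    return bridge(client, remote)

def slave(host1, port1, host2, port2):
    # Client ("slave") mode: both sockets dialled from the local host, e.g.
    # local RDP on 3389 out to an attacker-controlled server on port 80.
    return bridge(socket.create_connection((host1, port1)),
                  socket.create_connection((host2, port2)))

def listen(listener1, listener2):
    # Server ("listen") mode: both sockets accepted from remote peers.
    return bridge(listener1.accept()[0], listener2.accept()[0])

def _loopback_listener():
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def _echo_once(listener):
    # Constructed stand-in for the target service: echo one connection to EOF.
    c, _ = listener.accept()
    pump(c, c)
    c.close()

def demo_tran(reachable=True):
    # Constructed loopback demo: a client talks through a tran-mode hop to the
    # echo service. Returns the echo, or the relayed error line if the dial failed.
    target = _loopback_listener()
    target_port = target.getsockname()[1]
    if reachable:
        threading.Thread(target=_echo_once, args=(target,), daemon=True).start()
    else:
        target.close()                   # nothing listening: the dial fails
    hop = _loopback_listener()
    threading.Thread(target=tran, args=(hop, "127.0.0.1", target_port),
                     daemon=True).start()
    with socket.create_connection(hop.getsockname()) as client:
        client.sendall(b"hello over the hop")
        client.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    hop.close()
    return b"".join(chunks)
```

Run `demo_tran()` to see bytes pass through the hop and `demo_tran(reachable=False)` to see what a connecting client receives when the next hop is down. The half-close-then-drain in the failure path matters: closing a socket with unread inbound data makes the kernel send an RST, which can discard the error line before the client reads it.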
HTran can inject itself into running processes and install a rootkit to hide network connections from the host operating system. Using these features also creates Windows registry entries to ensure that HTran maintains persistent access to the victim network.
Recent investigations by our cyber security authorities have identified the use of HTran to maintain and obfuscate remote access to targeted environments.
In one incident, the attacker compromised externally facing web servers running outdated and vulnerable web applications. This access enabled the upload of web shells, which were then used to deploy other tools, including HTran.
HTran was installed into the ProgramData directory and other deployed tools were used to reconfigure the server to accept Remote Desktop Protocol (RDP) communications.
The actor issued a command to start HTran in client mode, initiating a connection to a server on the internet over TCP port 80 and forwarding Remote Desktop Protocol traffic from the local interface (TCP port 3389) over that connection.
In this case, port 80 (HTTP) was chosen to blend in with the traffic expected to originate from a web server to the internet. Other well-known ports used included:
- Port 53 - DNS;
- Port 443 - HTTPS (HTTP over TLS/SSL); and
- Port 3306 - MySQL.
By using HTran in this way, the actor was able to use RDP for several months without being detected.
Detection and protection
Attackers need code execution on a host to install and run HTran, so network defenders should apply security patches promptly and use good access control to prevent attackers installing malicious applications in the first place.
In some of the samples analysed, the rootkit component of HTran only hides connection details when the proxy mode is used. When client mode is used, defenders can view details about the TCP connections being made.
HTran also includes a debugging condition that is useful for network defenders. In the event that a destination becomes unavailable, HTran generates an error message using the following format:
sprintf(buffer, "[SERVER]connection to %s:%d error\r\n", host, port2);
This error message is relayed to the connecting client in the clear, without encryption or encoding. Defenders can monitor network traffic for this string to detect HTran instances active in their environments.
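The check that sentence describes, run over captured payloads, as an added example (not from the page or from HTran): the sample segments, addresses and the IDS rule text are constructed for illustration. The regex anchors on the literal `[SERVER]connection to` prefix, the `host:port` pair and the trailing CRLF, so the ordinary HTTP request and the lookalike line with a different prefix are not reported.

```python
"""Scan TCP payloads for the plaintext error line HTran relays to a connecting
client when its next hop is unreachable. Added example, not HTran's code;
all sample data below is constructed."""
import re

# The page quotes the format string; host is whatever the operator configured
# (IP or name), port is decimal, and the line ends in CRLF.
HTRAN_ERROR = re.compile(rb"\[SERVER\]connection to ([^\s:]+):(\d{1,5}) error\r\n")

# Equivalent Suricata/Snort rule text (assumed, untested here); sid is in the
# local range and should be adjusted to your rule set.
SURICATA_RULE = (
    'alert tcp any any -> any any (msg:"HTran relayed connection error"; '
    'flow:established; content:"[SERVER]connection to "; '
    'content:" error|0d 0a|"; distance:0; sid:1000001; rev:1;)'
)

def find_htran_errors(segments):
    """segments: iterable of (src, dst, payload_bytes), one per TCP segment or
    reassembled stream. Returns one finding per match, naming the flow and the
    destination HTran failed to reach. The string only appears when a hop is
    down, so a hit is high confidence but no hit proves nothing."""
    findings = []
    for src, dst, payload in segments:
        for m in HTRAN_ERROR.finditer(payload):
            findings.append({
                "src": src,
                "dst": dst,
                "next_hop": m.group(1).decode("ascii", "replace"),
                "next_hop_port": int(m.group(2)),
            })
    return findings

# Constructed segments: an ordinary HTTP request, an HTran error relayed over
# port 80 to the connecting client, and a lookalike that must not match.
SAMPLE_SEGMENTS = [
    ("10.0.0.5:51000", "203.0.113.7:80",
     b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    ("203.0.113.7:80", "10.0.0.5:51000",
     b"HTTP/1.1 200 OK\r\n\r\n[SERVER]connection to 192.168.1.20:3389 error\r\n"),
    ("10.0.0.9:52000", "10.0.0.10:443",
     b"[CLIENT]connection to 192.168.1.20:3389 error\r\n"),
]

if __name__ == "__main__":
    for f in find_htran_errors(SAMPLE_SEGMENTS):
        print(f)
```

Because the match happens on payload bytes rather than on a port, the check works equally on port 80, 443, 53 or 3306 as long as the flow is not actually encrypted; for genuine TLS on 443 the string would not be visible on the wire.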