HTRAN
HTRAN is a port-forwarding and TCP proxy/relay utility used to redirect connections between networks and to obscure an operator's location or command-and-control infrastructure by rerouting traffic through intermediary systems. Public reporting describes it as a malicious communication relay, a connection bouncer, and a traffic-redirection utility that can effectively act as a SOCKS proxy server. It creates TCP sessions and tunnels other port communications, including passing traffic from disallowed ports through whitelisted ports. The source code is publicly available on GitHub; the tool was reportedly released in 2003 by Honker Union members bkbll and Lin Yong. Reporting also states that HTRAN can inject into running processes.

HTRAN has been used by multiple Chinese threat actors and operations, including GALLIUM, APT12, Lotus Blossom, and Shady RAT. GALLIUM specifically used a modified version to redirect connections between networks, and Lotus Blossom used an HTran-derived modified relay named "mtrain V1.01." In one ASEC-reported intrusion targeting poorly managed Windows IIS web servers in South Korea, attackers installed HTran through the w3wp.exe IIS worker process after deploying a Meterpreter backdoor; ASEC noted that attackers commonly use it to enable remote communication to services such as RDP.

High-confidence behavioral indicators drawn from the reporting are TCP socket proxying/port forwarding, network traffic redirection through intermediate hops, possible process injection, and visibility of tunnel-related connections in Windows Security Event ID 5156 telemetry.
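The last indicator above, Windows Security Event ID 5156, is the telemetry in which a relay becomes visible: a single process accepts an inbound connection and, moments later, opens an outbound connection to a different host. The script below is an added example written for this page (it is not code from the original page, from HTRAN, or from any vendor) showing one way to hunt that pattern. It groups 5156 records by owning process and pairs an inbound TCP leg with an outbound leg to another host within a short window, flagging pairs whose ports differ as a possible "allowed port in, blocked service out" bridge. The event records, image paths, addresses and the five-second window are all constructed assumptions for illustration.

```python
"""Hunt for TCP relay behaviour in Windows Security Event ID 5156 records.

Event ID 5156 ("The Windows Filtering Platform has permitted a connection")
records every permitted connection together with the owning process, the
direction and both endpoints. A port-forwarding relay shows up as one
process that accepts an inbound connection and, moments later, opens an
outbound connection to a *different* host: the forwarded leg. This script
groups 5156 records by process and pairs inbound and outbound legs that
fall inside a short time window.

Note: 5156 is only logged when the "Audit Filtering Platform Connection"
subcategory is enabled, and it is high-volume; in production the pairing
below would run over a SIEM export rather than an in-memory list.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TCP = 6

# Constructed sample records, not real telemetry. Field names follow the
# 5156 event schema; Direction is normalised to "Inbound"/"Outbound" and
# the image paths and addresses are placeholders chosen for the example.
SAMPLE_EVENTS = [
    # Ordinary IIS worker: accepts HTTPS, opens nothing outbound.
    {"TimeCreated": "2024-04-09T05:03:10", "ProcessID": 4120,
     "Application": r"\device\harddiskvolume2\windows\system32\inetsrv\w3wp.exe",
     "Direction": "Inbound", "SourceAddress": "203.0.113.7", "SourcePort": 51000,
     "DestAddress": "10.0.0.5", "DestPort": 443, "Protocol": TCP},
    # Relay pattern: an unknown binary accepts a connection on the
    # allowed port 443 and one second later connects to internal RDP.
    {"TimeCreated": "2024-04-09T05:04:51", "ProcessID": 7788,
     "Application": r"\device\harddiskvolume2\windows\temp\svc.exe",
     "Direction": "Inbound", "SourceAddress": "198.51.100.23", "SourcePort": 40112,
     "DestAddress": "10.0.0.5", "DestPort": 443, "Protocol": TCP},
    {"TimeCreated": "2024-04-09T05:04:52", "ProcessID": 7788,
     "Application": r"\device\harddiskvolume2\windows\temp\svc.exe",
     "Direction": "Outbound", "SourceAddress": "10.0.0.5", "SourcePort": 49821,
     "DestAddress": "10.0.0.9", "DestPort": 3389, "Protocol": TCP},
    # Browser: outbound only, so there is no inbound leg to pair with.
    {"TimeCreated": "2024-04-09T05:05:00", "ProcessID": 9001,
     "Application": r"\device\harddiskvolume2\program files\browser\browser.exe",
     "Direction": "Outbound", "SourceAddress": "10.0.0.5", "SourcePort": 50001,
     "DestAddress": "192.0.2.44", "DestPort": 443, "Protocol": TCP},
]


def _ts(event):
    """Parse the ISO-8601 TimeCreated field into a datetime."""
    return datetime.fromisoformat(event["TimeCreated"])


def find_relay_candidates(events, window_seconds=5):
    """Return inbound/outbound 5156 pairs that look like a forwarded leg.

    A pair is reported when the same process (image path + PID) accepts a
    TCP connection and then, within `window_seconds`, opens a TCP
    connection to a host other than the one that connected in.
    `port_bridge` is set when the inbound and outbound ports differ, i.e.
    the process appears to carry one service's traffic over another port.
    """
    window = timedelta(seconds=window_seconds)
    by_process = defaultdict(list)
    for ev in events:
        if ev.get("Protocol") == TCP:
            by_process[(ev["Application"], ev["ProcessID"])].append(ev)

    findings = []
    for (image, pid), evs in by_process.items():
        evs.sort(key=_ts)
        inbound = [e for e in evs if e["Direction"] == "Inbound"]
        outbound = [e for e in evs if e["Direction"] == "Outbound"]
        for inb in inbound:
            for outb in outbound:
                delta = _ts(outb) - _ts(inb)
                if not (timedelta(0) <= delta <= window):
                    continue
                if outb["DestAddress"] == inb["SourceAddress"]:
                    continue  # talking back to the same peer is not relaying
                findings.append({
                    "image": image,
                    "pid": pid,
                    "client": f'{inb["SourceAddress"]}:{inb["SourcePort"]}',
                    "listen_port": inb["DestPort"],
                    "target": f'{outb["DestAddress"]}:{outb["DestPort"]}',
                    "port_bridge": inb["DestPort"] != outb["DestPort"],
                })
    return findings


if __name__ == "__main__":
    for f in find_relay_candidates(SAMPLE_EVENTS):
        bridge = " (port bridge)" if f["port_bridge"] else ""
        print(f"[relay?] {f['image']} (pid {f['pid']}) accepted {f['client']} "
              f"on port {f['listen_port']} then connected to {f['target']}{bridge}")
```

On the constructed input only the unknown binary is reported: it accepted a client on port 443 and one second later connected to an internal host on 3389, matching the RDP-forwarding use ASEC describes. A real deployment would add an allowlist of known forwarders (load balancers, legitimate proxies) and tune the window to the environment's noise level.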
Groups observed using it
3 distinct threat actors attributed by public researchers.
GALLIUM used a modified version of HTRAN to redirect connections between networks.
…released “HTRAN,” a tool designed to obscure an attacker’s location by rerouting internet traffic through intermediary computers… | Other tools developed within former red hacker circles include HTRAN... Designed to obscure an attacker’s location by rerouting internet traffic through intermediary computers, HTRAN has been used in operations such as Shady RAT in 2011 and by Chinese threat groups including GALLIUM and APT12.
...other tools signed with this certificate, such as HTRan, a connection bouncer...
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Persistence
2 techniques
Therefore, even without credentials for the targeted web server, the attacker can easily access the web server from outside once the attacker account has been created.
After installing the Meterpreter backdoor and the HTran port-forwarding tool, the attacker created an attacker account on the targeted system with the net command in order to maintain persistence and secure a foothold. ... 2024.04.09 05:04:51 net user kr$ test123!@# /add
Privilege Escalation
1 technique
Stealth
2 techniques
"Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor." / "Action RAT's commands, strings, and domains can be Base64 encoded within the payload." / "APT41 used VMProtected binaries in multiple intrusions."
Lateral Movement
1 technique
Then, when another client (for example the 3389 Remote Desktop client in this example) connects to 123.123.123.123:2017, it is equivalent to connecting to 192.168.1.2:3389 on the internal host.
Command and Control
5 techniques
After installing the Meterpreter backdoor, the attacker additionally installed the HTran utility through the w3wp.exe process. HTran is a port-forwarding tool whose source code is published on GitHub.
.001 Internal Proxy Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment.
.002 External Proxy Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure.
APT28 used other victims as proxies to relay command traffic, for instance using a compromised Georgian military email server as a hop point to NATO victims.
Exfiltration
1 technique
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
24 sources tracked across advisories, community write-ups, and news.
A well-known proxy/port relay tool referenced as the upstream basis for the actor’s modified 'mtrain' relay utility.
HTran is a port-forwarding utility installed after Meterpreter to relay traffic, commonly for remote access such as forwarding RDP connections.
Proxy/backdoor utility capable of injecting into running processes.
Connection-bouncer/proxy utility mentioned as an additional tool potentially used by the operators and signed with the same stolen certificate.