VPN network tied to the activity of the Shell Crew group

Aug 4, 2015 15:11 GMT  ·  By

RSA security researchers have published a report analyzing a commercial VPN service based in China that hijacks legitimate servers and adds them to its own network of 1,500+ nodes.

Dubbed Terracotta VPN by the researchers, the company expands its VPN offering by hacking into Windows-based servers, mainly located in China, the US and South Korea.

According to the RSA paper, most of the hijacked servers belong to hotels, universities, and various US government departments.

Priced at around $3 / €2.75 per month for Chinese users, Terracotta targets a low-budget market, which appears to limit what it can spend on infrastructure.

While similar providers rent servers around the world to build a broad network, Terracotta, probably because of its lower revenue, has resorted to cutting costs by stealing them.

Windows servers are hacked because they are easier to set up as VPN nodes

RSA observed the company adding new nodes to its Terracotta VPN network by hacking poorly protected Windows servers it finds online.

As RSA explains, the operators first brute-force the server's administrator account, then disable the host firewall and any antivirus services, and enable Telnet access.

They then create their own Windows account and install a variant of Gh0st RAT (a Remote Access Trojan).

Because a Windows server can be turned into a VPN node in fewer steps, and with fewer complications, than a Linux or Mac system, Windows has been the main target of Terracotta's campaign.
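A check a Windows administrator would want after reading the enlistment steps above: the following PowerShell script is an added example, not code from RSA or from the article, that audits a single server for those indicators (firewall profiles off, Defender real-time protection off, Telnet and the Routing and Remote Access VPN service running, a burst of failed Administrator logons from one address, and freshly created local accounts). It assumes PowerShell 5.1 or later on Windows Server 2012 R2 or newer with the NetSecurity and Defender modules, run from an elevated session; the 24-hour lookback and the 50-failure threshold are illustrative choices, not values from the report.

```powershell
# Added example (not from the RSA report or the article): audit a Windows server for the
# Terracotta-style enlistment indicators described above. Assumes PowerShell 5.1+ on
# Windows Server 2012 R2 or later with the NetSecurity and Defender modules, run elevated.
# The lookback window and brute-force threshold are illustrative defaults, not report values.
param(
    [int]$LookbackHours = 24,
    [int]$FailedLogonThreshold = 50
)

$findings = New-Object 'System.Collections.Generic.List[string]'
$since    = (Get-Date).AddHours(-$LookbackHours)

# Pull one named EventData field out of a Security event without relying on property order.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Host firewall profiles switched off (the first thing the operators do after gaining admin).
Get-NetFirewallProfile | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings.Add("Firewall profile '$($_.Name)' is disabled")
}

# 2. Defender real-time protection disabled. Get-MpComputerStatus is absent on hosts without
#    Defender, so a third-party AV has to be checked through its own tooling.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is disabled')
}

# 3. Telnet server (TlntSvr) enabled for remote control, and Routing and Remote Access
#    (RemoteAccess), the role that turns the box into a VPN endpoint, running unexpectedly.
foreach ($name in 'TlntSvr', 'RemoteAccess') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings.Add("Service '$name' ($($svc.DisplayName)) is running")
    }
}

# 4. Brute-force burst: failed logons (event 4625) against the built-in Administrator account,
#    grouped by source address.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
          -ErrorAction SilentlyContinue
$failed |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq 'Administrator' } |
    ForEach-Object { Get-EventField $_ 'IpAddress' } |
    Group-Object |
    Where-Object { $_.Count -ge $FailedLogonThreshold } |
    ForEach-Object {
        $findings.Add("$($_.Count) failed Administrator logons from $($_.Name) in the last $LookbackHours h")
    }

# 5. Local accounts created in the window (event 4720), and whether they now sit in the
#    local Administrators group.
$admins  = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
           -ErrorAction SilentlyContinue
foreach ($e in $created) {
    $user    = Get-EventField $e 'TargetUserName'
    $isAdmin = $admins -match "\\$([regex]::Escape($user))$"
    $findings.Add("Account '$user' created at $($e.TimeCreated)" +
                  $(if ($isAdmin) { ' and is a local Administrator' }))
}

if ($findings.Count -eq 0) {
    Write-Output 'No Terracotta-style enlistment indicators found.'
} else {
    Write-Warning "$($findings.Count) indicator(s) found:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

Any single hit is a lead, not proof: an admin may legitimately run RRAS or have disabled a profile. The combination the article describes (firewall off, AV off, Telnet on, a new account following a logon-failure burst) is what should trigger an incident. The checks are generic, so the script flags any intrusion that follows this pattern, not only Terracotta's; the Gh0st RAT payload itself is better hunted with the indicators in the RSA report than with a host-configuration audit.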

Terracotta VPNs used in illicit activities

Beyond hacking servers, Terracotta has been willing to rent its network to APT (Advanced Persistent Threat) groups in the past.

RSA says Terracotta VPN nodes have been spotted in the recent activity of the Chinese hacking group Shell Crew (also known as Deep Panda).

Because the service mixes the attackers' traffic with that of regular users, APT groups gain an extra layer of cover for their activities.

While RSA's experts do say that "there is no evidence that the Terracotta network and its operators are affiliated in any way with the APT actors," their research does show that the operators illegally add nodes to the network by hacking third-party servers.

Images (3):
How the Terracotta VPN works
Terracotta VPN node enlistment
Geographic concentration of Terracotta VPN nodes