GlassRAT Malware Stayed Under Radar For Years: RSA

A remote access Trojan (RAT) that managed to stay under the radar for several years has been used by malicious actors to target Chinese nationals associated with multinational corporations.

According to a report published by RSA on Monday, the threat, dubbed “GlassRAT,” managed to avoid detection by most antivirus products because it was used only in highly targeted attacks.

Researchers believe the Trojan, which has been named a “zero detection” threat, has been around since at least September 2012, but a sample was only uploaded to VirusTotal in December 2014. Another important factor that helped the threat maintain a low profile is the fact that its dropper, which had been signed with a legitimate certificate stolen from a popular Chinese software developer, was only uploaded to public malware databases in September 2015. RSA said the sample was uploaded from a Chinese IP address.

GlassRAT has typical RAT capabilities, including reverse shell functionality that provides attackers access to the infected device. RSA has determined that the malware has been used in a highly targeted campaign aimed at Chinese nationals and other Chinese speakers associated with large multinational corporations in China and other countries since at least early 2013.

RSA first discovered the threat on the computer of a Chinese national in February 2015 while analyzing an incident at a multinational company based in the United States.

One noteworthy aspect is that some pieces of GlassRAT’s code are similar to Taidoor and a possibly related malware family called Taleret. Taidoor first appeared in 2008 and it has been mainly used in cyber espionage campaigns targeting government agencies, corporations and think tanks, particularly ones with an interest in Taiwan.

In addition to malware code similarities, RSA also discovered that GlassRAT operations briefly overlapped with other major campaigns in terms of command and control (C&C) infrastructure. Links have been found to the C&C domains used in cyber espionage campaigns leveraging malware known as Mirage, MagicFire and PlugX.

These geopolitical operations were mainly aimed at organizations in the Asia-Pacific region, including the Philippine military and the Mongolian government.


However, RSA pointed out that the profile and volume of targeted entities, along with the fact that the time period of the C&C overlap was relatively short, suggest that it might have been a “security slip” by the operators of GlassRAT. On the other hand, experts believe it’s also possible that “subordinate departments of a much larger organization with shared infrastructure and developers run these campaigns.”

Different APT actors using parts of the same C&C infrastructure is not unheard of. The Hellsing group, whose activities were detailed by Kaspersky Lab in April, leveraged infrastructure also used by Mirage, PlayfullDragon (Gref), and Cycldek (Goblin Panda).
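The distinction drawn above, between a brief C&C overlap that looks like an operator slip and sustained sharing that points to common infrastructure, is something an analyst can check mechanically once per-campaign indicator timelines exist. The script below is an added illustration and not RSA's or Kaspersky's tooling: it takes constructed (campaign, domain, first-seen, last-seen) observations, finds domains used by more than one campaign, and labels each pair by how many days the usage windows actually overlapped. The 30-day threshold, the `.invalid` domain names and all dates are assumptions chosen for the example.

```python
"""Correlate C&C domain observations across campaigns to spot shared
infrastructure and judge how long the overlap lasted (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample observations: (campaign, domain, first_seen, last_seen).
# Domains use the reserved .invalid TLD; dates are illustrative, not real IoCs.
OBSERVATIONS = [
    ("GlassRAT",  "update.c2-one.invalid",  date(2013, 1, 10), date(2013, 6, 30)),
    ("Mirage",    "update.c2-one.invalid",  date(2013, 6, 20), date(2014, 2, 1)),
    ("GlassRAT",  "news.c2-two.invalid",    date(2013, 3, 1),  date(2013, 12, 31)),
    ("PlugX",     "news.c2-two.invalid",    date(2013, 4, 1),  date(2013, 9, 30)),
    ("GlassRAT",  "mail.c2-three.invalid",  date(2014, 1, 1),  date(2014, 5, 1)),
    ("MagicFire", "mail.c2-three.invalid",  date(2014, 8, 1),  date(2014, 12, 1)),
    ("Taidoor",   "docs.c2-four.invalid",   date(2012, 1, 1),  date(2012, 6, 1)),
]

BRIEF, SUSTAINED, SEQUENTIAL = "brief", "sustained", "sequential"


def overlap_days(first_a, last_a, first_b, last_b):
    """Inclusive count of days on which both campaigns used the domain (0 if none)."""
    start, end = max(first_a, first_b), min(last_a, last_b)
    return (end - start).days + 1 if end >= start else 0


def classify(days, sustained_threshold=30):
    """Label an overlap; the threshold is an assumed analyst-tunable value."""
    if days == 0:
        return SEQUENTIAL   # domain reused later, never operated concurrently
    if days < sustained_threshold:
        return BRIEF        # consistent with an operator slip
    return SUSTAINED        # consistent with genuinely shared infrastructure


def shared_infrastructure(observations, sustained_threshold=30):
    """Return one finding per (domain, campaign pair) where two campaigns used the domain."""
    by_domain = defaultdict(list)
    for campaign, domain, first, last in observations:
        by_domain[domain].append((campaign, first, last))

    findings = []
    for domain, uses in sorted(by_domain.items()):
        for i, (ca, fa, la) in enumerate(uses):
            for cb, fb, lb in uses[i + 1:]:
                if ca == cb:
                    continue  # same campaign seen twice is not sharing
                days = overlap_days(fa, la, fb, lb)
                findings.append({
                    "domain": domain,
                    "campaigns": tuple(sorted((ca, cb))),
                    "overlap_days": days,
                    "label": classify(days, sustained_threshold),
                })
    return findings


if __name__ == "__main__":
    for f in shared_infrastructure(OBSERVATIONS):
        print(f"{f['domain']:<24} {' & '.join(f['campaigns']):<22} "
              f"{f['overlap_days']:>4} days  {f['label']}")
```

Run as-is it reports three shared domains: an 11-day overlap between GlassRAT and Mirage (labelled brief), a 183-day overlap with PlugX (sustained) and a domain MagicFire picked up months after GlassRAT stopped using it (sequential). Real indicator feeds rarely give clean first/last-seen dates, so in practice the windows would come from passive DNS or sinkhole telemetry and the threshold would be calibrated against how long the actor's campaigns normally run.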

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
