A remote access Trojan (RAT) that managed to stay under the radar for several years has been used by malicious actors to target Chinese nationals associated with multinational corporations.
According to a report published by RSA on Monday, the threat, dubbed “GlassRAT,” managed to avoid detection by most antivirus products because it was used only in highly targeted attacks.
Researchers believe the Trojan, which has been named a “zero detection” threat, has been around since at least September 2012, but a sample was only uploaded to VirusTotal in December 2014. Another important factor that helped the threat maintain a low profile is the fact that its dropper, which had been signed with a legitimate certificate stolen from a popular Chinese software developer, was only uploaded to public malware databases in September 2015. RSA said the sample was uploaded from a Chinese IP address.
GlassRAT has typical RAT capabilities, including reverse shell functionality that provides attackers access to the infected device. RSA has determined that the malware has been used in a highly targeted campaign aimed at Chinese nationals and other Chinese speakers associated with large multinational corporations in China and other countries since at least early 2013.
RSA first discovered the threat on the computer of a Chinese national in February 2015 while analyzing an incident at a multinational company based in the United States.
One noteworthy aspect is that some pieces of GlassRAT’s code are similar to Taidoor and a possibly related malware family called Taleret. Taidoor first appeared in 2008 and it has been mainly used in cyber espionage campaigns targeting government agencies, corporations and think tanks, particularly ones with an interest in Taiwan.
In addition to malware code similarities, RSA also discovered that GlassRAT operations briefly overlapped with other major campaigns in terms of command and control (C&C) infrastructure. Links have been found to the C&C domains used in cyber espionage campaigns leveraging malware known as Mirage, MagicFire and PlugX.
These geopolitical operations were mainly aimed at organizations in the Asia-Pacific region, including the Philippine military and the Mongolian government.
However, RSA pointed out that the profile and volume of targeted entities, along with the fact that the time period of the C&C overlap was relatively short, suggest that it might have been a “security slip” by the operators of GlassRAT. On the other hand, experts believe it’s also possible that “subordinate departments of a much larger organization with shared infrastructure and developers run these campaigns.”
Different APT actors using parts of the same C&C infrastructure is not unheard of. The Hellsing group, whose activities were detailed by Kaspersky Lab in April, leveraged infrastructure also used by Mirage, PlayfullDragon (Gref), and Cycldek (Goblin Panda).
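As an added illustration of the infrastructure-overlap triage described above (example code written for this article, not code from RSA or the report; every domain and date is a constructed placeholder, and the 30-day cut-off separating a "brief" overlap from a sustained one is an assumed threshold, not a figure from the report):

```python
"""Cross-reference C&C indicators from several campaigns and report which
domains they share, for how long, and how a threat-intel analyst might read
that overlap (brief slip vs. sustained shared infrastructure).
Added example with constructed data; not from the RSA report."""
from datetime import date
from itertools import combinations

# Constructed sample data: placeholder .invalid domains, not real IoCs.
# For each campaign, domain -> (first_seen, last_seen) observation window.
CAMPAIGNS = {
    "GlassRAT": {
        "c2-a.invalid": (date(2013, 2, 1), date(2015, 9, 1)),
        "c2-shared.invalid": (date(2013, 5, 1), date(2013, 5, 20)),
    },
    "Mirage": {
        "c2-shared.invalid": (date(2012, 11, 1), date(2014, 3, 1)),
        "c2-b.invalid": (date(2012, 1, 1), date(2013, 1, 1)),
    },
    "PlugX": {
        "c2-b.invalid": (date(2012, 6, 1), date(2013, 6, 1)),
    },
}

BRIEF_DAYS = 30  # assumed threshold: shorter concurrent use is flagged as a possible slip


def overlap_days(window_a, window_b):
    """Days on which two (first_seen, last_seen) windows intersect, or 0."""
    start = max(window_a[0], window_b[0])
    end = min(window_a[1], window_b[1])
    return max(0, (end - start).days)


def assess(days, brief_days=BRIEF_DAYS):
    """Translate an overlap length into the analyst's working hypothesis."""
    if days == 0:
        return "sequential reuse: no concurrent activity"
    if days < brief_days:
        return "brief overlap: possible operator slip"
    return "sustained overlap: possible shared infrastructure"


def shared_infrastructure(campaigns, brief_days=BRIEF_DAYS):
    """Return one finding per domain that any two campaigns both used."""
    findings = []
    for (name_x, iocs_x), (name_y, iocs_y) in combinations(campaigns.items(), 2):
        for domain in sorted(set(iocs_x) & set(iocs_y)):
            days = overlap_days(iocs_x[domain], iocs_y[domain])
            findings.append({
                "domain": domain,
                "campaigns": (name_x, name_y),
                "overlap_days": days,
                "assessment": assess(days, brief_days),
            })
    return findings


if __name__ == "__main__":
    for finding in shared_infrastructure(CAMPAIGNS):
        print(f"{finding['domain']:22} {finding['campaigns'][0]} / "
              f"{finding['campaigns'][1]}: {finding['overlap_days']} days "
              f"-> {finding['assessment']}")
```

The point of the windows is that a shared domain on its own says little; the length of concurrent use is what lets an analyst separate a short-lived slip from infrastructure that two teams genuinely share. In practice the observation windows come from passive DNS or sandbox first/last-seen data, and the brief/sustained threshold should be tuned to the dwell times you actually observe.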