GlassRAT Zero-Detection Trojan Targets Chinese Nationals

Share this…

A previously undetectable remote administration tool has been uncovered, dubbed “GlassRAT”

The zero-detection Trojan appears to have operated stealthily for three years, according to RSA, and evidence suggests it is being used as part of a very targeted campaign, focused on Chinese nationals in commercial organizations.

GlassRAT employs many of the telltale signs of good, at least very effective, malware design. Its dropper is signed using a compromised certificate from a trusted and well-known publisher. It deletes itself after successfully delivering its payload. Once installed, the malicious DLL file persists below the radar of endpoint antivirus.

Notably, GlassRAT’s command and control structure has exhibited brief overlap with CnC that was identified in campaigns associated with malware reported in 2012 that targeted government and military organizations in the Pacific Region.

GlassRAT Zero-Detection Trojan Targets Chinese Nationals

Specifically, GlassRAT connected to Mirage malware CnC hosting, which in turn is connected to Magicfire, PlugX and Mirage malware targeting the Philippine military and the Mongolian government.

The precise reason for the overlap is unclear, according to RSA.

“GlassRAT appears to have been compiled in late 2012—the same timeframe when reports of the related malware came to light,” the firm said in its report. “Frequently, threat actors will simply replace low-level tools such as RATs once they are detectable, without necessarily modifying tactics, procedures, infrastructure or even the targets themselves. The facts of this case, however, suggest otherwise. The targets are dissimilar both in quantity (many vs. few) and characteristics (geopolitical vs. commercial).”

 Further, the time period of the C2 overlap was relatively short, which suggests that it may have happened in error, in a brief breakdown in operational security. Or, perhaps subordinate departments of a much larger organization with shared infrastructure and developers run these campaigns.

Scant few other details are known, for now. But RSA researchers noted that detecting the infrastructure and resulting behavior of these tools is perhaps more important when preventive defenses consistently fail.

“It is also crucially important to recognize the potential origins of these attacks, when detected, to better understand risks to the organization,” RSA added.