A remote access Trojan used sparingly in targeted attacks has been found after living under cover for three years, undetected by most security gear.
The RAT, dubbed GlassRAT, was signed with a certificate belonging to a popular Chinese software company with hundreds of millions of users worldwide. The RAT was used to spy on Chinese nationals working in commercial outfits, and could have ties with other malware campaigns dating back to 2012.
The malware was discovered earlier this year by researchers at RSA Security during an incident response call. The victim, as it turned out, was a Chinese national working at a large “multinational corporation,” RSA said; the victim was not in China. It’s unknown how the victim was infected, whether via a phishing campaign, drive-by download or some other means, RSA said.
“There’s not a whole lot of insight into that beside the specific activity on the multinational company’s network where there was command and control traffic from the device via command line,” said Kent Backman, the primary researcher on the investigation. “There was an actor on the other side investigating the network that the laptop was on. It seems like an intelligence-gathering tool; that’s the most likely purpose for this RAT.”
While these targets were primarily commercial for the purposes of industrial espionage, some of the command and control infrastructure used by GlassRAT was also used in previous campaigns against geopolitical targets, likely for some sort of political espionage.
“We tend to believe that because the targeting is different, going from geopolitical to commercial, that we’re probably dealing with a different division of a much larger hacking organization that showed a few of its cards with respect to command and control,” Backman said.
RSA said it had to wait several months for a hit on a YARA signature it uploaded to VirusTotal and other sources before it was able to conclude that the GlassRAT infrastructure was also used in attacks against the Philippine and Mongolian governments, but with different malware: Mirage (MirageRAT), magicFire and PlugX.
“The temporal overlap window in shared infrastructure was relatively short implying a possible operational security slip by the actors behind GlassRAT if not deliberate sharing of infrastructure,” RSA wrote in a report published today.
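The infrastructure pivot described above (the same command and control indicator showing up under different malware families, with only a short window in which both were active) is a routine analytic step for a defender. The following is an added example, not code from RSA or from the report; the sightings are constructed placeholders, not real GlassRAT, Mirage, magicFire or PlugX indicators, and the `shared_infrastructure` and `short_overlaps` helpers are names chosen here for illustration.

```python
from datetime import date
from itertools import combinations

# Constructed sample sightings (not from the RSA report): each entry is
# (malware family, C2 indicator, first seen, last seen). The indicator
# values are placeholders, not real infrastructure.
SIGHTINGS = [
    ("GlassRAT", "c2-placeholder-a.example", date(2015, 3, 1), date(2015, 3, 20)),
    ("Mirage", "c2-placeholder-a.example", date(2014, 11, 1), date(2015, 3, 5)),
    ("PlugX", "c2-placeholder-b.example", date(2013, 6, 1), date(2013, 9, 1)),
    ("GlassRAT", "c2-placeholder-b.example", date(2013, 8, 15), date(2013, 8, 30)),
    ("Mirage", "c2-placeholder-b.example", date(2012, 1, 1), date(2012, 2, 1)),
    ("magicFire", "c2-placeholder-c.example", date(2012, 1, 1), date(2012, 5, 1)),
]


def shared_infrastructure(sightings):
    """Group sightings by C2 indicator and report every pair of distinct
    families that used the same indicator, together with the number of days
    in which both were active at once (0 if their periods never overlap)."""
    by_indicator = {}
    for family, indicator, first, last in sightings:
        by_indicator.setdefault(indicator, []).append((family, first, last))

    findings = []
    for indicator, uses in sorted(by_indicator.items()):
        # Every unordered pair of uses of this indicator by different families.
        for (fam_a, a_first, a_last), (fam_b, b_first, b_last) in combinations(uses, 2):
            if fam_a == fam_b:
                continue
            overlap_start = max(a_first, b_first)
            overlap_end = min(a_last, b_last)
            # Inclusive day count; negative spans (no overlap) clamp to 0.
            overlap_days = max(0, (overlap_end - overlap_start).days + 1)
            findings.append({
                "indicator": indicator,
                "families": tuple(sorted((fam_a, fam_b))),
                "overlap_days": overlap_days,
            })
    return findings


def short_overlaps(findings, max_days):
    """Select findings where the two families were simultaneously active for a
    short window only: the pattern the report reads as a possible operational
    security slip rather than long-term deliberate sharing."""
    return [f for f in findings if 0 < f["overlap_days"] <= max_days]


if __name__ == "__main__":
    findings = shared_infrastructure(SIGHTINGS)
    for f in findings:
        print(f"{f['indicator']}: {f['families'][0]} / {f['families'][1]} "
              f"overlap {f['overlap_days']} day(s)")
    print("short overlaps (<= 7 days):",
          [f["families"] for f in short_overlaps(findings, 7)])
```

Sequential reuse with no overlap at all (an indicator retired by one family and later picked up by another) is reported with a zero-day overlap, so an analyst can distinguish it from concurrent use; only the non-zero, short windows are the ones worth a second look as an opsec slip.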
RSA would not disclose the company whose certificate was stolen, but did say that it has subsequently been revoked. The cert was used to sign a dropper for the malware, which deletes itself after downloading the malware to the compromised machine. RSA said that the unnamed Beijing-based software company develops one app in particular that has more than 500 million users, and it’s that application’s name that appears as the name used by the malware in the certificate dialog box during installation.
“We know this malware was extremely effective on the large multinational corporation,” Backman said. “It was not detected for years by antivirus, and chances are, had it been more widely targeted, the chances of escaping AV would have been less.”