- Stealthy GlassRAT Spies on Commercial Targets
Thursday, November 26, 2015
A remote access Trojan used sparingly in targeted attacks has been found after living under cover for three years, undetected by most security gear.
The RAT, dubbed GlassRAT, was signed with a certificate belonging to a popular Chinese software company with hundreds of millions of users worldwide. The RAT was used to spy on Chinese nationals working in commercial outfits, and could have ties with other malware campaigns dating back to 2012.
The malware was discovered earlier this year by researchers at RSA Security during an incident response call. The victim, as it turned out, was a Chinese national working at a large “multinational corporation,” RSA said; the victim was not in China. It’s unknown how the victim was infected, whether via a phishing campaign, drive-by download or some other means, RSA said.
“There’s not a whole lot of insight into that beside the specific activity on the multinational company’s network where there was command and control traffic from the device via command line,” said Kent Backman, the primary researcher on the investigation. “There was an actor on the other side investigating the network that the laptop was on. It seems like an intelligence-gathering tool; that’s the most likely purpose for this RAT.”
While these targets were primarily commercial for the purposes of industrial espionage, some of the command and control infrastructure used by GlassRAT was also used in previous campaigns against geopolitical targets, likely for some sort of political espionage.
“We tend to believe that because the targeting is different, going from geopolitical to commercial, that we’re probably dealing with a different division of a much larger hacking organization that showed a few of its cards with respect to command and control,” Backman said.
RSA said it had to wait several months for a hit on a Yara signature it uploaded to VirusTotal and other sources before it was able to conclude that the GlassRAT infrastructure was also used in attacks against the Philippine and Mongolian governments, but with different malware: Mirage (MirageRAT), magicFire and PlugX.
“The temporal overlap window in shared infrastructure was relatively short implying a possible operational security slip by the actors behind GlassRAT if not deliberate sharing of infrastructure,” RSA wrote in a report published today.
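The infrastructure pivot described above (one C2 indicator seen with several malware families, and the length of the window in which their use overlapped) is a routine threat-intelligence check. The following is an added example, not code from RSA's report: it takes a list of indicator sightings and reports, per shared indicator, which families used it and for how many days their active windows overlapped. The domains, dates and the `Sighting` layout are constructed for illustration; only the family names come from the article.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Sighting:
    indicator: str   # C2 domain or IP address
    family: str      # malware family observed using the indicator
    first_seen: date
    last_seen: date


# Constructed sample data: hypothetical domains and dates, not taken from the RSA report.
SIGHTINGS = [
    Sighting("c2-a.example.invalid", "GlassRAT", date(2015, 3, 1), date(2015, 4, 15)),
    Sighting("c2-a.example.invalid", "PlugX", date(2013, 6, 1), date(2015, 3, 20)),
    Sighting("c2-b.example.invalid", "GlassRAT", date(2014, 9, 1), date(2015, 2, 1)),
    Sighting("c2-b.example.invalid", "Mirage", date(2012, 11, 1), date(2013, 5, 1)),
    Sighting("c2-c.example.invalid", "magicFire", date(2014, 1, 1), date(2014, 6, 1)),
]


def overlap_days(a: Sighting, b: Sighting) -> int:
    """Days on which both sightings were active (inclusive); 0 when the windows are disjoint."""
    start = max(a.first_seen, b.first_seen)
    end = min(a.last_seen, b.last_seen)
    return max(0, (end - start).days + 1)


def shared_infrastructure(sightings):
    """Return {indicator: [(family_1, family_2, overlap_days), ...]} for every indicator
    that was seen with more than one family.  A positive overlap means the families
    used the indicator at the same time; 0 means sequential reuse with a gap."""
    by_indicator = defaultdict(list)
    for s in sightings:
        by_indicator[s.indicator].append(s)
    result = {}
    for indicator, group in by_indicator.items():
        pairs = [
            (a.family, b.family, overlap_days(a, b))
            for a, b in combinations(group, 2)
            if a.family != b.family
        ]
        if pairs:
            result[indicator] = pairs
    return result


def families_linked_to(family: str, sightings) -> set:
    """Every other family that shares at least one indicator with `family`."""
    linked = set()
    for pairs in shared_infrastructure(sightings).values():
        for f1, f2, _ in pairs:
            if f1 == family:
                linked.add(f2)
            elif f2 == family:
                linked.add(f1)
    return linked


if __name__ == "__main__":
    for indicator, pairs in shared_infrastructure(SIGHTINGS).items():
        for f1, f2, days in pairs:
            print(f"{indicator}: {f1} / {f2} overlapped for {days} day(s)")
    print("Families linked to GlassRAT:", sorted(families_linked_to("GlassRAT", SIGHTINGS)))
```

A short, positive overlap on an otherwise long-lived indicator is the pattern the report calls an operational-security slip; a zero overlap still links the families but says only that the infrastructure was reused over time.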
RSA would not disclose the company whose certificate was stolen, but did say that it has subsequently been revoked. The cert was used to sign a dropper for the malware, which deletes itself after downloading the malware to the compromised machine. RSA said that the unnamed Beijing-based software company develops one app in particular that has more than 500 million users, and it is that application’s name that the malware displayed in the certificate dialog box during installation.
“We know this malware was extremely effective on the large multinational corporation,” Backman said. “It was not detected for years by antivirus, and chances are, had it been more widely targeted, the chances of escaping AV would have been less.”