Today RSA is reporting GlassRAT, a Remote Access Tool (RAT) that had gone undetected until the RSA Incident Response Team discovered it during an engagement with a multi-national enterprise; RSA Research then investigated it. Endpoint antivirus products did not detect the malware, but RSA Security Analytics identified and alerted on its network traffic, and RSA ECAT subsequently identified the malware on the host.
Evidence suggests that the tool is being used as part of a very targeted campaign, focused on Chinese nationals in commercial organizations.
GlassRAT’s command-and-control (C2) infrastructure briefly overlapped with C2 infrastructure identified in campaigns associated with malware first reported in 2012, which targeted government and military organizations in the Pacific region.
The precise reason for the overlap is unclear. It is notable that GlassRAT appears to have been compiled in late 2012, the same timeframe in which reports of the related malware came to light. Threat actors frequently replace low-level tools such as RATs once they become detectable, without necessarily changing their tactics, procedures, infrastructure, or even their targets. The facts of this case, however, point in a different direction. The targets differ both in number (many versus few) and in character (geopolitical versus commercial). Further, the period of C2 overlap was relatively short, which suggests it may have been an error, a brief breakdown in operational security. One possibility is that these campaigns are run by subordinate departments of a much larger organization that share infrastructure and developers.
Detection and response tools such as RSA Security Analytics and RSA ECAT are valuable in two situations: when an attacker’s tools evade signature-based detection, and when indicators of compromise (in this case, domains and IP addresses) for threat actors that may be targeting your organization are available.
The attached report, written by Kent Backman of RSA Research, details and analyzes GlassRAT, its C2, and its overlap with previous campaigns. Annexes include details on the C2 infrastructure, a graphical depiction of the overlapping C2, malware hashes, and a YARA signature for GlassRAT.
Read the full report here: Peering into GlassRAT