In-brief: RSA Security said a newly discovered Trojan horse program may have been lurking for three years on corporate networks. Chinese nationals were the apparent target.
RSA researchers issued a report (PDF) today about a remote access trojan (RAT) program dubbed “GlassRAT” that they link to sophisticated and targeted attacks on “Chinese nationals associated with large multinational corporations.”
The hacking tool is designed to give remote adversaries access to, and control over, compromised computers on a target network. Though discovered by RSA in February of this year, GlassRAT was first created in 2012 and “appears to have operated, stealthily, for nearly 3 years in some environments,” in part with the help of a legitimate certificate from a prominent software publisher, signed by Symantec and Verisign, RSA reports.
The malware and associated files are similar to malicious software used in other sophisticated attacks, including a dropper program that is signed using a compromised certificate from what RSA described as “a trusted and well-known software publisher” with “500 million users.”
The software is described as a “simple but capable RAT” that packs reverse shell features that allow attackers to remotely control infected computers as well as transfer files and list active processes. The dropper program associated with the file poses as the Adobe Flash player, and was named “Flash.exe” when it was first detected.
It resides on infected systems as a malicious DLL (dynamic link library) file that evades detection by endpoint antivirus programs. The company discovered it on the PC of a Chinese national working for a large U.S. multinational corporation while investigating suspicious network traffic on the enterprise network.
The command and control structure that the malicious software uses has been observed before in connection with malware campaigns in 2012 that targeted government and military organizations in the Pacific Region. However, the malware and targets of the GlassRAT campaign are quite different, RSA noted. RSA says telemetry data and anecdotal reports suggest that GlassRAT may principally be targeting Chinese nationals or other Chinese speakers, in China and elsewhere, since at least early 2013.
The reason for the overlap is unclear, though it suggests that GlassRAT was created in a similar timeframe as the earlier campaign. The overlap may indicate that the attackers merely swapped one low-level hacking tool for another or – possibly – that two departments of the same organization accidentally shared infrastructure for a short period, merging two separate campaigns, according to a blog post by RSA’s Peter Beardmore.
RSA said it has discovered links between GlassRAT and earlier malware families including Mirage, Magicfire and PlugX. Those applications have been linked to targeted campaigns against the Philippine military and the Mongolian government.