RSA Research has unearthed another Remote Access Tool/Trojan (RAT) used in cyber espionage campaigns.
Dubbed GlassRAT, it has the usual capabilities of this type of malware: information theft, file exfiltration, downloading of additional (malicious) files, creating processes on the target computer, etc.
But what makes this RAT special is that it has been in use for the last three years and, until very recently, was not detected by AV software.
“RSA Research was first alerted to some specific zero detection malware by the RSA Incident Response services team. Also notable is that the first observed sample of this zero detection malware may have been deployed since September of 2012, if the compile time is any indicator,” researcher Kent Backman shared.
The malware is signed with a certificate apparently stolen from a Beijing-based software developer, whose popular software is used by over half a billion users worldwide.
“GlassRat employs many of the telltale signs of good, at least very effective, malware design,” Backman noted. “Its dropper is signed using a compromised certificate from a trusted and well-known publisher [a Beijing-based software developer, whose popular software is used by over half a billion users worldwide]. It deletes itself after successfully delivering its payload. Once installed, the malicious DLL file persists below the radar of endpoint antivirus.”
This latest campaign employing the malware seems to target Chinese nationals associated with large multinational corporations in and outside of China. The malware’s C&C infrastructure can be tied to previous campaigns targeting (with other malware) the Philippines military and the Mongolian government.
Evidence suggests that the malware’s dropper component is served to victims as an Adobe Flash Player update. Both Adobe and Symantec have now been given samples of the malware because they were indirectly affected (Symantec via the stolen Verisign certificate), and it is likely that the malware will soon be detected by an ever-increasing number of AV products.
More information about the malware and how to spot it can be found in this paper.