RSA Warns Of Zero-Detection Trojan That Went Undetected For More Than Three Years While Stealthily Targeting Victims, Security Firm Says
It has taken me a few days to get around to the articles I wanted to write because of taking some time off to play golf over Thanksgiving. One of those articles was on the November 24, 2015 Dark Reading website by Jai Vijayan. He discussed the GlassRAT, “which remained undetected for more than three years, while stealthily targeting its victims. It’s apparently not just zero-day vulnerabilities that organizations need to worry about these days, but also zero detection malware threats,” Mr. Vijayan wrote.
“For the second time in recent weeks, a security vendor has issued a warning about a malware tool that appears to have evaded detection for multiple years — while stealthily going about targeting victims. The malware, called GlassRAT, appears to have been released in 2012,” Mr. Vijayan wrote. “The limited telemetry and anecdotal reports that are available on it — indicate GlassRAT has been used to target Chinese nationals at large multinational companies,” RSA Research said in a release last week.
“The ‘zero-detection malware,’ which is signed with a digital certificate apparently misappropriated from a Chinese software developer, is ‘transparent’ to most antivirus tools, RSA researchers said in the report. It is detectable only via network forensics and specialized tools that are capable of detecting suspicious activity on endpoint systems,” they said.
“GlassRAT appears to have operated stealthily for 3 years [undetected] in some environments,” the paper noted.
“The RSA researchers described GlassRAT as a well-designed remote access Trojan (RAT) that is being used in a highly targeted manner. The dropper used to deliver the payload is digitally signed and deletes itself from the system after the task is complete. Once installed, the malicious file itself remains below the radar of endpoint anti-malware [detection] tools,” Mr. Vijayan wrote. “The malware provides reverse shell functionality on an infected system — allowing the threat actors behind GlassRAT to directly connect to it from a remote location. The malware is designed to steal the data, transfer files and relay system information to the attackers.”
“What makes GlassRAT notable is not what it is, but perhaps rather where it came from, who is using it, and for what purpose,” the researchers said. “Available information on GlassRAT suggests it is connected to, or at least has used, the same command and control infrastructure that other malware campaigns in the past have used to target organizations of strategic and geopolitical significance,” RSA said.
“Two domains associated with GlassRAT, for instance, were previously associated with the Mirage and PlugX campaigns that targeted military and government organizations in Mongolia and the Philippines. The overlap window is fairly small, suggesting that the threat actors behind GlassRAT may have made an operational slip in using the same infrastructure,” Mr. Vijayan wrote.
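The infrastructure-overlap check the researchers describe (a domain used by two campaigns, and how small the window of shared use was) can be reproduced from a defender's own sighting records. The example below is added here and is not code from the article or from RSA's report; the campaign names are those in the text, but the domains and dates are constructed placeholders, not real indicators.

```python
from datetime import date
from itertools import combinations

# Constructed sightings: (campaign, domain, first_seen, last_seen).
# Placeholder domains and dates; not the real GlassRAT/Mirage/PlugX infrastructure.
OBSERVATIONS = [
    ("GlassRAT", "c2-alpha.example", date(2013, 3, 1), date(2013, 3, 20)),
    ("Mirage",   "c2-alpha.example", date(2012, 6, 1), date(2013, 3, 5)),
    ("GlassRAT", "c2-beta.example",  date(2014, 1, 10), date(2014, 2, 28)),
    ("PlugX",    "c2-beta.example",  date(2014, 2, 20), date(2014, 9, 1)),
    ("GlassRAT", "c2-gamma.example", date(2015, 1, 1), date(2015, 6, 1)),
]


def shared_infrastructure(observations, max_overlap_days=None):
    """Return (domain, campaign_a, campaign_b, overlap_days) for every domain
    seen in use by two different campaigns.

    overlap_days counts the inclusive days on which both campaigns were using
    the domain (0 if the two usage windows never touched). Passing
    max_overlap_days keeps only the short overlaps, which are the ones that
    look like an operational slip rather than long-term shared hosting.
    """
    by_domain = {}
    for campaign, domain, first, last in observations:
        by_domain.setdefault(domain, []).append((campaign, first, last))

    results = []
    for domain, uses in by_domain.items():
        for (ca, fa, la), (cb, fb, lb) in combinations(uses, 2):
            if ca == cb:
                continue  # two sightings by the same campaign are not an overlap
            start, end = max(fa, fb), min(la, lb)
            overlap = (end - start).days + 1 if end >= start else 0
            if max_overlap_days is None or overlap <= max_overlap_days:
                results.append((domain, ca, cb, overlap))
    return sorted(results)


if __name__ == "__main__":
    for domain, a, b, days in shared_infrastructure(OBSERVATIONS):
        print(f"{domain}: {a} and {b} overlapped for {days} day(s)")
```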
“The threat represented by the malware GlassRAT should not be underestimated, because there may be many more undetected, or non-detectable samples like it in the world,” RSA warned. “It is also critically important to recognize the potential origins of these attacks, when detected, to better understand risks to the organization,” RSA added.
“GlassRAT marks the second time this month when a security vendor has warned about malware that remained undetected for a lengthy period. Earlier this month,” Mr. Vijayan notes, “Trustwave issued an alert on Cherry Picker, a point-of-sale (PoS) malware tool — that like GlassRAT — remained below the radar for more than four years before being discovered. Trustwave pointed to Cherry Picker’s use of encryption, modified configuration files, and sophisticated obfuscation techniques as reasons why the malware remained undetected for so long. According to researchers at RSA, no malware they have encountered goes quite as far as Cherry Picker does in cleaning up after itself — after infecting a system.”
As I have often written on this blog, the cyber threat is constantly evolving; cyber thieves continue to find clever ways to evade detection, and they are getting better at covering their digital tracks — so that you may not know they were even there. Remember, the absence of evidence of a breach or compromise is not evidence of absence, as my former boss Secretary Rumsfeld liked to say. Alas, the best cyber thieves and spies — haven’t been caught yet. V/R, RCP