I've read about a newly discovered remote access Trojan called "GlassRAT" that was previously undetected for an...
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
estimated three years and was part of a campaign targeting Chinese nationals in commercial businesses. How did this remote access Trojan go undetected for so long?
Every time a malware author creates an entirely new piece of malware or remote access Trojan, he has made a new "zero detection" piece of malware. RSA Research published a report on a new remote administration tool observed by RSA Incident Response. The GlassRAT Trojan appears to have gone undetected for several years and is primarily targeting Chinese nationals associated with large multinational corporations.
The GlassRAT malware was signed using a legitimate software signing certificate and the certificate owner appears to have software used by millions of users. The dropper that is used for installing the malware deletes itself once the malware is installed, which reduces the chance for the malware to get detected. It is reported to only persist as a DLL file on the system. The malware sets itself to run during user login using the Run registry key and at system time by setting up a Windows service named "RasAuto." The common name of the DLL and the service name might have helped the malware not stick out to an end user looking at his computer for signs of malware. The command-and-control (C&C) IP addresses used IPs shared by other malware, but not for a significant amount of time, which could have also helped not bring attention to GlassRAT. The malware also didn't use encryption for the C&C communications, so an IDS could have detected it, but didn't.
GlassRAT stayed undetected for so long because it had been targeted at a small population with custom malware. While the malware author took steps to hide it, they were not particularly advanced. If someone with some technical skills had detected it, they might have just removed the suspicious file without further investigation or sharing it, instead of conducting a thorough investigation like RSA did, in order to determine what the malware could do and develop indicators of compromise to share within trust groups.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read about how to defend against password-capturing Trojans
Learn if Detekt is able to identify remote administration Trojans
Find out the best tools to help you detect remote access Trojans
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Cross-platform malware enables attackers to leverage their attacks using infected Microsoft Word docs. Expert Nick Lewis explains how the attacks ...continue reading
How was the ATMitch malware able to loot cash machines, then delete itself? Expert Nick Lewis explains how the fileless malware works and how it ...continue reading
DoubleAgent malware is a proof of concept for a zero-day vulnerability that can turn antivirus tools into attack vectors. Expert Nick Lewis explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.