I've read about a newly discovered remote access Trojan called "GlassRAT" that was previously undetected for an estimated three years and was part of a campaign targeting Chinese nationals in commercial businesses. How did this remote access Trojan go undetected for so long?
Every time a malware author creates an entirely new piece of malware or remote access Trojan, he has made a new "zero detection" piece of malware. RSA Research published a report on a new remote administration tool observed by RSA Incident Response. The GlassRAT Trojan appears to have gone undetected for several years and is primarily targeting Chinese nationals associated with large multinational corporations.
The GlassRAT malware was signed using a legitimate software signing certificate, and the certificate owner appears to have software used by millions of users. The dropper used to install the malware deletes itself once the malware is installed, which reduces the chance of detection. The malware is reported to persist on the system only as a DLL file. It sets itself to run at user login using the Run registry key and at system startup by setting up a Windows service named "RasAuto." The common name of the DLL and the service name might have helped the malware avoid standing out to an end user looking at his computer for signs of malware. The command-and-control (C&C) infrastructure used IP addresses shared by other malware, but not for a significant amount of time, which could also have helped keep attention away from GlassRAT. The malware also didn't use encryption for the C&C communications, so an IDS could have detected it, but didn't.
GlassRAT stayed undetected for so long because it was custom malware targeted at a small population. While the malware author took steps to hide it, those steps were not particularly advanced. If someone with some technical skills had detected it, they might have just removed the suspicious file without further investigation or sharing it, instead of conducting a thorough investigation like RSA did to determine what the malware could do and to develop indicators of compromise to share within trust groups.
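The two persistence mechanisms described above (a DLL started from the Run key and the same DLL registered as a service) can be cross-checked during triage. The following is an added example, not code from the RSA report or the original answer; the registry values are constructed, and the System32 baseline and environment-variable mapping are assumptions.

```python
import ntpath
import re

# Assumptions (not from the article): Windows is installed in C:\Windows and
# service DLLs shipped with the operating system live directly in System32.
ENV = {"%systemroot%": r"c:\windows", "%windir%": r"c:\windows"}
TRUSTED_DIR = r"c:\windows\system32"
DLL_RE = re.compile(r'((?:[a-z]:|%\w+%)\\[^",]+?\.dll)', re.I)

def dll_path(value):
    """Return the normalised DLL path referenced by a registry value, or None."""
    match = DLL_RE.search(value)
    if not match:
        return None
    path = match.group(1).lower()
    for var, real in ENV.items():
        path = path.replace(var, real)
    return ntpath.normpath(path)

def triage(run_values, service_dlls):
    """Return leads: DLLs started from a Run key, service DLLs outside
    System32, and any DLL registered through both mechanisms."""
    findings, run_dlls = [], {}
    for name, command in run_values.items():
        path = dll_path(command)
        if path:
            run_dlls[path] = name
            findings.append(("run-key-loads-dll", name, path))
    for service, value in service_dlls.items():
        path = dll_path(value)
        if path is None:
            continue
        if ntpath.dirname(path) != TRUSTED_DIR:
            findings.append(("service-dll-outside-system32", service, path))
        if path in run_dlls:
            findings.append(("dll-in-run-key-and-service", service, path))
    return findings

# Constructed sample data (not taken from a real host or from the RSA report).
RUN_VALUES = {
    "Updater": r'rundll32.exe "C:\ProgramData\Example Vendor\example.dll",Start',
    "Chat": r'"C:\Program Files\Chat\chat.exe" /background',
}
SERVICE_DLLS = {
    "RasAuto": r"C:\ProgramData\Example Vendor\example.dll",
    "Schedule": r"%SystemRoot%\System32\schedsvc.dll",
}

if __name__ == "__main__":
    for finding in triage(RUN_VALUES, SERVICE_DLLS):
        print(finding)
```

On a live host the two dictionaries would be filled from the Run keys and from each service's `Parameters\ServiceDll` value; a valid signature on the flagged DLL does not clear it, since GlassRAT was signed with a legitimate certificate.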