
How did remote access Trojan GlassRAT evade detection?

A remote administration tool like GlassRAT can go undetected for long periods of time. Expert Nick Lewis uncovers how this type of malware works and affects corporations.

I've read about a newly discovered remote access Trojan called "GlassRAT" that was previously undetected for an estimated three years and was part of a campaign targeting Chinese nationals in commercial businesses. How did this remote access Trojan go undetected for so long?

Every time a malware author creates an entirely new piece of malware or remote access Trojan, the result is effectively "zero detection" malware: no antivirus signature exists for it yet. RSA Research published a report on a new remote administration tool observed by RSA Incident Response. The GlassRAT Trojan appears to have gone undetected for several years and primarily targets Chinese nationals associated with large multinational corporations.

The GlassRAT malware was signed with a legitimate code-signing certificate, and the certificate's owner appears to be a vendor whose software is used by millions of users. The dropper that installs the malware deletes itself once installation is complete, which reduces the chance of the malware being detected. It is reported to persist only as a DLL file on the system. The malware sets itself to run at user login using the Run registry key and at system startup by registering a Windows service named "RasAuto." The unremarkable DLL name and the service name, which matches a built-in Windows service, might have helped the malware avoid standing out to an end user looking at his computer for signs of infection. The command-and-control (C&C) IP addresses were shared with other malware, but not for a significant amount of time, which could also have helped keep GlassRAT from drawing attention. The malware did not encrypt its C&C communications, so an IDS could have detected it, but didn't.

GlassRAT stayed undetected for so long because it was custom malware aimed at a small population. While the malware author took steps to hide it, those steps were not particularly advanced. If someone with some technical skill had noticed it, they might simply have removed the suspicious file without further investigation or sharing, rather than conducting a thorough investigation as RSA did in order to determine what the malware could do and to develop indicators of compromise to share within trust groups.


This was last published in April 2016
