Minerva Studio - Fotolia
I've read about a newly discovered remote access Trojan called "GlassRAT" that was previously undetected for an estimated three years and was part of a campaign targeting Chinese nationals in commercial businesses. How did this remote access Trojan go undetected for so long?
Every time a malware author creates an entirely new piece of malware or remote access Trojan, he has made a new "zero detection" piece of malware. RSA Research published a report on a new remote administration tool observed by RSA Incident Response. The GlassRAT Trojan appears to have gone undetected for several years and is primarily targeting Chinese nationals associated with large multinational corporations.
The GlassRAT malware was signed using a legitimate software signing certificate and the certificate owner appears to have software used by millions of users. The dropper that is used for installing the malware deletes itself once the malware is installed, which reduces the chance for the malware to get detected. It is reported to only persist as a DLL file on the system. The malware sets itself to run during user login using the Run registry key and at system time by setting up a Windows service named "RasAuto." The common name of the DLL and the service name might have helped the malware not stick out to an end user looking at his computer for signs of malware. The command-and-control (C&C) IP addresses used IPs shared by other malware, but not for a significant amount of time, which could have also helped not bring attention to GlassRAT. The malware also didn't use encryption for the C&C communications, so an IDS could have detected it, but didn't.
GlassRAT stayed undetected for so long because it had been targeted at a small population with custom malware. While the malware author took steps to hide it, they were not particularly advanced. If someone with some technical skills had detected it, they might have just removed the suspicious file without further investigation or sharing it, instead of conducting a thorough investigation like RSA did, in order to determine what the malware could do and develop indicators of compromise to share within trust groups.
Ask the Expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)
Read about how to defend against password-capturing Trojans
Learn if Detekt is able to identify remote administration Trojans
Find out the best tools to help you detect remote access Trojans
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Nick Lewis
Port scans provide data on how networks operate. In the wrong hands, this info could be part of a larger malicious scheme. Learn how to detect and ... Continue Reading
Cloud penetration testing presents new challenges for information security teams. Here's how a playbook from the Cloud Security Alliance can help ... Continue Reading
Many cloud providers are tight-lipped about internal security control details. Learn how to evaluate cloud security providers with certifications and... Continue Reading