Wilderness of Mirrors: Case Study of GlassRAT

Simple but Capable RAT: Designed for Deception



RSA discovered GlassRAT (RAT = Remote Access Trojan), a spy tool aimed at commercial targets, in February 2015 on the computer of a Chinese national while analyzing an incident at a multinational company based in the U.S.

RSA had to wait several months for a hit on a YARA signature they had uploaded to VirusTotal before they could conclude that the GlassRAT infrastructure had also been used in attacks against the Philippine and Mongolian governments, with different malware families: Mirage (also known as MirageRAT), PlugX, and MagicFire.

GlassRAT has the usual Remote Access Trojan capabilities, including reverse shell functionality that gives attackers access to the infected device. With that access the attackers were able to transfer unauthorized files, steal data, and transmit information about the victim's system. Based on the compile time, it appears GlassRAT was actually deployed in September of 2012, which means it went three years without being detected by antivirus products.


The dropper program associated with the file poses as Adobe Flash Player and was named "Flash.exe" when it was first detected. The dropper that delivers the Trojan via the fake Flash installation also erases itself from the system once it has installed the malware. It is also important to note that the dropper had been signed with a legitimate (albeit stolen) certificate belonging to a popular software developer in China. Another reason the dropper kept a low profile for three years is that it was not uploaded to public malware databases until September of 2015.
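The two warning signs this case study turns on, a compile timestamp years older than the sample's first public submission and an installer-lookalike file name signed by someone other than the product's vendor, can be checked mechanically during triage. The script below is an added illustration and is not RSA's tooling or code from the GlassRAT analysis: it builds a constructed minimal PE header (not real GlassRAT bytes) carrying a September 2012 compile time, reads the timestamp back, and compares it with an assumed first-seen date of September 2015. The `EXPECTED_SIGNER` table and the signer string are assumptions standing in for the output of a real Authenticode check.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# ---- Constructed sample data (not real GlassRAT bytes) ----------------------
# Compile time and first-seen date mirror the article's Sept 2012 / Sept 2015
# timeline; the day-of-month values are assumed for the demo.
COMPILE_TIME = datetime(2012, 9, 1, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2015, 9, 1, tzinfo=timezone.utc)

# Hypothetical mapping of file names that imitate well-known installers to the
# vendor expected to sign them (assumed values, not taken from the article).
EXPECTED_SIGNER = {"flash.exe": "Adobe Systems Incorporated"}


def build_minimal_pe(compiled: datetime) -> bytes:
    """Build a minimal DOS stub + PE/COFF file header with the given compile time."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header starts at 0x40
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,                      # Machine: i386
        1,                          # NumberOfSections
        int(compiled.timestamp()),  # TimeDateStamp (seconds since the Unix epoch)
        0, 0,                       # PointerToSymbolTable, NumberOfSymbols
        0xE0,                       # SizeOfOptionalHeader (PE32)
        0x0102,                     # Characteristics: executable, 32-bit
    )
    return bytes(dos) + b"PE\x00\x00" + coff


SAMPLE_PE = build_minimal_pe(COMPILE_TIME)


def pe_compile_time(data: bytes) -> datetime:
    """Read TimeDateStamp from the COFF file header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    # TimeDateStamp sits 4 bytes into the COFF header, which follows the 4-byte signature.
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def triage_sample(file_name: str, data: bytes, first_seen: datetime,
                  signer: Optional[str]) -> dict:
    """Flag a long compile-to-first-seen gap and a vendor/signer mismatch."""
    compiled = pe_compile_time(data)
    dwell_days = (first_seen - compiled).days
    findings = []
    if dwell_days > 365:
        findings.append(f"dwell: compiled {dwell_days} days before first public submission")
    expected = EXPECTED_SIGNER.get(file_name.lower())
    if expected is not None and signer != expected:
        findings.append(f"masquerade: {file_name} signed by {signer!r}, expected {expected!r}")
    return {"compiled": compiled.isoformat(), "dwell_days": dwell_days, "findings": findings}


def run_demo() -> dict:
    # The signer string is a placeholder for what an external Authenticode
    # check would report; it is not the certificate holder named in the RSA report.
    return triage_sample("Flash.exe", SAMPLE_PE, FIRST_SEEN,
                         signer="<placeholder: unrelated software vendor>")


if __name__ == "__main__":
    for finding in run_demo()["findings"]:
        print(finding)
```

Treat the dwell figure as a hint rather than proof: the PE timestamp is attacker-controlled and can be zeroed or forged, so it is most useful when it agrees with independent evidence such as the earliest host-based artifact or the certificate's validity window.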