GlassRAT linked to earlier geopolitical malware campaigns

David Bisson

Security researchers at RSA have discovered that the GlassRAT remote administration trojan (RAT) might have shared command and control (C&C) infrastructure with geopolitical malware campaigns observed earlier this decade.


The authors of RSA’s research paper explain that they linked GlassRAT to other malicious C&C infrastructures using malicious domains that pointed to common hosting.

In particular, they reveal that two domains on which an IP address and server for GlassRAT operated – alternate009[dot]com and mechanicnote[dot]com – were at one point connected to C&C host records for Mirage (also known as MirageFox) and PlugX, two malware samples that targeted the Philippines military and the Mongolian government, respectively.


Their research also points to common hosting with the malware MagicFire, which also targeted the Philippines military, by way of two IP addresses that were shared with PlugX, as well as the two domains discussed above.

Overall, the overlap window with MagicFire, PlugX, and Mirage was relatively short, which RSA explains might be due to a “possible operational security slip” by the developers of GlassRAT. Alternatively, that C&C infrastructure might have been deliberately shared.

In either case, the fact that GlassRAT was at one time connected to the malicious C&C infrastructure of three malware samples makes it quite interesting:

“…what makes GlassRat notable is not what it is, but perhaps rather where it came from, who is using it, and for what purpose,” note the researchers.
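The common-hosting link and short overlap window described above can be reproduced from passive-DNS style data. The following is an added example, not code from RSA's paper or the original article: it groups resolution records by IP and reports cross-family pairs whose resolution windows overlap, with the overlap length in days. The domains, IP addresses, dates and the family labels attached to them are constructed placeholders.

```python
from datetime import date
from itertools import combinations

# Constructed passive-DNS style records (placeholders, not real indicators):
# (family, domain, ip, first_seen, last_seen)
RECORDS = [
    ("GlassRAT", "c2-a.example", "203.0.113.10", date(2012, 9, 1), date(2015, 6, 30)),
    ("Mirage", "c2-b.example", "203.0.113.10", date(2012, 11, 5), date(2012, 11, 20)),
    ("PlugX", "c2-c.example", "203.0.113.10", date(2011, 1, 1), date(2012, 8, 15)),
    ("PlugX", "c2-d.example", "198.51.100.7", date(2013, 2, 1), date(2013, 2, 10)),
    ("GlassRAT", "c2-a.example", "198.51.100.7", date(2013, 2, 8), date(2013, 3, 1)),
]


def hosting_overlaps(records):
    """Return cross-family pairs that resolved to the same IP at the same time.

    Each hit is (ip, family_a, domain_a, family_b, domain_b, start, end, days).
    """
    by_ip = {}
    for rec in records:
        by_ip.setdefault(rec[2], []).append(rec)

    hits = []
    for ip, recs in by_ip.items():
        for a, b in combinations(recs, 2):
            if a[0] == b[0]:
                continue  # same family: not a cross-campaign link
            start = max(a[3], b[3])
            end = min(a[4], b[4])
            if start > end:
                # Same IP at different times: address reuse, weak evidence.
                continue
            days = (end - start).days + 1  # inclusive window length
            hits.append((ip, a[0], a[1], b[0], b[1], start, end, days))
    return sorted(hits, key=lambda h: h[5])


if __name__ == "__main__":
    for hit in hosting_overlaps(RECORDS):
        print("%s: %s (%s) <-> %s (%s), %s to %s, %d days" % hit)
```

Sequential use of the same address (the first PlugX record here) is filtered out, since hosting providers recycle IPs; only simultaneous resolution is reported.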

As noted by Threatpost, RSA’s security team first came into contact with GlassRAT earlier this year during an incident response call with a Chinese national working at a large “multinational corporation”.

Then in September, RSA came across two samples of the GlassRAT droppers, neither of which was detected by any of 57 different anti-virus scanners when tested via VirusTotal. It was later determined that the second dropper had been signed with a certificate associated with a Chinese software developer.

The malware comes with reverse shell capabilities and allows for data exfiltration, file transfer, process listing, and other typical RAT capabilities. It is also known to have used the trademarked icon of Adobe Flash Player and to have been named “Flash.exe” in the past.

Malware disguised as Flash

If its compile time is any indication, GlassRAT may have been targeting Chinese nationals since 2012.

Compilation timestamp

Perhaps RSA is right in stating that GlassRAT could be a contingency plan of a large organization that, upon having had one of its earlier campaigns exposed, decided to substitute in new kits but use the same C&C infrastructure.

On the one hand, this particular framing could paint GlassRAT’s authors as sloppy. Sooner or later, the breadcrumbs leading to the same C&C infrastructure would start to become too great to ignore.

On the other hand, it reveals just how adaptable and persistent some computer criminals are in seeking out new victims.

flickr photo shared by dimitridf under a Creative Commons ( BY-NC-ND ) license

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.
