Security researchers at RSA have discovered that the GlassRAT remote administration trojan (RAT) might have been in the same command and control (C&C) infrastructure shared in geopolitical malware campaigns observed earlier this decade.
The authors of RSA’s research paper explain that they linked GlassRAT to other malicious C&C infrastructures using malicious domains that pointed to common hosting.
In particular, they reveal that two domains on which an IP address and server for GlassRAT operated – alternate009[dot]com and mechanicnote[dot]com – were at one point connected to C&C host records for Mirage (also known as MirageFox) and PlugX, two malware samples that targeted the Philippines military and the Mongolian government, respectively.
Their research also points to common hosting with the malware MagicFire, which also targeted the Philippines military, by way of two IP addresses that were shared with PlugX, as well as the two domains discussed above.
Overall, the overlap window with Magicfire, PlugX, and Mirage was relatively short, which RSA explains might be due to a “possible operational security slip” by the developers of GlassRAT. Alternatively, that C&C infrastructure might have been deliberately shared.
In either case, the fact that GlassRAT was at one time connected to the malicious C&C infrastructure of three malware samples makes it quite interesting:
“…what makes GlassRat notable is not what it is, but perhaps rather where it came from, who is using it, and for what purpose,” note the researchers.
As noted by Threatpost, RSA’s security team first came into contact with GlassRAT earlier this year during an incident response call with a Chinese national working at a large “multinational corporation”.
Then in September, RSA came across two samples of the GlassRAT droppers, neither one of which 57 different anti-virus scanners successfully detected when tested via VirusTotal. It was later determined that the second dropper had been signed with a certificate associated with a Chinese software developer.
The malware comes with reverse shell capabilities and allows for data exfiltration, file transferring, process listing, and other typical RAT capabilities. It is also known to have used the trademarked icon of Adobe Flash Player and to have been named “Flash.exe” in the past.
If its compile time is any indication, GlassRAT may have been targeting Chinese nationals since 2012.
Perhaps RSA is right in stating that GlassRAT could be a contingency plan of a large organization that upon having had one of their earlier campaigns exposed decide to substitute in new kits but use the same C&C infrastructure.
On the one hand, this particular framing could paint GlassRAT’s authors as sloppy. Sooner or later, the breadcrumbs leading to the same C&C infrastructure would start to become too great to ignore.
On the other hand, however, it reveals just how adaptable and persistent some computer criminals are in seeking out new victims.
flickr photo shared by dimitridf under a Creative Commons ( BY-NC-ND ) license