GlassRAT spyware goes undetected for three years

Nov 24, 2015 09:08 GMT

A stealthy new RAT (Remote Access Trojan) has been discovered by RSA Research, and it appears to have targeted mainly Chinese nationals working at multinational companies in and outside China.

This new threat, dubbed GlassRAT, has a very low detection rate with antivirus engines and is also signed with a digital certificate issued by a large Chinese company.

RSA Research says the tool may have gone undetected for years, and that its C&C infrastructure overlaps with that of other cyber-espionage campaigns carried out against countries in the Asia-Pacific region over the past three years.

GlassRAT bears similarities to other spying tools and cyber-espionage campaigns

"The telemetry of GlassRAT and limited forensic samples suggest that targeting is narrowly focused," says RSA Research. "While several code similarities were found with other malware such as Taidoor and Taleret, the most interesting overlap with GlassRAT might be in the C2 infrastructure shared with geopolitical campaigns, which were reported earlier in this decade."

Researchers are referring to the Mirage and Magic Fire campaigns from 2012 and the PlugX campaign from 2014. During those incidents, Chinese state-sponsored groups spied on Mongolian government officials and the Philippine military.

RSA Research says the overlap between GlassRAT's C&C infrastructure and that of those campaigns was brief, possibly the result of an operational mistake by the operators.
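The infrastructure overlap described above is found by comparing when different campaigns were seen using the same C2 host, and a short overlap window is what distinguishes a one-off operational slip from deliberately shared infrastructure. The following is an added example of that comparison, written for this article; it is not code from RSA Research, and the hostnames, campaign windows and the 30-day "brief" threshold are constructed placeholders rather than published indicators.

```python
from datetime import date
from itertools import combinations

# Constructed sample data: when each campaign was observed using a C2 host.
# Hostnames and dates are placeholders invented for this example; they are not
# the indicators RSA Research published.
SIGHTINGS = [
    # (campaign, C2 indicator, first seen, last seen)
    ("GlassRAT",    "c2-a.example.invalid", date(2014, 3, 1),  date(2014, 3, 20)),
    ("GlassRAT",    "c2-b.example.invalid", date(2013, 6, 1),  date(2015, 9, 30)),
    ("PlugX-2014",  "c2-a.example.invalid", date(2014, 2, 10), date(2014, 8, 1)),
    ("Mirage-2012", "c2-c.example.invalid", date(2012, 1, 1),  date(2012, 12, 1)),
    ("Mirage-2012", "c2-b.example.invalid", date(2012, 5, 1),  date(2013, 6, 10)),
]


def shared_infrastructure(sightings):
    """Group sightings by indicator and keep only indicators used by 2+ campaigns."""
    by_indicator = {}
    for campaign, indicator, first, last in sightings:
        by_indicator.setdefault(indicator, {})[campaign] = (first, last)
    return {ind: uses for ind, uses in by_indicator.items() if len(uses) >= 2}


def overlap_days(window_a, window_b):
    """Days during which both campaigns were seen on the same host (0 if disjoint)."""
    start = max(window_a[0], window_b[0])
    end = min(window_a[1], window_b[1])
    return max(0, (end - start).days)


def campaign_links(sightings, brief_days=30):
    """
    Return (indicator, campaign_x, campaign_y, overlap_days, brief) tuples for
    every campaign pair that shared a C2 host. 'brief' marks overlaps shorter
    than brief_days, the pattern the article attributes to an operational slip
    rather than to long-lived shared infrastructure. Campaign names within a
    pair are sorted so results are deterministic.
    """
    links = []
    for indicator, uses in sorted(shared_infrastructure(sightings).items()):
        for cx, cy in combinations(sorted(uses), 2):
            days = overlap_days(uses[cx], uses[cy])
            links.append((indicator, cx, cy, days, days < brief_days))
    return links


if __name__ == "__main__":
    for indicator, cx, cy, days, brief in campaign_links(SIGHTINGS):
        tag = "brief" if brief else "sustained"
        print(f"{indicator}: {cx} <-> {cy}, {days} overlapping days ({tag})")
```

Pairs with zero overlapping days are still reported, since sequential reuse of a host by two campaigns is itself a pivot worth investigating; the `brief` flag only separates short co-use from sustained sharing.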

GlassRAT is a simple yet efficient spying tool

As for the infection method, researchers have not yet determined how it happens, but since this is a highly targeted tool, the obvious candidate would be social engineering combined with spear-phishing techniques.

Once the spyware reaches the victim's computer, it installs itself via a fake Flash installation package and then removes any traces it may have left behind.

As far as GlassRAT's capabilities are concerned, they are simple but effective: a reverse shell plus other typical RAT features, such as process listing and file exfiltration.

These are more than enough for a cyber-espionage group willing to trade full control of the host for long-term stealth.