GlassRAT: analysis of a trojan from China using RSA Security Analytics and RSA ECAT
- Transfer

RSA Research experts discovered the GlassRAT Trojan for Remote Administration Tool (RAT) with a “zero detection level”, signed with a certificate stolen or received from a popular Chinese software developer. This malware could have avoided detection for several years. Telemetry and limited reports that do not stand up to criticism indicate that the goal of GlassRAT was Chinese citizens associated with transnational corporations. Being completely “transparent” to most anti-virus products, the GlassRAT Trojan can be detected using detailed examination, as well as using end-to-end threat detection tools such as RSA Security Analytics and / or RSA ECAT. Evidence is also provided that the way to organize the command infrastructure of the GlassRAT network has much in common with other malicious campaigns that were previously aimed at Asian organizations of geopolitical and strategic importance. More information about this information can be found here:http://blogs.rsa.com/peering-into-glassrat/ .
What is GlassRAT really?
GlassRAT is a remote access (RAT) trojan. Apparently, he went unnoticed for almost 3 years. GlassRAT uses a lot of guises, and in its own way boasts a very effective, malicious design. His dropper was signed using a compromised certificate from a trusted and well-known publisher (the Certification Authority that issued this certificate, after an independent examination confirming the maliciousness of the code he signed, subsequently revoked it). Dropper removes himself after the successful implementation of his tasks. Once installed, the malicious DLL file, figuratively speaking, “flies below the radar detection level” of the antivirus, providing an attacker with access to the shell code of the infected victim.
GlassRat first got the attention of RSA Research in February 2015, when the RSA Incident Respons team, which specializes in proactively preventing the threat of intruders in large corporate networks, detected malicious traffic while investigating an incident at a multinational corporation based in the United States. A sample DLL was detected using RSA ECAT on a PC of a Chinese citizen residing in mainland China.
Typically, attack organizers simply replace low-level tools like RAT, immediately after detection, without changing tactics, procedures, infrastructure, or even the objectives of the attack. However, in this case, the facts indicate the opposite. The objectives of the attack differed both in number (there were much more) and in characteristics (geopolitical, instead of traditional commercial ones).
RSA Research looked for possible similarities with other previously described malicious programs and how they work. Some code similarities were found with other malware, such as Taidoor ( http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf )
and Taleret ( https: // www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html ), but the most interesting coincidence was found in the infrastructure management system used in attacks on organizations of geopolitical significance (more on this below) that were recorded several years ago.
GlassRAT analysis with RSA Security Analytics and RSA ECAT
GlassRAT infection scheme

Starting an investigation of an attack after the introduction of a dropper and infection, ECAT automatically increases the level of danger for the machine and the corresponding module from zero to one of the maximum values in the analysis queue.

Let's analyze the rest of the information provided by ECAT. We have access to statistics about the current contents of memory, about data stored on the disk, about anomalies and network traffic. All this allows the analyst to immediately turn his attention to any of the entities that arouses suspicion during the investigation of the incident.

GlassRAT dropper
There were two examples of the GlassRAT malware installer, known as droppers. According to the analysis results presented on the VirusTotal website, 57 different antiviruses were not able to detect both of these droppers during a routine scan.

Both samples of GlassRAT dropper were almost identical in their functions and code . The first of the samples was uploaded to VirusTotal about four hours earlier than the second.
GlassRAT droppers used the proprietary Adobe Flash Player icon and were called “flash.exe” when they were first uploaded to VirusTotal on September 17, 2015.

Double-clicking on the Trojan causes the dropper to launch. Once ECAT detected that it was a potentially malicious file, it was automatically uploaded to ECAT ConsoleServer for further investigation. Through the ECAT Modules view, we see the following:
ECAT detects a dropper and raises the danger level of InstantIOC (Indicator of Compromise Score), given the signature of the code by the revoked certificate.

In addition, ECAT uses a session tracking module to identify and establish connections with other potentially suspicious files or machines in your environment that have established connections and performed other suspicious activities:
SVCHOST.exestarts upflash.exeflash.exefires in relation to theupdatef.dllevent “Write to Exectuable”

During the installation of the trojan, the dropper self-destructs using the built-in command:
“cmd.exe /c erase /F "%s",”After detecting a new malicious file
updatef.dll, we began to analyze it. As you can see from the list of files sorted by ECAT Risk Score, the dropper has two different processes used during installation in user and privileged modes: 
These two different DLL files were immediately marked as suspicious and uploaded to the server after being detected by the ECAT agent, and received a risk score of 1024 points each.
GlassRAT unprivileged persistence engine
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Image path: c:\programdata\updatef.dllNote: the DLL file is actually written to the root
C:\ProgramData, but due to the transition to Windows Vista and later versions of Windows, the path will be displayed in the Autoruns registry key C:\ProgramData\Application Data\. This is how GlassRAT's unprivileged persistence looks when viewed through the Autoruns tool:

When manually starting UAC, right-clicking displays the metadata associated with the dropper:

Note: The program name specified in the Account Control (UAC) dialog box coincides with the name of this application “ 500 million-user ”developed by the certificate holder.
GlassRAT privileged persistence engine
The persistence of the GlassRAT Trojan is ensured by installing “RasAuto” (Remote Access Manager) as the service, which is usually disabled by default in Windows. GlassRAT persistence mechanism during installation with administrator privileges: Using the ECAT module investigation, you can instantly identify it as an autoloader, assign an appropriate risk level, and detect a file and registry entry: Having identified a malicious file, we decided to better examine its characteristics: what it is what it does, what are its distinguishing features, etc. For this, they used the InstantIOC module (IIOCs).
HKLM\System\CurrentControlSet\Services
RasAuto image path: c:\programdata\application data\updatef.dll
updatef.dll
updatef.dll
YARA is a tool to help researchers identify and classify malicious samples. The YARA IIOC infection message was triggered by a separate YARA rule created for GlassRAT, as indicated under the module properties.

After the dropper and the infected DLL files associated with it were identified and executed, we proceeded from the assumption that the Trojan loads using
svchost.exeRasAuto as a service, and rundll32.exelaunches when installed in unprivileged mode updatef.dll. Through monitoring ECAT network traffic, we detected suspicious connections to qx.rausers.com via ports 53, 80, and 443. In this case, ECAT was able to determine that it was a module
rundll32.exethat provided alerts (rather than just establishing a connection with svchost.exe).
In addition, ECAT IIOC tagged
rundll32.exe, reporting potential signaling, suspicious network access, and actual DNS traffic from this process.
GlassRAT Command Center Network Analysis with ECAT Security Analytics
GlassRAT’s governance structures were somewhat similar to the command centers discovered in 2012 in other malicious campaigns targeting governments and military organizations in the Pacific. In addition, a static analysis of several GlassRAT DLLs revealed confusing command center host configurations in all detected samples.
003/064/50/60 : 112.175.x.xchur/gnsxntrdd/odu : bits.foryousee.net012/31/084/353 : 103.20.x.xpy/s`trdsr/bnl : qx.rausers.comly/s`trdsr/bnl : mx.rausers.comyy/s`trdsr/bnl : xx.rausers.comThe handshake between the attacker and the victim was detected using Security Analytics and the new separate Glass RAT Trojan parser parser, accessible “out of the box” through RSA Live. When network traffic
glass_rat_c2_handshale_beaconwas detected, the parameter was assigned a new meta-value “Risk: Suspicious”. The handshake is also indicated by connections to the direct access socket, marked as "
unknown service over http port" and "unknown service over ssl port"with a meta-value" Risk: Informational "with a meta-value. 

During the handshake, a hard-coded value was sent and detected by the RSA Security Analytics between the infected node and the command server
0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22. Determination of traffic and destination IP addresses (dst.ip): 
When interacting with the Windows shell (but not in terms of signaling), you can also use the following application rule:
service = 0 && tcp.dstport = 80 && risk.warning = ‘windows command shell’You can detect malicious activity thanks to console messages (risk.warning: 'windows command shell' using an unknown protocol (service = 0) and popular of the port (tcp.dstport = 80)). However, there may be false-positive alarms.