Specialists at RSA Research have found GlassRAT, a remote administration tool (RAT) with "zero detection", signed with a certificate stolen or otherwise obtained from a popular Chinese software developer. The malware was able to evade detection for several years. Telemetry and limited reporting suggest that GlassRAT targeted Chinese nationals connected with multinational corporations. Although it is practically "transparent" to most antivirus products, GlassRAT can be found through detailed examination and with endpoint threat-detection tools such as RSA Security Analytics and/or RSA ECAT. Evidence is also presented that the way GlassRAT's command infrastructure is organized has much in common with other malicious campaigns that earlier targeted Asian organizations of geopolitical and strategic importance. More details are available here: http://blogs.rsa.com/peering-into-glassrat/.
What actually is GlassRAT?
GlassRAT is a remote access trojan (RAT). It apparently remained unnoticed for nearly three years. GlassRAT uses a number of disguises and can, in its own way, boast a very effective malicious design. Its dropper is signed with a compromised certificate from a trusted and well-known publisher (the certificate authority that issued the certificate revoked it after independent analysis confirmed that the code signed with it was malicious). The dropper deletes itself after completing its tasks. Once installed, the malicious DLL, figuratively speaking, "flies below the radar" of antivirus products and gives the attacker shell access to the infected victim's machine.
GlassRAT first drew the attention of RSA Research in February 2015, when the RSA Incident Response team, which specializes in proactively hunting for intrusions into large corporate networks, found malicious traffic while investigating an incident at a US-based multinational corporation. The DLL sample was found with RSA ECAT on the PC of a Chinese national living in mainland China.
Usually attackers simply replace low-level tools such as a RAT right after detection, without changing their tactics, procedures, infrastructure or even the targets of the attack. In this case, however, the facts suggest the opposite: the targets changed both in number (there were many more of them) and in character (geopolitical rather than the traditional commercial ones).
RSA Research looked for possible similarities to other, previously described malware and its methods of operation. Some code similarity to other malware such as Taidoor (http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf) and Taleret (https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html) was found, but the most interesting overlap was with the command-and-control infrastructure used in attacks on organizations of geopolitical significance (discussed below), which were recorded a few years ago.
Analysis of GlassRAT with RSA Security Analytics and RSA ECAT
GlassRAT infection scheme
Starting the investigation after the dropper has run and infected the machine, ECAT automatically raises the risk level of the machine and of the corresponding module from zero to one of the highest values in the analysis queue.
Let's look at the other information ECAT provides. Statistics on the current contents of memory, on data stored on disk, on anomalies and on network traffic are available to us. All of this lets an analyst investigating an incident instantly switch attention to any suspicious entity.
Two samples of the malicious GlassRAT installer, known as the "dropper", were known. According to the analysis results on VirusTotal, neither dropper was detected by any of the 57 antivirus engines in a standard scan.
Both GlassRAT dropper samples were almost identical in function and code. The first sample was uploaded to VirusTotal about four hours before the second.
The GlassRAT droppers used the branded Adobe Flash Player icon and were named "flash.exe" when they were first uploaded to VirusTotal on September 17, 2015.
Double-clicking the trojan starts the dropper. As soon as ECAT determined that it was a potentially malicious file, it was automatically uploaded to the ECAT ConsoleServer for further investigation. In the ECAT Modules view we see the following:
ECAT detects the dropper and raises its InstantIOC (Indicator of Compromise) score, taking into account that the code is signed with a revoked certificate.
In addition, ECAT uses a session tracking module to identify and map relationships with other potentially suspicious files or machines in your environment that established connections or performed other suspicious actions:
flash.exe starts; relation to updatef.dll: "Write to Executable" event
During installation of the trojan, the dropper self-destructs using the built-in command:
cmd.exe /c erase /F "%s"
After detecting the new malicious file updatef.dll, we began to analyze it. As can be seen from the file list sorted by ECAT Risk Score, the dropper has two different processes used for installation in user and privileged modes:
These two different DLL files were immediately flagged as suspicious and uploaded to the server after detection by the ECAT agent, each receiving a risk score of 1024 points.
GlassRAT unprivileged persistence mechanism
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Image path: c:\programdata\updatef.dll
Note: the DLL file is actually written to the root of C:\ProgramData, but because of changes introduced with Windows Vista and later versions of Windows, the path is displayed differently in the Autoruns registry section.
This is how GlassRAT's unprivileged persistence looks when viewed with the Autoruns tool:
When the dropper is started manually and triggers UAC, right-clicking displays the metadata associated with the dropper:
Note: the program name shown in the User Account Control (UAC) dialog matches the name of the "500-million-user" application developed by the certificate holder.
GlassRAT privileged persistence mechanism
GlassRAT's persistence is achieved by installing it as the "RasAuto" (Remote Access Manager) service, which is usually disabled by default in Windows.
HKLM\System\CurrentControlSet\Services RasAuto image path: c:\programdata\application data\updatef.dll
GlassRAT persistence mechanism when installed with administrator privileges:
ECAT module investigation instantly identifies updatef.dll as an autorun entry, assigns it the appropriate risk level and locates both the file and the registry entry:
Having identified updatef.dll as the malicious file, we decided to study its characteristics more closely: what it is, what it does, what its distinctive features are, etc. For this we used the InstantIOC (IIOC) module.
YARA is a tool that helps researchers identify and classify malware samples. The YARA IIOC infection alert was triggered by a separate YARA rule created for GlassRAT, as indicated under the module's properties.
After the dropper and the related infected DLL files were identified and executed, we assumed that the trojan is loaded with the help of svchost.exe as the RasAuto service, and when installed in user mode
Through ECAT's network traffic monitoring we identified suspicious connections to qx.rausers.com over ports 53, 80 and 443. In this case ECAT could determine that it was the rundll32.exe module that performed the beaconing (and not merely established the connection with
ECAT IIOC also flagged rundll32.exe, reporting potential beaconing, suspicious network access and actual DNS traffic from this process.
Network analysis of the GlassRAT command center with RSA Security Analytics
GlassRAT's command structures were somewhat similar to the command centers found in 2012 in other malicious campaigns that targeted governments and military organizations in the Pacific region. In addition, static analysis of several GlassRAT DLL files revealed an encoded command center host configuration in all of the samples found:
003/064/50/60 : 112.175.x.x
chur/gnsxntrdd/odu : bits.foryousee.net
012/31/084/353 : 103.20.x.x
py/s`trdsr/bnl : qx.rausers.com
ly/s`trdsr/bnl : mx.rausers.com
yy/s`trdsr/bnl : xx.rausers.com
The handshake between the attacker and the victim was found with Security Analytics and the new dedicated GlassRAT trojan parser, available "out of the box" through RSA Live. When such network traffic is detected, the new meta value "Risk: Suspicious" is assigned to the parameter glass_rat_c2_handshake_beacon.
The handshake is also evidenced by direct socket connections marked as "unknown service over http port" and "unknown service over ssl port" with the meta value "Risk: Informational".
During the handshake between the infected host and the command server, a hard-coded value is sent, which RSA Security Analytics detects: 0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22. Identifying the traffic and the destination IP addresses (dst.ip):
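The encoded host strings listed above and the hard-coded handshake value can both be turned into simple detection logic. The following is an added example, not RSA's parser or the article's code; it assumes that the encoded strings are a per-byte XOR with 0x01 (an observation from the encoded/decoded pairs on this page, e.g. 'p'^1 is 'q' and '/'^1 is '.') and uses only the domain strings quoted above.

```python
"""Added example: decode GlassRAT's encoded C2 host strings and locate the
hard-coded handshake bytes in a captured payload (not RSA's own code)."""
import re

# Assumption: each character of the encoded C2 string is XORed with 0x01.
# This matches every encoded/decoded pair quoted in the article.
XOR_KEY = 0x01

# Hard-coded handshake value quoted in the article (15 bytes).
HANDSHAKE = bytes.fromhex("cbff5dc9ad3f5ba15413fefb05c622")

# Accept decoded values that look like a hostname or a dotted IPv4 address.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$|^(?:\d{1,3}\.){3}\d{1,3}$")


def decode_c2_string(encoded: str) -> str:
    """Undo the per-byte XOR 0x01 and return the plaintext host string."""
    return "".join(chr(ord(ch) ^ XOR_KEY) for ch in encoded)


def extract_c2_hosts(candidates) -> list:
    """Decode candidate strings (e.g. pulled from a DLL) and keep the ones
    that parse as a hostname or IPv4 address; everything else is noise."""
    decoded = (decode_c2_string(s) for s in candidates)
    return [h for h in decoded if HOST_RE.match(h)]


def find_handshake(payload: bytes) -> int:
    """Return the offset of the handshake pattern in a TCP payload, or -1."""
    return payload.find(HANDSHAKE)


if __name__ == "__main__":
    # Encoded strings quoted in the article plus one unrelated string.
    samples = ["chur/gnsxntrdd/odu", "py/s`trdsr/bnl", "ly/s`trdsr/bnl",
               "yy/s`trdsr/bnl", "hello"]
    print(extract_c2_hosts(samples))
    # Constructed payload: two filler bytes, the handshake, then padding.
    captured = b"\x00\x10" + HANDSHAKE + b"\x00" * 8
    print(find_handshake(captured))
```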
When interacting with the Windows command shell (but not during beaconing), you can also use the following application rule:
service = 0 && tcp.dstport = 80 && risk.warning = 'windows command shell'
Malicious activity can be flagged thanks to the console messages (risk.warning: 'windows command shell' with an unknown protocol (service=0) on a popular port (tcp.dstport = 80)). False positives are possible here, however.
This article is a translation of the original post at habrahabr.ru/post/274245/