
GlassRAT is a newly identified, zero-detection Remote Access Trojan (RAT) that has recently been associated with several targeted attacks; its suspected dwell time under the radar is several years.

In this blog post we will discuss how to detect its dropper, malicious files, and C2 communication.

Below you can see the GlassRAT lifecycle from infection to persistence.

[Figure: GlassRAT lifecycle from infection to persistence]

Once it infects a machine, the attacker gains access to the infected victim's PC through a reverse shell.

Once the installer program (aka "dropper"), flash.exe, landed and was triggered on the device, it was detected by RSA ECAT and automatically downloaded for investigation. For the dropper specifically, a chain-revoked alert was triggered.

RSA ECAT Module view

[Screenshot: RSA ECAT Module view of the flash.exe dropper]

The screenshot below, also from RSA ECAT, shows the dropper writing the malicious code to the device, creating updatef.dll:

[Screenshot: RSA ECAT showing flash.exe writing updatef.dll]

The screenshot below shows the network activity in the RSA Security Analytics Investigator: rundll32.exe beaconing out, which triggers the newly created GlassRAT parser (available in the report annex and in RSA Live). The parser identifies the infected host's handshake with the C2 by the following hard-coded string: '0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22':

[Screenshot: RSA Security Analytics Investigator showing the rundll32.exe beacon and the GlassRAT parser meta]

Assuming the appropriate meta keys are enabled, the following queries can also be used to identify:

  • Windows command shell communication: service = 0 && tcp.dstport = 80 && risk.warning = 'windows command shell'
  • Protocol-abusing raw socket connections, flagged as 'unknown service over http port' and 'unknown service over ssl port' under the 'Risk: Informational' meta key by the 'nw60125' application rule.

[Screenshot: RSA Security Analytics query results for the GlassRAT C2 sessions]
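To make the two network checks above concrete, here is an added Python example (not code from the RSA post, and not the Lua parser published in RSA Live) that applies them to captured client payloads: the first check looks for the hard-coded handshake bytes quoted above, the second reproduces the idea behind the 'unknown service over http port' risk meta by flagging a session to TCP/80 whose first bytes are not an HTTP request line. The session tuples, the tag names, and the HTTP method list are assumptions made for this example; the handshake bytes are the ones in the post.

```python
# Added example, not code from the RSA post or from the NetWitness GlassRAT parser:
# a Python stand-in for the handshake match and the 'unknown service over http port' check.
from typing import Iterable, List, Tuple


def parse_spaced_hex(text: str) -> bytes:
    """Turn the post's notation ('0x cb ff 5d ...') into raw bytes."""
    tokens = [t[2:] if t.startswith("0x") else t for t in text.split()]
    return bytes(int(t, 16) for t in tokens if t)


# The hard-coded C2 handshake string quoted in the post (15 bytes).
GLASSRAT_HANDSHAKE = parse_spaced_hex("0x cb ff 5d c9 ad 3f 5b a1 54 13 fe fb 05 c6 22")

# Request-line prefixes that mark a payload as HTTP (assumed list for this example).
# Anything else sent to port 80 counts as "some unknown service over the http port".
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")


def has_glassrat_handshake(payload: bytes) -> bool:
    """True if the handshake byte sequence appears anywhere in the client payload."""
    return GLASSRAT_HANDSHAKE in payload


def unknown_service_over_http_port(dst_port: int, payload: bytes) -> bool:
    """Rough equivalent of the 'unknown service over http port' risk meta:
    a session to TCP/80 whose first bytes are not an HTTP request line."""
    return dst_port == 80 and not payload.startswith(HTTP_METHODS)


# (session id, destination port, first client payload); a constructed shape, not a pcap API.
Session = Tuple[str, int, bytes]


def tag_sessions(sessions: Iterable[Session]) -> List[Tuple[str, List[str]]]:
    """Return (session id, tags) for every session that triggers at least one check."""
    results = []
    for session_id, dst_port, payload in sessions:
        tags = []
        if has_glassrat_handshake(payload):
            tags.append("glassrat-c2-handshake")
        if unknown_service_over_http_port(dst_port, payload):
            tags.append("unknown service over http port")
        if tags:
            results.append((session_id, tags))
    return results


# Constructed sample sessions (not real captures).
SAMPLE_SESSIONS: List[Session] = [
    ("s1", 80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),        # ordinary HTTP
    ("s2", 80, GLASSRAT_HANDSHAKE + b"\x00\x10WORKSTATION-PLACEHOLDER"),    # beacon on port 80
    ("s3", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),           # TLS ClientHello prefix
    ("s4", 80, b"\x01\x02\x03\x04 not http at all"),                        # raw socket, no handshake
]


if __name__ == "__main__":
    for session_id, tags in tag_sessions(SAMPLE_SESSIONS):
        print(session_id, ", ".join(tags))
```

Running the block prints s2 with both tags and s4 with only the raw-socket tag; s1 and s3 stay quiet. Note that the handshake match is a plain substring search over the client payload, which is what a content-based parser does; the port-80 heuristic is deliberately loose and is there to show why the post pairs the handshake signature with the more generic risk meta.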

All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

To read the full report navigate here: https://blogs.rsa.com/peering-into-glassrat/

Mirage is a remote access trojan that has been associated with different targeted attacks. The malware family got its name from one of its embedded strings. In this blog post, we will discuss how to detect its C2 beaconing activity.


Once it infects a machine, Mirage starts collecting system information like:

  • MAC address
  • CPU information
  • System name
  • Username


The collected information is then encoded using a custom algorithm and sent to the C2 server in the payload of an HTTP POST request:


[Screenshot: Mirage HTTP POST request carrying the encoded system information]


The screenshot below shows the network activity in RSA Security Analytics investigator:


[Screenshot: Mirage C2 beaconing as seen in the RSA Security Analytics Investigator]


Assuming the appropriate meta keys are enabled, the following query can be used:

          action = 'put' && directory = '/' && (filename begins 'search' || filename begins 'result') && (filename contains 'gid' || filename contains 'meta') && extension = '<none>' && content = 'application/x-www-form-urlencoded'
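The query above is a set of clauses over meta values that the decoder extracts from each HTTP session. The following added Python example (not code from the RSA post or from NetWitness) derives those values from raw HTTP requests and evaluates the same clauses over them, so the intent of each clause can be checked against concrete requests. The mapping from request to meta is an assumption made for the example, not a description of the NetWitness decoder: a POST is treated as action 'put', the query string is kept on the filename so that 'gid' and 'meta' can match, and extension is '<none>' when the path component has no dot. The sample requests, hostnames and payloads are constructed placeholders, not IOCs.

```python
# Added example, not code from the RSA post or from NetWitness: a Python stand-in for
# the Mirage query, applied to constructed raw HTTP POST requests.
from typing import Dict, List, Tuple
from urllib.parse import urlsplit
import posixpath


def extract_meta(raw_request: bytes) -> Dict[str, str]:
    """Derive the meta values the query refers to from one raw HTTP request.

    Assumed mapping for this example (not the NetWitness decoder's rules):
    POST -> action 'put'; path split into directory (trailing '/') and filename;
    query string appended to the filename; extension '<none>' when the path
    component has no dot; content = Content-Type header without parameters.
    """
    head, _sep, _body = raw_request.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    directory, basename = posixpath.split(parts.path or "/")
    if not directory.endswith("/"):
        directory += "/"
    extension = basename.rsplit(".", 1)[1] if "." in basename else "<none>"
    filename = basename + ("?" + parts.query if parts.query else "")
    content = headers.get("content-type", "").split(";", 1)[0].strip()
    return {
        "action": "put" if method.upper() == "POST" else method.lower(),
        "directory": directory,
        "filename": filename,
        "extension": extension,
        "content": content,
    }


def matches_mirage_query(meta: Dict[str, str]) -> bool:
    """The query from the post, clause by clause, over the extracted meta."""
    filename = meta["filename"]
    return (
        meta["action"] == "put"
        and meta["directory"] == "/"
        and (filename.startswith("search") or filename.startswith("result"))
        and ("gid" in filename or "meta" in filename)
        and meta["extension"] == "<none>"
        and meta["content"] == "application/x-www-form-urlencoded"
    )


def flag_requests(requests: List[Tuple[str, bytes]]) -> List[str]:
    """Return the ids of the requests that satisfy every clause of the query."""
    return [req_id for req_id, raw in requests if matches_mirage_query(extract_meta(raw))]


# Constructed sample requests (hostnames and payloads are placeholders, not IOCs).
SAMPLE_REQUESTS: List[Tuple[str, bytes]] = [
    # Matches every clause: POST to '/', filename starts with 'search' and contains 'gid',
    # no extension, form-urlencoded body.
    ("r1", b"POST /search?gid=QUJDREVG&meta=aG9zdA HTTP/1.1\r\nHost: c2.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 11\r\n\r\nencoded=abc"),
    # Fails: the path component has an extension ('php').
    ("r2", b"POST /result.php?meta=1 HTTP/1.1\r\nHost: c2.example\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n"),
    # Fails: GET, so action is not 'put'.
    ("r3", b"GET /search?gid=1 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    # Fails: directory is '/api/', not '/'.
    ("r4", b"POST /api/search?gid=1 HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n"),
]


if __name__ == "__main__":
    for req_id in flag_requests(SAMPLE_REQUESTS):
        print("possible Mirage C2 beacon:", req_id)
```

Only r1 is flagged. The three non-matching requests each fail exactly one clause, which is a useful way to read the original query: every `&&` term narrows the match, so a single mismatch (an extension, a different verb, a sub-directory) drops the session, and a tuning change to any one clause should be tested against such near-miss cases before it goes into production.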


Scan results for a Mirage variant can be viewed here.


All of the IOCs from those HTTP sessions were added to the following RSA FirstWatch Live feeds:

  • RSA FirstWatch APT Threat Domains
  • RSA FirstWatch APT Threat IPs

If the threat.desc meta key is enabled, you can use the following app rule:

          threat.desc = 'apt-mirage-c2'

