RSA recently released a report about a piece of malware dubbed "GlassRAT." RSA notes that, at the time of writing, GlassRAT was undetected by most antivirus products but detectable by endpoint solutions.
The RSA research team released some indicators for the malware. In this post, we'll show how to convert them into queries for Carbon Black.
We’ll start with searching for some of the IOCs released by RSA. Since there are many, we’ll do an IOC bulk search. To do that, on the “Process Search” page, click “Add Criteria” and then click “IOCs.”
Then you can add in the domains and/or md5s.
I've included the domain and MD5 searches for easy copying and pasting.
Those IOCs are useful for finding what we already know about. We can also hunt for previously unknown versions of GlassRAT by searching for its behavior.
The report mentions that the malware writes its DLL, flash.exe, to the C:\ProgramData folder. Files are not typically written directly to that folder (as opposed to one of its subfolders), so we can search for this behavior using:
(filemod:C:\ProgramData\*.exe OR filemod:C:\ProgramData\*.dll) AND -filemod:C:\ProgramData\*\*
The report also mentions that the dropper deletes itself with the command cmd.exe /c erase /F "%s". We can search for this using:
cmdline:"cmd.exe /c erase /F"
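As an added example (not from the RSA report or from Carbon Black itself), here is a small Python model of the two hunting queries above, run over constructed sample sensor events, so you can see which file writes and command lines each query is meant to catch and which the subfolder exclusion deliberately drops. It approximates Carbon Black's wildcard and phrase matching with case-insensitive glob and substring matching; the event fields and values are made up.

```python
import fnmatch
from typing import Dict, List

# Constructed sample events (not real telemetry), each carrying the two fields
# the queries above search: a file-modification path and a process command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "filemod": r"C:\ProgramData\flash.exe", "cmdline": ""},
    {"id": "e2", "filemod": r"C:\ProgramData\Vendor\update.dll", "cmdline": ""},
    {"id": "e3", "filemod": r"c:\programdata\svc.DLL", "cmdline": ""},
    {"id": "e4", "filemod": r"C:\Users\bob\AppData\Local\Temp\a.exe", "cmdline": ""},
    {"id": "e5", "filemod": "", "cmdline": r'cmd.exe /c erase /F "C:\Users\bob\dropper.exe"'},
    {"id": "e6", "filemod": "", "cmdline": r"cmd.exe /c dir C:\ProgramData"},
]


def programdata_root_write(path: str) -> bool:
    r"""Model of:
    (filemod:C:\ProgramData\*.exe OR filemod:C:\ProgramData\*.dll)
    AND -filemod:C:\ProgramData\*\*
    i.e. an .exe or .dll dropped directly into C:\ProgramData; writes inside
    any subfolder are excluded by the negative clause."""
    p = path.lower()  # Windows paths are case-insensitive, so normalise first
    is_exe_or_dll = (fnmatch.fnmatchcase(p, r"c:\programdata\*.exe")
                     or fnmatch.fnmatchcase(p, r"c:\programdata\*.dll"))
    # The `*` glob crosses backslashes, so this pattern only matches when at
    # least one more path separator follows C:\ProgramData\ (a subfolder).
    in_subfolder = fnmatch.fnmatchcase(p, r"c:\programdata\*\*")
    return is_exe_or_dll and not in_subfolder


def self_delete_cmdline(cmdline: str) -> bool:
    """Model of: cmdline:"cmd.exe /c erase /F"  (case-insensitive phrase match
    on the process command line, which is how the dropper removes itself)."""
    return "cmd.exe /c erase /f" in cmdline.lower()


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run both behavioural checks over events; returns event id -> reasons."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        reasons = []
        if ev.get("filemod") and programdata_root_write(ev["filemod"]):
            reasons.append("exe/dll written to root of C:\\ProgramData")
        if ev.get("cmdline") and self_delete_cmdline(ev["cmdline"]):
            reasons.append("self-delete via cmd.exe /c erase /F")
        if reasons:
            hits[ev["id"]] = reasons
    return hits


if __name__ == "__main__":
    for event_id, why in hunt(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(why))
```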
Finally, the report states that GlassRAT modifies the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to maintain persistence. A query to check for modifications to this key already exists in the suspicious indicators feed.