Carbon Black & VMware Announce Expanded Partnership to Secure the Software-Defined Data Center (SDDC) Learn more

How to Detect GlassRAT via Carbon Black Queries

Bulk IOC search domain:cainformations.com
Hex_Honeycomb
December 15, 2015 / David Dorsey

RSA recently released a report about a piece of malware dubbed “GlassRAT.” RSA mentions that, at present, GlassRAT was transparent to most antivirus, but detectable by endpoint solutions.

The RSA research team released some indicators for the malware. In this blog, we’ll show how to convert them into queries for Carbon Black.

We’ll start with searching for some of the IOCs released by RSA. Since there are many, we’ll do an IOC bulk search. To do that, on the “Process Search” page, click “Add Criteria” and then click “IOCs.”

Then you can add in the domains and/or md5s.

I’ve include the domains and md5 searches for easy copying and pasting.

  • domain:cainformations.com
  • domain:echotec.asia
  • domain:foryousee.net
  • domain:rausers.com
  • domain:news-google.net
  • domain:mechanicnote.com
  • domain:alternate009.com
  • process_md5:37adc72339a0c2c755e7fef346906330
  • process_md5:59b404076e1af7d0faae4a62fa41b69f
  • process_md5:5c17395731ec666ad0056d3c88e99c4d
  • process_md5:e98027f502f5acbcb5eda17e67a21cdc
  • process_md5:87a965cf75b2da112aea737220f2b5c2
  • process_md5:22e01495b4419b564d5254d2122068d9
  • process_md5:42b57c0c4977a890ecb0ea9449516075
  • process_md5:b7f2020208ebd137616dadb60700b847

While searching, those IOCs are useful for things we already know about. We also can hunt for previously unknown versions of GlassRAT.

The report mentions the malware writes the DLL, flash.exe, to the C:\ProgramData folder. Files are not typically written to that folder, so we can search for this behavior using:

(filemod:C:\ProgramData\*.exe OR filemod:C\ProgramData\*.dll) AND -filemod:C:\ProgramData\*\*

The report also mentions that the dropper deletes itself with cmd.exe /c erase /F “%s” command. We can search for this using:

cmdline:”cmd.exe /c erase /F”

Finally the report states that GlassRAT modifies the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key to maintain persistence. A query to check for modifications to this key already exists in the suspicious indicators feed.

TAGS: bit9 / Carbon Black / EDR / endpoint solutions / GlassRAT / malware / rsa / threat research

Related Posts