Cylance vs. GlassRAT

A recent research paper [1] by RSA dissected a piece of malware named GlassRAT, which was built specifically for espionage. The unveiling of GlassRAT once again highlighted the fact that targeted attacks can operate undetected for years. In this blog we analyze different components of GlassRAT, test it against CylancePROTECT®, our artificial intelligence and machine learning based endpoint threat prevention product, and set out to see if CylancePROTECT would have identified GlassRAT, like many other threats, long before it was discovered by the rest of the antivirus industry.

Has Traditional AV Failed Us Again?

As demonstrated by the RSA paper, the current state of traditional AV detections is worrisome. Out of the four hashes found by the RSA Incident Response team, zero were initially detected by traditional AV vendors. These vendors have built their products on reactive approaches to threat detection à la ‘signatures’ (static, dynamic, heuristic, etc.). These vendors quickly caught on once the report was released but what about the "patient zero" victims? They were left unprotected and exposed for an undetermined amount of time.

Many of us at Cylance, having worked with traditional AVs before, know that existing malware detection technologies have only been as good as the research team's ability to quickly react to a new threat. In order to protect against these types of threats, the only logical approach is one built on machine learning and artificial intelligence.

But Wait There's More!

We wanted to see how well our artificial intelligence models work against this malware family. A quick search [2] turned up ten samples related to GlassRAT (see Appendix), including six additional samples that were not covered in the RSA report. Unfortunately, some of the samples still had abysmal detection rates with traditional AV products at the time this blog was written. Below is a quick analysis of the threat as well as additional IOCs.

GlassRAT's Configuration

Malware commonly attempts to hide configuration details from threat researchers. In some cases, malware authors go to great lengths to confuse and frustrate researchers in order to prevent them from analyzing the malware's configuration data. This is not the case with GlassRAT: the configuration is stored shortly after a string present in all samples and is simply obscured by XORing every byte of the configuration with 0x01.

For example, a command and control IP address is obscured as follows:

Before deobfuscation: 003/064/50/60 – After deobfuscation: 112.175.41.71

We have simplified this process by implementing it as a module in bamfdetect, an open source project. Sample output of bamfdetect extracting GlassRAT data is available here.
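As an added illustration (our own code here, not bamfdetect's and not from the RSA paper), the following Python applies the XOR 0x01 scheme described above to recover configuration bytes and then pulls C2 indicators out of the decoded text. The inputs are constructed from the values shown in this post; the NUL padding is an assumption about how a fixed-width config field would look on disk.

```python
import re

# Added example, not bamfdetect's or RSA's code. GlassRAT obscures its
# configuration by XORing every byte with 0x01; XOR with a fixed key is its
# own inverse, so one routine both obscures and recovers the data.
XOR_KEY = 0x01

def xor_0x01(data: bytes) -> bytes:
    """Apply GlassRAT's single-byte XOR; encoding and decoding are identical."""
    return bytes(b ^ XOR_KEY for b in data)

def decode_glassrat_config(obscured: bytes) -> str:
    """Recover the plaintext configuration, dropping any trailing NUL padding."""
    return xor_0x01(obscured).rstrip(b"\x00").decode("ascii", errors="replace")

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

def extract_c2(config_text: str) -> dict:
    """Pull C2 IPv4 addresses and hostnames out of a decoded config string."""
    return {"ips": IPV4.findall(config_text), "hosts": HOSTNAME.findall(config_text)}

# Constructed input: the obscured C2 address exactly as the post shows it.
SAMPLE_IP_OBSCURED = b"003/064/50/60"

# Constructed input: a C2 hostname from the post's table, obscured the same way.
# The four NUL bytes are an assumed fixed-width field padding; once obscured
# they sit on disk as 0x01 bytes.
SAMPLE_HOST_OBSCURED = xor_0x01(b"bits.foryousee.net" + b"\x00" * 4)

if __name__ == "__main__":
    print(decode_glassrat_config(SAMPLE_IP_OBSCURED))    # 112.175.41.71
    print(decode_glassrat_config(SAMPLE_HOST_OBSCURED))  # bits.foryousee.net
    blob = SAMPLE_IP_OBSCURED + xor_0x01(b"\x00") + SAMPLE_HOST_OBSCURED
    print(extract_c2(decode_glassrat_config(blob)))
```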

Command & Control Servers and Timelines

Below are the Command and Control server locations along with a timeline for each sample:

| File Type | SHA256 Hash | C & C Server | Timestamp |
|---|---|---|---|
| dll | 89317809806ef90bb619a4163562f7db3ca70768db706a4ea483fdb370a79ede | bits.foryousee.net, 103.20.195.242 | 2012:09:13 21:47:55-07:00 |
| dll | a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e | bits.foryousee.net, 103.20.195.242 | 2012:09:13 21:47:55-07:00 |
| dll | 79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e | 112.175.41.71 | 2012:09:13 23:08:39-07:00 |
| exe | c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:03 02:56:03-07:00 |
| dll | d95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:03 02:56:03-07:00 |
| dll | f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:03 02:56:03-07:00 |
| dll | 3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4 | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:07 18:25:20-07:00 |
| dll | 74d29a53aa52f5259b4a167f38c9c56ceb740487b094877389c15664448e490e | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:07 18:25:20-07:00 |
| exe | 30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399 | qx.rausers.com, mx.rausers.com, xx.rausers.com | 2015:09:07 18:25:21-07:00 |

The "AI of AV" at Work

We checked these files against our AI models, including our most recent one, which was released in September 2015. Cylance identified all but one of the samples with our artificial intelligence and machine learning approach to threat prevention.

The sample in question was 30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399. On further inspection, the file itself was not malicious but attempted to drop a malicious DLL, which was immediately blocked and quarantined, preventing the entire chain of execution.


Based on the timestamps of these samples, the oldest one has a compile time of September 2012. Let's test our ability to detect these files in the case that a customer was unable to update to the latest model. The previous model was released in March 2015. This gives a 10 month window between when that model was trained and when these samples were first released publicly. At Cylance it is no surprise to frequently find that even older models detect new threats. The model released in March 2015 detected all the samples and therefore would block a GlassRAT infection.

What if we go back a year from there and check what Cylance models could predict about these samples? That means checking against the model that was released in April of 2014. Again, as predicted, the results are the same as with the two more recent models released this year.

| Type | SHA256 Hash | Sept. 2015 | March 2015 | April 2014 |
|---|---|---|---|---|
| dll | 3bdeb3805e9230361fb93c6ffb0bfec8d3aee9455d95b2428c7f6292d387d3a4 | Yes | Yes | Yes |
| dll | 79993f1912958078c4d98503e00dc526eb1d0ca4d020d17b010efa6c515ca92e | Yes | Yes | Yes |
| dll | 89317809806ef90bb619a4163562f7db3ca70768db706a4ea483fdb370a79ede | Yes | Yes | Yes |
| dll | a9b30b928ebf9cda5136ee37053fa045f3a53d0706dcb2343c91013193de761e | Yes | Yes | Yes |
| exe | c11faf7290299bb13925e46d040ed59ab3ca8938eab1f171aa452603602155cb | Yes* | Yes* | Yes* |
| exe | 30d26aebcee21e4811ff3a44a7198a5c519843a24f334880384a7158e07ae399 | Yes | Yes | Yes |
| dll | d95fa58a81ab2d90a8cbe05165c00f9c8ad5b4f49e98df2ad391f5586893490d | Yes | Yes | Yes |
| dll | f1209eb95ce1319af61f371c7f27bf6846eb90f8fd19e8d84110ebaf4744b6ea | Yes | Yes | Yes |
| dll | 74d29a53aa52f5259b4a167f38c9c56ceb740487b094877389c15664448e490e | Yes | Yes | Yes |

*Sample's malicious payload was blocked on execution

Conclusion

It is no surprise to us that our customers were protected against this RAT more than a year and a half before the malware was discovered. Furthermore, many of the samples were detected by models created even before the files were compiled! This experiment and validation tells us a good deal about the power of Cylance's approach to threat prevention. Finding APTs using CylancePROTECT is fast becoming the industry norm. As an industry of humans, we cannot efficiently share our experiences regarding malware; some tasks are best left to machines!

Appendix: Hashes, Domains and IP Addresses

List of MD5 Hashes:

List of SHA256 Hashes:
 
GlassRAT Domains:
bits.foryousee.net
mx.rausers.com
qx.rausers.com
xx.rausers.com
 
IP Addresses:
103.20.195.242
112.175.41.71