Discovered by RSA in February of this year, GlassRAT was first created in 2012 and “appears to have operated, stealthily, for nearly 3 years in some environments,” in part with the help of a legitimate certificate from a prominent Chinese software publisher and signed by Symantec and Verisign, RSA reports.
The software is described as a “simple but capable RAT” that packs reverse shell features that allow attackers to remotely control infected computers as well as transfer files and list active processes. The dropper program associated with the file poses as the Adobe Flash player, and was named “Flash.exe” when it was first detected.
RSA discovered it on the PC of a Chinese national working for a large, U.S. multi-national corporation. RSA had been investigating suspicious network traffic on the enterprise network. RSA says telemetry data and anecdotal reports suggest that GlassRAT may principally be targeting Chinese nationals or other Chinese speakers, in China and elsewhere, since at least early 2013.
RSA said it has discovered links between GlassRAT and earlier malware families including Mirage, Magicfire and PlugX. Those applications have been linked to targeted campaigns against the Philippine military and the Mongolian government. (https://securityledger.com/2015/10/security-firm-chinese-govt-hackers-still-active-despite-truce/)