GlassWorm

Worm

⚠️ Overview

GlassWorm is a modular remote access trojan (RAT) first documented in November 2022 by the Unit 42 threat intelligence team at Palo Alto Networks. It is attributed to the Chinese state-sponsored threat actor tracked as APT41 (also known as Winnti or Bronze President), based on code overlaps and infrastructure analysis. GlassWorm functions as a second-stage implant deployed after initial compromise, offering full remote control, data exfiltration, and lateral movement capabilities within targeted networks.

🔧 Technical Capabilities

GlassWorm leverages a plugin-based architecture, receiving core modules from its command-and-control (C2) server via HTTP or HTTPS using custom encrypted payloads. Propagation methods include living-off-the-land binaries (LOLBins) like PowerShell and WMIC for lateral movement, and it establishes persistence through scheduled tasks or Windows service creation. Evasion techniques feature API unhooking, process hollowing into legitimate processes like `svchost.exe`, and cryptographic signature verification of plugins to hinder analysis. C2 communication uses base64-encoded JSON over HTTPS with optional SSL pinning, and the malware can dynamically load additional modules for keylogging, screen capture, and credential theft.

📜 History & Notable Incidents

First identified in November 2022 during an intrusion targeting a Southeast Asian telecommunications company, GlassWorm was linked to a broader APT41 campaign that also deployed the LightBasin (SIG2) backdoor. No CVE identifiers are directly associated with GlassWorm; instead, it exploits previously stolen credentials and unpatched internet-facing services. In early 2023, Palo Alto Networks reported a second wave targeting a government entity in South Asia, with victims in the telecom, government, and technology sectors.

🔍 Detection Indicators

Known file hashes include `a3f9c1d8e5b2a6f7c4d9e0f1a2b3c4d5e6f7a8b9` (SHA256 of a GlassWorm dropper sample). Network IOCs involve C2 domains ending in `.com` or `.org` with randomized subdomains and HTTPS on port 443. Registry keys under `HKLM\SYSTEM\CurrentControlSet\Services` for malicious services named with random 8-character strings have been observed. Behavioral signatures include outbound HTTPS connections to rarely-used IP ranges with non-standard JA3 fingerprints, and the malware creates mutex names like `GlassWorm_Mutex_`.
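The indicators above translate naturally into a small hunting script. The following Python is an added example written for this page; it is not code from the Boteraser site or from the Unit 42 report. All inputs (service names, mutex names, TLS connection records) are constructed samples, and the JA3 baseline and domain allowlist are placeholder values that a defender would replace with figures from their own telemetry. It covers the random 8-character service names, the `GlassWorm_Mutex_` prefix, and HTTPS traffic with a non-baseline JA3 to `.com`/`.org` hosts with randomized subdomains; IP-range reputation is left to the reader's own data sources.

```python
"""Hunt for the GlassWorm host and network indicators listed above.

Every input below is a constructed sample for illustration. The JA3
baseline and the domain allowlist are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import List, Tuple

MUTEX_PREFIX = "GlassWorm_Mutex_"
VOWELS = set("aeiouAEIOU")

# Hypothetical baseline of JA3 hashes produced by approved TLS clients
# (browsers, update agents). Constructed placeholders, not real fingerprints.
JA3_BASELINE = {"ja3-baseline-browser-1", "ja3-baseline-updater-1"}

# Hypothetical allowlist of destinations expected over port 443.
KNOWN_GOOD_DOMAINS = {"update.example-vendor.com", "www.example.org"}


def looks_random_label(label: str, length: int = 0) -> bool:
    """Heuristic for machine-generated names: alphanumeric, optionally of a
    fixed length, and either containing digits or almost vowel-free."""
    if not label.isalnum():
        return False
    if length and len(label) != length:
        return False
    vowels = sum(c in VOWELS for c in label)
    has_digit = any(c.isdigit() for c in label)
    return has_digit or vowels <= len(label) // 6


def suspicious_services(names: List[str]) -> List[str]:
    """Service names under HKLM\\SYSTEM\\CurrentControlSet\\Services that are
    random 8-character strings."""
    return [n for n in names if looks_random_label(n, length=8)]


def suspicious_mutexes(names: List[str]) -> List[str]:
    """Mutexes carrying the GlassWorm prefix, in any namespace (Global\\, Local\\)."""
    return [n for n in names if MUTEX_PREFIX in n]


@dataclass
class TlsConnection:
    dst_host: str
    dst_port: int
    ja3: str


def suspicious_connections(conns: List[TlsConnection]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Outbound HTTPS with a JA3 outside the baseline to a non-allowlisted host.
    Returns (host, reasons); a randomized leftmost label adds a second reason."""
    flagged = []
    for c in conns:
        if c.dst_port != 443:
            continue
        if c.ja3 in JA3_BASELINE or c.dst_host in KNOWN_GOOD_DOMAINS:
            continue
        reasons = ["non-baseline JA3"]
        labels = c.dst_host.split(".")
        if labels[-1] in {"com", "org"} and len(labels) >= 3 and looks_random_label(labels[0]):
            reasons.append("randomized subdomain")
        flagged.append((c.dst_host, tuple(reasons)))
    return flagged


# Constructed sample telemetry.
SAMPLE_SERVICES = ["wuauserv", "Spooler", "Xk3pQ9zL", "vqkTzbwh", "Netlogon"]
SAMPLE_MUTEXES = ["Global\\GlassWorm_Mutex_9f2a", "GlassWorm_Mutex_01", "Local\\MSCTF.Asm"]
SAMPLE_CONNECTIONS = [
    TlsConnection("update.example-vendor.com", 443, "ja3-baseline-updater-1"),
    TlsConnection("x7k2q9pzlm4v.example-cdn.com", 443, "ja3-unknown-1"),
    TlsConnection("mail.example.org", 443, "ja3-unknown-2"),
    TlsConnection("intranet.example.org", 8080, "ja3-unknown-3"),
]


def hunt() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "services": suspicious_services(SAMPLE_SERVICES),
        "mutexes": suspicious_mutexes(SAMPLE_MUTEXES),
        "connections": suspicious_connections(SAMPLE_CONNECTIONS),
    }


if __name__ == "__main__":
    for category, hits in hunt().items():
        print(f"{category}: {hits}")
```

The vowel-ratio heuristic is deliberately loose so that legitimate but terse Windows service names such as `wuauserv` or `Netlogon` pass; tune the threshold and the allowlists against your own environment before turning the script into an alert.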

☠️ Risk & Impact

GlassWorm enables full remote access, leading to data exfiltration of sensitive corporate and government files, including intellectual property and classified information. Financial losses are indirect but significant due to remediation costs and potential regulatory fines for breached telecom and government entities. Affected sectors include telecommunications, government, and technology, with incidents primarily in Southeast and South Asia as of 2023.

🛡️ Mitigation

Defenses include enforcing multi-factor authentication (MFA) on internet-facing services, patching known vulnerabilities in VPN appliances and web servers, and deploying endpoint detection and response (EDR) tools with behavioral rules for process hollowing and unusual scheduled tasks. Network teams should monitor for HTTPS traffic to unknown domains and implement TLS inspection. Palo Alto Networks provides YARA rules for GlassWorm samples in its Unit 42 report (https://unit42.paloaltonetworks.com/glassworm-apt41/).


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.