GovRAT 2.0 in the wild and hitting U.S. government agencies

GovRAT, malware specializing in attacks on government and corporate networks, has been upgraded to version 2.0 by its creator, is hitting more targets than before and now carries a starting price of $1,000.

InfoArmor, which first uncovered GovRAT 1.0 late last year, has issued a report on version 2.0 of the malware, which has been operating for the past several months and is more dangerous than the original. InfoArmor has also identified who is behind the malware's development and distribution.

“The key specifics of GovRAT v.2 are a network interception and spoofing module, allowing [it] to drop malware, replacing legitimate files you are downloading from the Internet (on-the-fly, using network spoofing techniques and binary patching). All of the identified samples have been signed with a unique digital certificate, which makes detection pretty complicated. The actors prefer to use customized builds of GovRAT v.2 in order not to have a similar style across samples and to avoid AV detection by similar patterns,” Andrew Komarov, chief intelligence officer at InfoArmor, said in an email interview.
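The on-the-fly replacement Komarov describes defeats checks that look only at a download's filename, size or the mere presence of a code signature. The check a practitioner wants is a pinned digest published out of band, compared before anything is executed, with unknown files rejected rather than waved through. The script below is an added illustration of that check; it is not GovRAT code and not InfoArmor's tooling. The "installer" bytes, the manifest entry and the patch offset are all constructed here so it runs offline.

```python
"""Pinned-digest check for downloaded binaries.

Added illustration of the defensive check against in-transit replacement of
downloads. Not GovRAT code and not InfoArmor's tooling: the installer bytes,
the manifest and the patch offsets are constructed for this example.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for a legitimate download (not a real PE file).
GENUINE_INSTALLER = b"MZ" + b"\x90" * 62 + b"setup: copy files, register service\n"

# Digest the vendor would publish out of band (release notes, a signed
# manifest, a separate channel). Computed here from the constructed bytes.
PINNED_MANIFEST = {
    "vendor-setup.exe": hashlib.sha256(GENUINE_INSTALLER).hexdigest(),
}


@dataclass
class Verdict:
    filename: str
    ok: bool
    reason: str


def patch_in_transit(data: bytes, offset: int, patch: bytes) -> bytes:
    """Model what an interception module does: overwrite bytes of the
    download as it passes through, keeping the total length unchanged so
    that a size-only or filename-only check still matches."""
    if offset < 0 or offset + len(patch) > len(data):
        raise ValueError("patch must fit inside the original data")
    return data[:offset] + patch + data[offset + len(patch):]


def verify_download(filename: str, data: bytes, manifest: dict) -> Verdict:
    """Accept the download only if a pinned digest exists for it and
    matches. Files with no pinned digest are rejected (fail closed)."""
    expected = manifest.get(filename)
    if expected is None:
        return Verdict(filename, False, "no pinned digest for this file")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison is a harmless habit for any digest compare.
    if hmac.compare_digest(actual, expected):
        return Verdict(filename, True, "sha256 matches pinned digest")
    return Verdict(
        filename,
        False,
        f"sha256 mismatch: got {actual[:16]}..., expected {expected[:16]}...",
    )


def demo() -> list:
    """Run the genuine file, an in-transit patched copy of it, and an
    unpinned file through the check; return the three verdicts."""
    # Same length as the original: a size check alone would not notice.
    tampered = patch_in_transit(GENUINE_INSTALLER, 64, b"setup: drop stage-2 implant")
    assert len(tampered) == len(GENUINE_INSTALLER)
    return [
        verify_download("vendor-setup.exe", GENUINE_INSTALLER, PINNED_MANIFEST),
        verify_download("vendor-setup.exe", tampered, PINNED_MANIFEST),
        verify_download("unlisted-tool.exe", GENUINE_INSTALLER, PINNED_MANIFEST),
    ]


if __name__ == "__main__":
    for v in demo():
        print(f"{'PASS' if v.ok else 'FAIL'} {v.filename}: {v.reason}")
```

The digest must come from a channel the interception module cannot also rewrite; a hash printed on the same page the download came from is no protection if that page is served over the same intercepted path. Likewise, a valid code signature only proves that some key signed the file; the samples Komarov mentions were signed, so a signature check is useful only when the signer is compared against an allowlist of expected publishers rather than treated as trust by itself.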

However, perhaps an even more important issue with GovRAT is that the original creator, who now goes by the nickname “popopret,” is working with the well-known hacker Peace_of_Mind (PoM). PoM is associated with the data breaches at LinkedIn, Yahoo and Tumblr, according to Softpedia, and brings something uniquely important to the table for GovRAT.

“There is another bad actor identified as ‘PoM,’ who is a partner of popopret and is selling 33,000 records with credentials related to the US Government and various research and educational organizations,” Andrew Komarov, chief intelligence officer at InfoArmor, wrote in the report, adding that this is leading to a higher level of activity.

“Yes, compared to GovRAT v.1 there is significant growth, and one of the reasons is active hacks of government and various industry resources having a high number of US GOV/military contacts. It allows them to build a targeted mailing list, to which they send malware for further GovRAT v.2 distribution (mostly through JS-based and macro-based content),” Komarov said.

On the technical front, the important updates are the inclusion of browser and mail password dumpers, a cleartext network password sniffer, a network-share password dumper and Tor domain support.

“GovRAT and GovRAT 2.0 are highly sophisticated malware packages that feature the ability to steal files, remotely execute commands, upload other malware variants, and monitor network traffic. Everyone is alarmed at the sophistication of the malware and the fact that syndicates seem to be working together to progress the potency of cyberespionage,” Brad Bussie, CISSP, director of product management at STEALTHbits Technologies, said in an emailed statement.

Komarov noted that the improved capabilities have enabled popopret to raise the product's price. The entry-level price of $1,000 gets the hacker on a budget a basic binary and command-and-control code with no extra modules. The next model, priced at $1,600, adds the modules. For $3,000 the basic source code is included, but without modules, and the top-of-the-line version, costing $6,000, contains the source code for the entire malware.

InfoArmor reported that in most cases an attack takes place in two stages: first a drive-by download, then a server-side compromise.

“This multi-stage approach allows the bad actors to target a broad number of victims, progressing from a single infection, leading to deeper intrusions into specific organizations and data exfiltration which can include a variety of record attributes or data elements,” Komarov wrote.
