According to InfoArmor, the notorious government-targeting malware GovRAT has been substantially upgraded. The Remote Access Trojan packs 11 high-profile advancements, according to its feature list. However, researchers are not solely concerned with the updates to the malware itself. The improved accessibility is a major threat to government organizations in the US: GovRAT v2.0 is openly available for purchase starting at $1,600.
In November 2015, InfoArmor published a warning after discovering GovRAT for sale on the Hell Forum and the TheRealDeal marketplace. After that piece was published, the developer changed his pseudonym from bestbuy to Popopret. As revealed in the GovRAT v2.0 discovery paper, InfoArmor was still able to connect the dots between the two identities.
Popopret is now working with PoM, or Peace_of_Mind, another well-known hacker. PoM is behind the recent Yahoo, LinkedIn, Tumblr, and VK data breaches. This time, PoM is selling dumps of credentials tied to government employee email addresses. According to InfoArmor, such a list is exactly what is needed to target government officials: PoM's files help distribute the malware as an email attachment, or can be used to lure victims to a website that infects the target's machine with GovRAT.
Once GovRAT is deployed, the malware dumps passwords and data from the infected computer. The extracted credentials let GovRAT spread to servers on the local network, infecting more users. Infected hosts can be remotely accessed, granting the hacker an even greater level of control. One of the new features allows GovRAT to copy itself to USB drives plugged into the victim's machine; GovRAT then infects the next machine that mounts the USB drive.
The features from the GovRAT 2.0 listing on TheRealDeal market:
– Access C&C with any browser.
– Compile C&C for Linux OR Windows.
– Cannot be reversed without the private key. 0day anti-debugging.
– Automatically maps all hard disks and network disks.
– Creates a map of files to browse even when the target is offline.
– Remote shell / command execution.
– Upload files, or upload and execute files, on the target.
– Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.
– Customized encryption for communications. No 2 machines will use the same key (ever).
– SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).
– Does not use socks libraries. Uses special Windows APIs to communicate and cannot be blocked.
– C&C Creates a One-Time-Password every time you login for extra security.
– Comes with source for FUD keylogger that sends keys to another server.
– Excellent for long term campaigns where a stable connection is needed.
– 100% FUD again after Blue Coat discovered the RAT.
– Network spreading module (using ARP/MITM to hijack all exe downloads) – turn on and off with 1 click.
– Endpoint bypass
– 360 bypass
More updates (28th of April 2016):
– Browser password dumper (all common browsers)
– Mail password dumper (all common mail clients)
– Cleartext network password sniffer (many modules including http, ftp, imap, pop3, etc…)
– Network shares password dumper (saved passwords)
– USB Spread with 2 options (1. fake shortcut method, 2. DLL Hijacking of common applications based on private list and research)
– TOR onion domain support added!
InfoArmor points out that GovRAT can now be used for stealthy, long-term sniffing of SSH credentials on a target network.
Popopret's listings on TheRealDeal do not end with GovRAT v2.0. The hacker is also selling credentials for network resources on USPS.gov that were collected from a botnet server. Another example is a listing for six FTP accounts on NAVY.mil subdomains.
InfoArmor closes their report with a summary of GovRAT’s capabilities and a warning to any readers:
In most cases, the bad actors perform two stages of drive-by download attacks. The first stage targets the initial victim and the second stage targets the server-side compromise (regarding other employees). This multi-stage approach allows the bad actors to target a broad number of victims, progressing from a single infection, leading to deeper intrusions into specific organizations and data exfiltration which can include a variety of record attributes or data elements.