Sophisticated Remote Admin Tool Aimed at U.S. Government Employees

Several US military and other government agencies have been targeted by a malware piece, dubbed GovRAT, specially designed to spy on such important targets.

GovRAT, which was first uncovered in November last year by the security company InfoArmor, is a Remote Access Trojan. Currently, the RAT is being sold on TheRealDeal Dark Web marketplace and the Hell forum.

The crook behind the RAT is known as bestbuy, but after InfoArmor released its first report about the threat, he started using a new nickname – Popopret.

GovRAT is a very powerful piece of malware, based on its features, and, recently, it has been updated with a second version. The name of the malware also plays an important role in the whole scheme. The GovRAT author named it this way on purpose, in an attempt to attract a particular niche of buyers, who are mostly targeting government agencies.

The RAT can be purchased online for 2.5740 Bitcoin ($1,600), according to a recent listing on TheRealDeal. However, users could also by the GovRAT`s course code for $6,000.

A recent InfoArmor`s report revealed that Popopret, or bestbuy, isn’t working alone but he has a partner in the face of another infamous hacker called Peace_of_Mind (PoM). According to InfoArmor, PoM is separately spreading files which contain the emails and credentials for several types of accounts, which US military and government agencies are using.

More than 33,000 records are included in the PoM`s list, with most of the credentials coming from the US Navy, the US General Services Administration, and some famous US universities such as USC, the University of Florida and Missouri. However, at the time of writing, this listing is no longer active.

This is important information because, as InfoArmor says, a buyer would be emboldened to purchase this list as they would need it to spam government officials. This way, they could spread the RAT as a file attachment or they could trick the victims into loading the GovRAT v2.0 website, where the RAT is served via drive-by download.

Besides PoM, Popopret is working together with fake digital certificates sellers as well, sending clients to them so they could sign and hide GovRAT v2.0 from anti-malware programs.

According to InfoArmor, once a machine is infected by GovRAT v2.0, the crooks could leverage it to dump passwords from the infected computer’s applications or to sniff on the local network. Then, all this information can be spread to other servers, infecting more users. Abusing GovRAT, the attackers could also search for crucial files and then exfiltrate stolen data to a remote server or access an infected host.

GovRAT v2.0 is also able to target USB flash drives, deploying USB worms, infecting any other computer the flash drive is connected to. This feature is used for going from target to target on air-gapped networks.

Below are the features of GovRAT v2.0, written by Popopret himself on TheRealDeal:

The organizations targeted by the GovRAT v2.0 malware primarily conduct their operations in English.” – the latest InfoArmor`s repots reads – “However, several samples with non-English signatures for data exfiltration related to names of the documents, their security classification, author and additional details have been identified.”

Both Popopret and PoM have been previously associated with other huge attack breaches. Popopret, for example, is most famous with his old nickname, bestbuy, being involved in some serious attacks against Dark Web marketplaces, like the Thomson Reuters World-Check database of suspected terrorists.

PoM isn’t in any way less popular that Popopret, previously selling data from breaches at famous companies like LinkedIn, VK, Yahoo and Tumblr.

Neither of them has been behind these huge breaches, but they build their reputation more by putting for sale the data from them than by developing and selling GovRAT.

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.