A new variant of the malware GovRAT is targeting government and corporate computers. This hacking platform creates malware that is hard to detect and aggressive in its methods to try and steal sensitive files.
GovRAT is Not New
Virus Guides observes that, “the name of the malware also plays an important role in the whole scheme. The GovRAT author named it this way on purpose, in an attempt to attract a particular niche of buyers, who are mostly targeting government agencies.”
GovRAT has been in the wild since 2014 and has been used extensively. It uses spearfishing and drive-by downloads as its delivery system with its target primarily being military and US government employees. It has attacked more than 15 governments, over 100 corporations, and 7 financial institutions.
Using a remote administration tool like GovRAT, hackers are able to steal files, upload malware, and execute remote commands.
The latest version, GovRAT 2.0, has many new features. Some of these features can be attributed to the creator of the malware selling the source code for modifications.
The pricing for the product ranges from $1,000 for the command and control binaries plus code to $6,000 for every component, including extra modules. The source code allows the buyers to make improvements.
The new version of GovRAT has these advanced features:
- It can monitor network traffic using the victim’s computer
- If an infected machine downloads a piece of legitimate software, hackers can intercept that download and replace the file with malware
- It can create digital signatures using code signing tools such as Authenticode, Microsoft SignTool, and WinTrust
- It now has the ability to spread itself over network shares and USB devices
- It has access to command-and-control from any browser
- It uses remote shell and command execution (remote administration tool)
- It can create a list of files that can be browsed when the target machine is offline
- It has the ability to copy files to the target and execute them
- The new version also uses special Windows APIs instead of a SOCKS library so it cannot be blocked
- It uses a keylogger that sends the keystrokes to another server
Does It Work?
A member of the underground community within the Tor network is selling credentials to FTP servers in the US government, including USPS.gov, NOAA.gov, CDG.gov, Navy.mil, and jpl.nasa.gov.
According to SecurityWeek, “these credentials have also been used in GovRAT 2.0 attacks, along with information provided by another hacker known as ‘Peace,’ ‘Peace_of_mind’ and ‘PoM.’ This hacker has provided Bestbuy 33,000 credentials stolen from US government, research and educational organizations. These credentials are useful not only for accessing the systems of the affected agencies, but also for the social engineering and spear-phishing stage of GovRAT attacks.”
GovRAT 2.0 is a growing threat partially because its source code is being sold, so that hackers can enhance its capabilities. With a remote administration tool like GovRAT 2.0 becoming more prevalent, it is more important than ever to have up-to-date endpoint security.