<strong>GOVRAT</strong> <strong>V2.0</strong><br />
ATTACKING US MILITARY AND GOVERNMENT<br />
BY ANDREW KOMAROV<br />
CHIEF INTELLIGENCE OFFICER<br />
INFOARMOR, INC.
GovRAT v2.0<br />
ATTACKING US MILITARY AND GOVERNMENT<br />
In November 2015, InfoArmor identified the GovRAT malware that possessed<br />
advanced cyberespionage functionalities and documented these findings in the<br />
GovRAT Intelligence Report. Research indicated that GovRAT and the bad actors<br />
involved were targeting government and military assets. InfoArmor alerted the<br />
identified agencies and targets in order to prevent data exfiltration and to collect<br />
actual and current IOCs.<br />
In mid-May 2016, the primary actor changed his nickname to “popopret” after being<br />
profiled by InfoArmor [1]. During this time, his activities were combined with targeted<br />
attacks on US government resources, along with active data exfiltration from hacked<br />
Web resources with a sizeable number of federal employee contacts.<br />
Based on operatively-sourced information and data breach intelligence, the threat<br />
actor is working with a highly sophisticated group of cybercriminals that are selling<br />
stolen and fake digital certificates for mobile and PC-based malware code-signing,<br />
used to bypass modern AV solutions for other possible APT campaigns.<br />
1) GovRAT v.1 - https://www.infoarmor.com/wp-content/uploads/2016/04/Advanced_Persistent_Threats_Code_Signing.pdf<br />
GovRAT V.2 FEATURES<br />
• Access C&C with any browser.<br />
• Compile C&C for Linux OR Windows.<br />
• Cannot be reversed without the private key. 0day anti-debugging.<br />
• Automatically maps all hard disks and network disks.<br />
• Creates a map of files to browse even when the target is offline.<br />
• Remote shell/command execution.<br />
• Upload files or Upload and Execute files to target.<br />
• Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.<br />
• Customized encryption for communications. No two machines will use the same key (ever).<br />
• SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).<br />
• Does not use SOCKS libraries. Uses special Windows APIs to communicate and cannot be blocked.<br />
• C&C creates a one-time password every time the user logs in for extra security.<br />
• Comes with source for FUD keylogger that sends keys to another server.<br />
• Excellent for long term campaigns where a stable connection is needed.<br />
UPDATES<br />
• %100 FUD Again after Blue Coat discovered the RAT.<br />
• Network spreading module (using ARP/MITM to hijack all exe downloads) - turns on and off with 1 click.<br />
• Endpoint bypass<br />
• 360 bypass<br />
ADDITIONAL UPDATES (APRIL 28, 2016)<br />
• Browser password dumper (all common browsers)<br />
• Mail password dumper (all common mail clients)<br />
• Cleartext network password sniffer (many modules including http, ftp, imap, pop3, etc...)<br />
• Network shares password dumper (saved passwords)<br />
• USB spread with 2 options (1. fake shortcut method, 2. DLL Hijacking of common applications based on private list and research)<br />
• TOR onion domain support added!<br />
COST<br />
• $1,000: Gets you basic bin and C&C code (no extra modules)<br />
• $1,600: Gets you bin and C&C code (all modules)<br />
• $3,000: Gets you basic source code (no modules)<br />
• $6,000: Gets you source of everything<br />
THE LIFECYCLE OF <strong>GOVRAT</strong> V.2<br />
[Diagram] Reconnaissance: Contact Gathering, WEB-apps. Malware Build: Agent-based, Signed Code, LPE Exploit. Stage 1 - Infection, Attack Vectors: Drive-by (RIG 3.0 + Neutrino). Stage 2 - Worm, Attack Vectors: Network Shares, USB Flash.<br />
In the closed underground forum, “Hell Forum” on the TOR network, the bad actor is still<br />
using his old nickname “bestbuy,” has VIP status, and is selling a variety of tools for cyber<br />
espionage campaigns using the same alias, along with several new nicknames on “The<br />
Real Deal Market.”<br />
This link was used as one of the key elements in the attribution of this bad actor:<br />
Some of the bad actor’s posts in the same marketplace are still being published on behalf of bestbuy. GovRAT v2 has a fairly<br />
advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available<br />
network resources and connected external devices, such as USB flash drives (worm feature).<br />
WHAT IS THE “HELL FORUM”?<br />
According to our sources, on June 17, 2015, 33-year-old “Ping,” a former owner of the “Hell<br />
Forum,” was arrested. He was mentioned in a number of media reports from the Calgary<br />
Police Department and the story was covered by the Calgary Herald. The arrest was<br />
announced just days after Fox News quoted a security researcher about the suspected<br />
OPM data on the Hell Forum. According to closed sources, Ping was also responsible for<br />
hacking into another federal system in 2013.<br />
In January 2016, the underground forum reemerged with new administrators. The forum improved the procedure for inviting new<br />
members by implementing an internal vouching system.<br />
One of the posts was quoted as follows:<br />
“Don’t worry about anything regarding LE [law enforcement], NSA and others. If you suspect anyone to be LE please let us know<br />
so that we can take proper action against them since this is not a place for them.”<br />
At present, Hell Forum is one of the tightest and most closed underground communities in the TOR network, where serious<br />
cybercriminals exchange information about data leaks, new vulnerabilities and private tools for sale.<br />
The group under investigation is based on key members of “Hell Forum.” Several of these individuals are known as professional<br />
hackers for hire, such as ROR[RG], who previously hacked Ashley Madison and AdultFriendFinder. He also stole the personal<br />
information of 72,000,000 Turkish citizens from MERNİS (Turkey’s citizenship number system), and claimed to have 17.8GB of data<br />
from a Turkish Police server, supposedly stolen from the Turkish General Directorate of Security (EGM).<br />
FOCUS BY INDUSTRY<br />
The statistics below represent the number of identified campaigns, by industry, against<br />
various organizations using GovRAT v1.0 and GovRAT v2.0 in 2015 and 2016, respectively.<br />
The dynamics of growth show an extreme interest in hi-tech, scientific and federal sectors.<br />
The trend is also very visible regarding defense and military employees:<br />
[Bar chart: number of identified campaigns by industry (Information Technology, Scientific Research, Educational Organizations, Government Agencies), 2015 (GovRAT v.1) vs. 2016 (GovRAT v.2); y-axis 0 to 10]<br />
The functionality of some versions allows the extraction of SSH keys from the compromised<br />
hosts, along with access credentials. The SSHDROP backdoor is an illustrative example of<br />
the tool used by GovRAT v2.0 bad actors for stealthy, long-term sniffing of SSH credentials<br />
for information collection about other users who may have different access privileges on<br />
the same host.<br />
On one of the underground communities in the TOR network, the same bad actor is selling<br />
compromised credentials relating to FTP servers of various US Government entities.<br />
In addition to NOAA.gov, USPS.gov and CDG.gov, the bad actor is selling several credentials<br />
for subdomains at JPL.NASA.gov and NAVY.mil:<br />
According to this post, the bad actor has six FTP accounts for different subdomains related<br />
to NAVY.mil:<br />
In the identified GovRAT v2.0 distribution campaigns, the bad actor is actively using drive-by<br />
download attacks [2] using Angler EK (“XXX”) and Nuclear EK. Using drive-by-download<br />
attacks, the bad actor has created their own botnet and collected a significant amount of<br />
compromised data that includes credentials to network resources.<br />
2) A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device.<br />
There is another bad actor identified as “PoM,” who is a partner of popopret, and is selling<br />
33,000 records with credentials related to the US Government and various research and<br />
educational organizations.<br />
In the post description, he outlines that the data was hashed but he was able to decrypt it and can<br />
potentially use it for “accessing other agencies,” as well as for use in SE (social engineering) and spear<br />
phishing campaigns. PoM provides the stolen data of government and military employees to other actors<br />
using GovRAT v2.0 for highly targeted malware delivery.<br />
After a thorough analysis, it was determined that most of this data was accessed from the hacked National<br />
Institute of Building Sciences (http://www.nibs.org/) website. It contains numerous members from the<br />
research, educational, government and military community.<br />
InfoArmor has acquired the breached data for further analysis and risk mitigation. This database has over<br />
33,000 users and their contact information from various government, military and educational organizations,<br />
along with stored passwords in hashed form.<br />
Each password has been hashed using several rounds. Brief analysis showed that the bad actors could<br />
nevertheless crack the hashes and use the recovered passwords for further hacking attempts.<br />
In one of the files obtained from the bad actors, there was a comment related to the<br />
analysis of authentication mechanisms used in various government Web-resources for<br />
remote access. The bad actor noted that not all of the accounts require an RSA SecurID or<br />
external hardware token, making the collected compromised data extremely useful. And if<br />
the victim is using the same password, it might be possible to execute a successful login.<br />
The bad actors also outlined that in some cases military Web applications require the use of a specific proxy. In these cases,<br />
they organize reverse proxies [3] on the victims in order to access sensitive resources from the same network pool and even IP<br />
addresses.<br />
3) A back-connect or reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests<br />
to the appropriate backend server (C&C on the cybercriminal’s side).<br />
DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .gov:<br />
gsa.gov – 44% (.44305)<br />
va.gov – 8% (.08273)<br />
nasa.gov – 5% (.04955)<br />
nps.gov – 4% (.04200)<br />
faa.gov – 3% (.03318)<br />
state.gov – 3% (.02730)<br />
ee.doe.gov – 2% (.02394)<br />
fws.gov – 2% (.02394)<br />
bop.gov – 2% (.02058)<br />
epa.gov – 2% (.01764)<br />
Other .gov – 25% (.2500)<br />
DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .mil:<br />
navy.mil – 25%<br />
mail.mil – 19%<br />
usace.army.mil – 18%<br />
us.af.mil – 15%<br />
us.army.mil – 5%<br />
usmc.mil – 4%<br />
Other .mil – 14%<br />
DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .edu:<br />
usc.edu – 17%<br />
mail.missouri.edu – 16%<br />
ufl.edu – 4%<br />
ilstu.edu – 4%<br />
vt.edu – 4%<br />
bsu.edu – 3%<br />
farmingdale.edu – 3%<br />
si.edu – 3%<br />
cnm.edu – 2%<br />
Illinois.edu – 2%<br />
umich.edu – 2%<br />
taliesin.edu – 2%<br />
alumn.mit.edu – 2%<br />
Other .edu – 36%<br />
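As an added example (not InfoArmor's tooling and not part of the original report), the following Python computes the kind of per-domain distribution shown in the three tables above from a leaked credential list, folding small domains into an "Other" bucket so a defender can quickly size an organization's exposure; the sample records and the `min_share` threshold are constructed assumptions.

```python
"""Exposure breakdown of a leaked credential list by e-mail domain.

Added example, not InfoArmor's code. Reproduces the per-TLD, per-domain
distribution the report shows for .gov/.mil/.edu, folding domains below a
share threshold into an "Other.<tld>" bucket. Sample data is constructed.
"""
from collections import Counter

# Constructed sample dump in the common "email:hash" form; hash values are
# placeholders, not real material.
SAMPLE_DUMP = """\
a1@gsa.gov:HASH_PLACEHOLDER
a2@gsa.gov:HASH_PLACEHOLDER
a3@gsa.gov:HASH_PLACEHOLDER
a4@gsa.gov:HASH_PLACEHOLDER
a5@gsa.gov:HASH_PLACEHOLDER
b1@va.gov:HASH_PLACEHOLDER
b2@va.gov:HASH_PLACEHOLDER
c1@nasa.gov:HASH_PLACEHOLDER
c2@nasa.gov:HASH_PLACEHOLDER
d1@epa.gov:HASH_PLACEHOLDER
e1@navy.mil:HASH_PLACEHOLDER
e2@navy.mil:HASH_PLACEHOLDER
f1@mail.mil:HASH_PLACEHOLDER
g1@usc.edu:HASH_PLACEHOLDER
not-an-email:HASH_PLACEHOLDER
"""
SAMPLE_RECORDS = SAMPLE_DUMP.splitlines()


def email_domain(record):
    """Return the lowercase domain of an 'email:hash' record, or None if malformed."""
    email = record.split(":", 1)[0].strip()
    if email.count("@") != 1:
        return None
    domain = email.rsplit("@", 1)[1].lower()
    return domain or None


def distribution(records, tld, min_share=0.02):
    """Fraction of records per domain under `tld` (e.g. 'gov'), largest first.

    Domains are kept as written (so ee.doe.gov stays separate from doe.gov,
    as in the report's tables). Domains whose share is below `min_share`
    are folded into 'Other.<tld>'; malformed records and other TLDs are skipped.
    """
    counts = Counter()
    for rec in records:
        domain = email_domain(rec)
        if domain and domain.endswith("." + tld):
            counts[domain] += 1
    total = sum(counts.values())
    if total == 0:
        return {}
    result, other = {}, 0
    for domain, n in counts.most_common():
        if n / total >= min_share:
            result[domain] = round(n / total, 4)
        else:
            other += n
    if other:
        result["Other." + tld] = round(other / total, 4)
    return result
```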
<strong>GOVRAT</strong> V.2.0 LIFE CYCLE<br />
[Diagram] List of GOV/MIL Employees (@nasa.gov, @army.mil, @navy.mil) → Bad Actor “Popopret” (GovRAT v.2) and Bad Actor #2 “PoM” → STAGE 1: Spear Phishing, Drive-By Download, USB Flash Drives → Victim: Network Sniffing, Password Collection (.GOV / .MIL), USB Worm, SSH Server, FTP Server → STAGE 2: Targeted Infections, Credentials Sniffing, Drive-By Download, Data Exfiltration.<br />
The organizations targeted by the GovRAT v2.0 malware primarily conduct their operations in English.<br />
However, several samples with non-English signatures for data exfiltration related to names of the<br />
documents, their security classification, author and additional details have been identified.<br />
In most cases, the bad actors perform two stages of drive-by download attacks. The first stage targets the<br />
initial victim and the second stage targets the server-side compromise (regarding other employees). This<br />
multi-stage approach allows the bad actors to target a broad number of victims, progressing from a single<br />
infection, leading to deeper intrusions into specific organizations and data exfiltration which can include a<br />
variety of record attributes or data elements.<br />
ABOUT INFOARMOR<br />
InfoArmor offers industry-leading identity and cyber intelligence services that<br />
help our clients fight emerging fraud and advanced cyber threats. We combine an<br />
unparalleled global research network with big data analysis, actionable intelligence<br />
and customized service to meet clients’ dynamic security needs. From employee<br />
to enterprise, InfoArmor is redefining how organizations fight fraud and combat an<br />
evolving threat landscape to mitigate risk on multiple levels.<br />
Today, more than 600 businesses and government agencies, including 50 of the<br />
Fortune 500, use PrivacyArmor®, the industry leading employee identity protection<br />
solution, or VigilanteATI™, our award-winning advanced threat intelligence platform to<br />
improve their data security posture.<br />
For more information please visit the InfoArmor website at infoarmor.com, or contact<br />
InfoArmor sales at +1 480 302 6701, or email sales at ati@infoarmor.com.<br />
800 789 2720 / ATI.INFOARMOR.COM<br />
IAATIHCWP 07 2016