GOVRAT V2.0

GOVRAT V2.0 

ATTACKING US MILITARY AND GOVERNMENT 

BY ANDREW KOMAROV 

CHIEF INTELLIGENCE OFFICER 

INFOARMOR, INC.



GovRAT v2.0 


In November 2015, InfoArmor identified the GovRAT malware that possessed 

advanced cyberespionage functionalities and documented these findings in the 

GovRAT Intelligence Report. Research indicated that GovRAT and the bad actors 

involved were targeting government and military assets. InfoArmor alerted the 

identified agencies and targets in order to prevent data exfiltration and to collect 

actual and current IOCs. 

In mid-May 2016, the primary actor changed his nickname to “popopret” after being 

profiled by InfoArmor 1 . During this time, his activities were combined with targeted 

attacks on US government resources, along with active data exfiltration from hacked 

Web resources with a sizeable number of federal employee contacts. 

Based on operatively-sourced information and data breach intelligence, the threat 

actor is working with a highly sophisticated group of cybercriminals that are selling 

stolen and fake digital certificates for mobile and PC-based malware code-signing, 

used to bypass modern AV solutions for other possible APT campaigns. 

1) GovRAT v.1 - https://www.infoarmor.com/wp-content/uploads/2016/04/Advanced_Persistent_Threats_Code_Signing.pdf 

2



GovRAT V.2 FEATURES 

• Access C&C with any browser. 

• Compile C&C for Linux OR Windows. 

• Cannot be reversed without the private 

key. 0day anti-debugging. 

• Automatically maps all hard disks and 

network disks. 

• Creates a map of files to browse even 

when the target is offline. 

• Remote shell/command execution. 

• Upload files or Upload and Execute 

files to target. 

• Download files from target. All files 

are compressed with LZMA for 

faster downloads and encrypted on 

transport. 

• Customized encryption for 

communications. No two machines will 

use the same key (ever). 

• SSL Support for communication. (you 

have to get your own *Valid* SSL 

certificate to use this). 

• Does not use SOCKS libraries. Uses 

special Windows APIs to communicate 

and cannot be blocked. 

• C&C creates a one-time password 

every time the user logs in for extra 

security. 

• Comes with source for FUD keylogger 

that sends keys to another server. 

• Excellent for long term campaigns 

where a stable connection is needed. 

UPDATES 

• %100 FUD Again after Blue Coat 

discovered the RAT. 

• Network spreading module 

(using ARP/MITM to hijack all exe 

downloads) - turns on and off 

with 1 click. 

• Endpoint bypass 

• 360 bypass 

ADDITIONAL UPDATES 

(APRIL 28, 2016) 

• Browser password dumper 

(all common browsers) 

• Mail password dumper 

(all common all clients) 

• Cleartext network password sniffer 

(many modules including http, ftp, 

imap, pop3, etc...) 

• Network shares password dumper 

(saved passwords) 

• USB spread with 2 options 

(1. fake shortcut method, 2. DLL 

Hijacking of common applications 

based on private list and research) 

• TOR onion domain support added! 

COST 

• $1,000 

Gets you basic bin and C&C code 

(no extra modules) 

• $1,600 

Gets you bin and C&C code 

(all modules) 

• $3,000 

fGets you basic source code 

(no modules) 

• $6,000 

Gets you source of everything 

3



THE LIFECYCLE OF GOVRAT V.2 

Reconnaissance 

• Contact Gathering 

• WEB-apps 

Malware Build 

• Agent-based 

• Signed Code 

• LPE Exploit 

Stage 1 - Infection 

Attack Vectors 

• Drive-by (RIG 3.0 + 

Neutrino) 

Stage 2 - Worm 

Attack Vectors 

• Network Shares 

• USB Flash 

In the closed underground forum, “Hell Forum” on the TOR network, the bad actor is still 

using his old nickname “bestbuy,” has VIP status, and is selling a variety of tools for cyber 

espionage campaigns using the same alias, along with several new nicknames on “The 

Real Deal Market.” 

This link was used as one of the key elements in the attribution of this bad actor: 

Some of the bad actor’s posts in the same marketplace are still being published on behalf of bestbuy. GovRAT v2 has a fairly 

advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available 

network resources and connected external devices, such as USB flash drives (worm feature). 

4



WHAT IS THE “HELL FORUM”? 

According to our sources, on June 17, 2015, 33 year-old “Ping,”, a former owner of the “Hell 

Forum,” was arrested. He was mentioned in a number of media reports from the Calgary 

Police Department and the story was covered by the Calgary Herald. The arrest was 

announced just days after Fox News quoted a security researcher about the suspected 

OPM data on the Hell Forum. According to closed sources, Ping was also responsible for 

hacking into another federal system in 2013.. 

In January 2016, the underground forum reemerged with new administrators. The forum improved the procedure for inviting new 

members by implementing an internal vouching system. 

One of the posts was quoted as follows: 

“Don’t worry about anything regarding LE [law enforcement], NSA and others. If you suspect anyone to be LE please let us know 

so that we can take proper action against them since this is not a place for them.” 

At present, Hell Forum is one of the tightest and most closed underground communities in the TOR network, where serious 

cybercriminals exchange information about data leaks, new vulnerabilities and private tools for sale. 

The group under investigation is based on key members of “Hell Forum.” Several of these individuals are known as professional 

hackers for hire, such as ROR[RG], who previously hacked Ashley Madison and AdultFriendFinder. He also stole the personal 

information of 72,000,000 Turkish citizens from MERNİS (Turkey’s citizenship number system), and claimed to have 17.8GB of data 

from a Turkish Police server, supposedly stolen from the Turkish General Directorate of Security (EGM). 

5



FOCUS BY INDUSTRY 

The statistics below represent the number of identified campaigns, by industry, against 

various organizations using GovRAT v1.0 and GovRAT v2.0 in 2015 and 2016, respectively. 

The dynamics of growth show an extreme interest in hi-tech, scientific and federal sectors. 

The trend is also very visible regarding defense and military employees: 

10 

7.5 

5 

2.5 

0 

Information Technology Scientific Research Educational Organizations Government Agencies 

2015 (GovRAT v.1 2016 (GovRAT v.2 

6



The functionality of some versions allows the extraction of SSH keys from the compromised 

hosts, along with access credentials. The SSHDROP backdoor is an illustrative example of 

the tool used by GovRAT v2.0 bad actors for stealthy, long-term sniffing of SSH credentials 

for information collection about other users who may have different access privileges on 

the same host. 

7



On one of the underground communities in the TOR network, the same bad actor is selling 

compromised credentials relating to FTP servers of various US Government entities. 

8



In addition to NOAA.gov, USPS.gov and CDG.gov, the bad actor is selling several credentials 

for subdomains at JPL.NASA.gov and NAVY.mil: 

9



According to this post, the bad actor has six FTP accounts for different subdomains related 

to NAVY.mil: 

10



In the identified GovRAT v2.0 distribution campaigns, the bad actor is actively using driveby 

download attacks 2 using Angler EK (“XXX”) and Nuclear EK. Using drive-by-download 

attacks, the bad actor has created their own botnet and collected a significant amount of 

compromised data that includes credentials to network resources. 

2) A drive-by download refers to the unintentional download of a virus or malicious software (malware) onto your computer or mobile device. 

11



There is another bad actor identified as “PoM,” who is a partner of popopret, and is selling 

33,000 records with credentials related to the US Government and various research and 

educational organizations. 

12



In the post description, he outlines that the data was hashed but he was able to decrypt it and can 

potentially use it for “accessing other agencies,” as well as for use in SE (social engineering) and spear 

phishing campaigns. PoM provides the stolen data of government and military employees to other actors 

using GovRAT v2.0 for highly targeted malware delivery. 

After a thorough analysis, it was determined that most of this data was accessed from the hacked National 

Institute of Building Sciences (http://www.nibs.org/) website. It contains numerous members from the 

research, educational, government and military community. 

13



InfoArmor has acquired the breached data for further analysis and risk mitigation. This database has over 

33,000 users and their contact information from various government, military and educational organizations, 

along with stored passwords in hashed form. 

Each password has been hashed using several rounds. Brief analysis showed that the bad actors could 

decrypt the hash and use the recovered password information for further hacking attempts. 

14



In one of the files obtained from the bad actors, there was a comment related to the 

analysis of authentication mechanisms used in various government Web-resources for 

remote access. The bad actor noted that not all of the accounts require an RSA SecureID or 

external hardware token, making the collected compromised data extremely useful. And if 

the victim is using the same password, it might be possible to execute a successful login. 

The bad actors also outlined that in some cases military Web applications require the use of a specific proxy. In these cases, 

they organize reverse proxies 3 on the victims in order to access sensitive resources from the same network pool and even IP 

addresses. 

3) A back-connect or reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests 

to the appropriate backend server (C&C on the cybercriminal’s side). 

15



DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .gov: 

gsa.gov – 44% (.44305) 

faa.gov – 3% (.03318) 

bop.gov – 2% (.02058) 

va.gov – 8% (.08273) 

gsa.gov – 44% (.44305) 

nasa.gov – 5% (.04955) 

va.gov – 8% (.08273) 

nps.gov – 4% (.04200) 

nasa.gov – 5% (.04955) 

state.gov – 3% (.02730) 

faa.gov – 3% (.03318) 

ee.doe.gov - 2% (.02394) 

Other .gov – 25% (.2500) 

fws.gov – 2% (.02394) 

epa.gov – 2% (.01764) 

state.gov – 3% (.02730) 

ee.doe.gov - 2% (.02394) 

bo 

epa 

Oth 

nps.gov – 4% (.04200) 

fws.gov – 2% (.02394) 

16



DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .mil: 

navy.mil – 25% 

mail.mil – 19% 

navy.mil – 25% 

mail.mil – 19% 

usace.army.mil – 18% 

us.af.mil – 15% 

usace.army.mil – 18% 

us.army.mil – 5% 

usmc.mil – 4% 

us.army.mil – 5% 

Other.mil – 14% 

usmc.mil – 4% 

Other.mil – 14% 

us.af.mil – 15% 

17



DISTRIBUTION OF EXTRACTED CREDENTIALS BY DOMAIN NAME: .edu: 

usc.edu – 17% 

bsu.edu - 3% 

cnm.edu – 2% 

mail.missouri.edu – 16% 

usc.edu – 17% 

ufl.edu – 4% 

farmingdale.edu - 3% 

si.edu - 3% 

bsu.edu - 3% 

Illinois.edu – 2% 

umich.edu -2% 

cn 

mail.missouri.edu ilstu.edu – 4% – 16% 

taliesin.edu – 2% 

farmingdale.edu - 3% 

Other.edu – 36% 

Illi 

vt.edu – 4% 

ufl.edu – 4% 

alumn.mit.edu – 2% 

si.edu - 3% 

um 

ilstu.edu – 4% 

taliesin.edu – 2% 

18 

Ot



GOVRAT V.2.0 LIFE CYCLE 

List of GOV/MIL Employees 

@nasa.gov 

@army.mil 

@navy.mil 

Bad Actor GovRAT v.2 

“Popopret” 

STAGE 1 

Bad Actor #2 

“PoM” 

Spear Phishing 

Drive-By Download 

USB Flash Drives 

Victim 

Network Sniffing 

Password Collection 

.GOV / .MIL 

USB Worm 

SSH Server 

FTP Server 

STAGE 2 STAGE 2 

STAGE 2 

Targeted Infections 

Credentials Sniffing 

Drive-By Download 

Data Exfiltration 

19



The organizations targeted by the GovRAT v2.0 malware primarily conduct their operations in English. 

However, several samples with non-English signatures for data exfiltration related to names of the 

documents, their security classification, author and additional details have been identified. 

In most cases, the bad actors perform two stages of drive-by download attacks. The first stage targets the 

initial victim and the second stage targets the server-side compromise (regarding other employees). This 

multi-stage approach allows the bad actors to target a broad number of victims, progressing from a single 

infection, leading to deeper intrusions into specific organizations and data exfiltration which can include a 

variety of record attributes or data elements. 

ABOUT INFOARMOR 

InfoArmor offers industry-leading identity and cyber intelligence services that 

help our clients fight emerging fraud and advanced cyber threats. We combine an 

unparalleled global research network with big data analysis, actionable intelligence 

and customized service to meet clients’ dynamic security needs. From employee 

to enterprise, InfoArmor is redefining how organizations fight fraud and combat an 

evolving threat landscape to mitigate risk on multiple levels. 

Today, more than 600 businesses and government agencies, including 50 of the 

Fortune 500, use PrivacyArmor ® , the industry leading employee identity protection 

solution, or VigilanteATI TM , our award-winning advanced threat intelligence platform to 

improve their data security posture. 

For more information please visit the InfoArmor website at infoarmor.com, or contact 

InfoArmor sales at +1 480 302 6701, or email sales at ati@infoarmor.com. 

20

800 789 2720 / ATI.INFOARMOR.COM 

IAATIHCWP 07 2016

GOVRAT V2.0

Create successful ePaper yourself

Delete template?

Save as template?