GOVRAT V2.0

GovRat-2-FINAL2

richreadingbu
12.09.2016

GovRAT v2.0: ATTACKING US MILITARY AND GOVERNMENT

In November 2015, InfoArmor identified the GovRAT malware, which possessed advanced cyberespionage functionalities, and documented these findings in the GovRAT Intelligence Report. Research indicated that GovRAT and the bad actors involved were targeting government and military assets. InfoArmor alerted the identified agencies and targets in order to prevent data exfiltration and to collect actual and current IOCs.

In mid-May 2016, the primary actor changed his nickname to “popopret” after being profiled by InfoArmor [1]. During this time, his activities were combined with targeted attacks on US government resources, along with active data exfiltration from hacked Web resources holding a sizeable number of federal employee contacts.

Based on operatively-sourced information and data breach intelligence, the threat actor is working with a highly sophisticated group of cybercriminals that sells stolen and fake digital certificates for mobile and PC-based malware code-signing, used to bypass modern AV solutions in other possible APT campaigns.

1) GovRAT v.1 - https://www.infoarmor.com/wp-content/uploads/2016/04/Advanced_Persistent_Threats_Code_Signing.pdf

GovRAT V.2 FEATURES

• Access C&C with any browser.
• Compile C&C for Linux OR Windows.
• Cannot be reversed without the private key. 0day anti-debugging.
• Automatically maps all hard disks and network disks.
• Creates a map of files to browse even when the target is offline.
• Remote shell/command execution.
• Upload files or Upload and Execute files to target.
• Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.
• Customized encryption for communications. No two machines will use the same key (ever).
• SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).
• Does not use SOCKS libraries. Uses special Windows APIs to communicate and cannot be blocked.
• C&C creates a one-time password every time the user logs in for extra security.
• Comes with source for FUD keylogger that sends keys to another server.
• Excellent for long term campaigns where a stable connection is needed.

UPDATES

• 100% FUD again after Blue Coat discovered the RAT.
• Network spreading module (using ARP/MITM to hijack all exe downloads) - turns on and off with 1 click.
• Endpoint bypass
• 360 bypass

ADDITIONAL UPDATES (APRIL 28, 2016)

• Browser password dumper (all common browsers)
• Mail password dumper (all common mail clients)
• Cleartext network password sniffer (many modules including http, ftp, imap, pop3, etc...)
• Network shares password dumper (saved passwords)
• USB spread with 2 options (1. fake shortcut method, 2. DLL Hijacking of common applications based on private list and research)
• TOR onion domain support added!

COST

• $1,000 Gets you basic bin and C&C code (no extra modules)
• $1,600 Gets you bin and C&C code (all modules)
• $3,000 Gets you basic source code (no modules)
• $6,000 Gets you source of everything
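The network spreading module listed above relies on ARP poisoning to put the infected host between its neighbours and the gateway. From the defender's side the observable symptom is an IP address that is suddenly announced by a second MAC address. The following is an added example, not InfoArmor's code and not part of GovRAT: a small Python monitor that consumes ARP reply records, pins the gateway to its known MAC, learns the first binding for every other IP, and raises an alert whenever a different MAC claims an already-bound IP. The log line format, the `ArpMonitor` class and the sample traffic are all constructed for this example (the lines are not tcpdump's exact output).

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed line format for this example (not tcpdump's exact output):
#   "<HH:MM:SS> ARP reply <ipv4> is-at <mac>"
ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) ARP reply "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    ts: str
    ip: str
    expected_mac: str   # MAC pinned or first learned for this IP
    observed_mac: str   # MAC that now claims the IP


def parse_arp_reply(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, ip, mac) for an ARP reply line, None for anything else."""
    m = ARP_REPLY.match(line.strip())
    if m is None:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpMonitor:
    """Track IP -> MAC bindings and alert when an IP is claimed by a MAC other
    than its pinned (static_map) or first-learned binding. The baseline is not
    overwritten on conflict, so a host that keeps re-announcing keeps alerting."""

    def __init__(self, static_map: Optional[Dict[str, str]] = None):
        # Pinned bindings (e.g. the gateway) are trusted and never relearned.
        self.binding: Dict[str, str] = {
            ip: mac.lower() for ip, mac in (static_map or {}).items()
        }
        self.alerts: List[Alert] = []

    def observe(self, line: str) -> Optional[Alert]:
        parsed = parse_arp_reply(line)
        if parsed is None:
            return None          # requests and non-ARP lines are ignored
        ts, ip, mac = parsed
        expected = self.binding.get(ip)
        if expected is None:
            self.binding[ip] = mac   # learn the first binding for this IP
            return None
        if expected == mac:
            return None
        alert = Alert(ts, ip, expected, mac)
        self.alerts.append(alert)
        return alert

    def suspect_macs(self) -> List[str]:
        """MACs that claimed an IP already bound to a different MAC, sorted."""
        return sorted({a.observed_mac for a in self.alerts})


def run_detection(lines: Iterable[str], static_map=None) -> ArpMonitor:
    mon = ArpMonitor(static_map)
    for line in lines:
        mon.observe(line)
    return mon


# Constructed sample: workstation .21 starts answering for the gateway and a peer.
SAMPLE_ARP_LOG = [
    "09:00:01 ARP reply 10.0.0.1 is-at 00:11:22:33:44:55",
    "09:00:02 ARP reply 10.0.0.20 is-at 00:aa:bb:cc:dd:20",
    "09:00:03 ARP reply 10.0.0.21 is-at 00:aa:bb:cc:dd:21",
    "09:00:04 ARP request who-has 10.0.0.5 tell 10.0.0.20",
    "09:00:05 ARP reply 10.0.0.1 is-at 00:aa:bb:cc:dd:21",
    "09:00:06 ARP reply 10.0.0.20 is-at 00:aa:bb:cc:dd:21",
    "09:00:07 ARP reply 10.0.0.1 is-at 00:aa:bb:cc:dd:21",
]
GATEWAY_PIN = {"10.0.0.1": "00:11:22:33:44:55"}   # assumed known gateway MAC

if __name__ == "__main__":
    monitor = run_detection(SAMPLE_ARP_LOG, GATEWAY_PIN)
    for a in monitor.alerts:
        print(f"{a.ts} {a.ip} expected {a.expected_mac} but announced by {a.observed_mac}")
    print("suspect MACs:", monitor.suspect_macs())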
