GovRAT, the malware-signing-as-a-service platform in the underground

Pierluigi Paganini November 04, 2015

Security experts at InfoArmor discovered GovRAT, a malware-signing-as-a-service platform that is offered to APT groups in the underground.

In the past, I have explained why digital certificates are so attractive to crooks and intelligence agencies; one of the most interesting uses is signing malware code in order to fool antivirus software. Naturally, digital certificates are becoming a precious commodity in the underground ecosystem, and many operators in the black markets have started this lucrative business.

A few weeks ago, experts at IBM Security X-Force observed certificates being offered on the Dark Web under a sales model they called CaaS (Certificates as a Service). Cybercriminals use the Dark Web to sell high-grade code-signing certificates, which they have obtained from trusted certificate authorities, to anyone interested in purchasing them.

The sale of code-signing certificates has increased considerably over the past few months, a trend also confirmed by a recent research analysis conducted by the threat intelligence firm InfoArmor.

The research brought to light a case in which a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before offering a cyber-espionage tool called GovRAT.

GovRAT is a hacking platform that allows the creation of malware; it comes bundled with digital certificates for code signing. The same digital certificates were initially offered for sale on the black marketplace TheRealDeal Market, hosted on the Tor network. GovRAT was offered for sale at 1.25 Bitcoin, but experts observed that the creator is now selling it privately.

GovRAT Digital certificates

The GovRAT tool digitally signs malicious code with code-signing tools such as Microsoft SignTool, WinTrust, and Authenticode technology. The experts believe that the final customers for GovRAT are APT groups targeting political, diplomatic and military employees of more than 15 governments worldwide.

The strains of malware analyzed by the researchers at InfoArmor were signed individually with different digital certificates.

InfoArmor also reported that seven banks, some in the US, and 30 defence contractors have been targeted by GovRAT. It has been estimated that more than 100 organizations have been hit by malware created by the GovRAT platform since early 2014.

What is the price of code-signing digital certificates?

Experts at InfoArmor found these precious commodities on many underground black markets, where they are offered for sale at a price between $600-$900 depending on the CA that issued them. It is quite easy to find code-signing digital certificates issued by Comodo, GoDaddy and Thawte. Digital certificates can of course be revoked by the CA, but as numerous sellers explain, this is a rare event, and companies are often very slow to invalidate them.

“[The buyers are] blackhats (mostly state-sponsored), malware developers,” Andrew Komarov, CIO at InfoArmor, told El Reg. “It is a pretty professional audience, as typical script kiddies and cybercriminals don’t need such stuff. It is used in APTs, organised for targeted and stealth attacks. The appearance of such services on the blackmarket allows [hackers] to perform them much more easily, rather like Stuxnet.”

“It is a pretty specific niche of modern underground market,” “It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Stolen or fake certificates are a prerogative of state-sponsored attacks; they were used in numerous offensives, including Stuxnet and the Sony hack. The experts explained that cyber criminals are obtaining digital certificates through resellers.

“Bad actors buy digital certificates through resellers, where the due diligence of customers is pretty poor,” Komarov explained. “They provide fake names, or fake information about the author and purpose on why they need this certificate, and receive it. After they have received such certificates, they trade it on the blackmarket for malware developers, allowing them to create signed malware for further APT in several minutes.”

InfoArmor reported the case of, a website offering malware-signing-as-a-service with prepared digital certificates.    One such service ran from a website called before the domain was suspended.

Let me suggest reading the report on GovRAT published by InfoArmor.

Pierluigi Paganini

(Security Affairs – GovRAT, code-signing digital certificates)
