GovRAT 2.0 continues to target US companies and Government

Pierluigi Paganini September 13, 2016

Vxers developed a new version of GovRAT, called GovRAT 2.0, that has been used to target government and many other organizations in the US.

GovRAT is an old cyberespionage tool; it has been in the wild since 2014 and has been used by various threat actors over the years.

Security experts from the threat intelligence company InfoArmor first spotted the malware in 2015.

GovRAT is a hacking platform that allows the creation of malware, and it comes bundled with digital certificates for code signing. The same digital certificates were initially offered for sale on the black marketplace TheRealDeal Market, hosted on the Tor network. In 2015, GovRAT was offered for sale at 1.25 Bitcoin, but experts observed the creator also offering it in private sales.

GovRAT Digital certificates

The GovRAT tool digitally signs malicious code with code-signing tools such as Microsoft SignTool, WinTrust, and Authenticode technology. The experts consider the final customers for GovRAT to be APT groups targeting political, diplomatic and military employees of more than 15 governments worldwide.

The author of GovRAT, who goes online with the moniker “bestbuy,” had been offering its source code, including a code-signing digital certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.

The availability of the source code in the wild allows anyone to modify and improve it, and that is what is happening with GovRAT 2.0.

Vxers recently released a new version of the RAT, called GovRAT 2.0, that has been used by hackers to target the US Government and other organizations in the country.


After the first report published by InfoArmor, Bestbuy also started using the moniker “Popopret.”

The RAT was delivered through spear-phishing and drive-by download attacks. Among the victims are government and military organizations. Data stolen from military organizations was also offered for sale on the black market.

The new strain, GovRAT 2.0, includes several new features, including improved detection evasion methods, remote command execution, and automatic mapping of hard disks and network shares.

According to experts from InfoArmor, government and military agencies have been increasingly targeted by threat actors leveraging the threat.

Below is the complete list of features introduced in GovRAT 2.0, as given in the report “GOVRAT V2.0 ATTACKING US MILITARY AND GOVERNMENT” published by InfoArmor.

  • Access C&C with any browser.
  • Compile C&C for Linux OR Windows.
  • Cannot be reversed without the private key. 0day anti-debugging.
  • Automatically maps all hard disks and network disks.
  • Creates a map of files to browse even when the target is offline.
  • Remote shell/command execution.
  • Upload files or Upload and Execute files to target.
  • Download files from target. All files are compressed with LZMA for faster downloads and encrypted on transport.
  • Customized encryption for communications. No two machines will use the same key (ever).
  • SSL Support for communication. (you have to get your own *Valid* SSL certificate to use this).
  • Does not use SOCKS libraries. Uses special Windows APIs to communicate and cannot be blocked.
  • C&C creates a one-time password every time the user logs in for extra security.
  • Comes with source for FUD keylogger that sends keys to another server.
  • Excellent for long term campaigns where a stable connection is needed.

Another interesting feature implemented by the malware is its ability to spread via USB devices and network shares like a worm.

The prices range from $1,000 for a basic binary and the code for the command and control, up to $6,000 for a complete package that includes the source code of every component of the malicious infrastructure and the extra modules.

Security experts have discovered several offers for credentials for many U.S. government domains, including,,,, and, and domains related to the U.S. military, such as,, and

“On one of the underground communities in the TOR network, the same bad actor is selling compromised credentials relating to FTP servers of various US Government entities” reads the report. “In addition to, and, the bad actor is selling several credentials for subdomains at and”

The credentials have also been used in multiple GovRAT 2.0 attacks. Experts also observed the use of another 33,000 credentials stolen from US government, research and educational organizations, provided by a partner of the malware creator, the hacker known as “PoM,” aka Peace_of_Mind or Peace.

“There is another bad actor identified as “PoM,” who is a partner of popopret, and is selling 33,000 records with credentials related to the US Government and various research and educational organizations.” reads the report. “In the post description, he outlines that the data was hashed but he was able to decrypt it and can potentially use it for “accessing other agencies,” as well as for use in SE (social engineering) and spear phishing campaigns. PoM provides the stolen data of government and military employees to other actors using GovRAT v2.0 for highly targeted malware delivery. After a thorough analysis, it was determined that most of this data was accessed from the hacked National Institute of Building Sciences ( website. It contains numerous members from the research, educational, government and military community. “

For more details on GovRAT 2.0, take a look at the report published by InfoArmor.


Pierluigi Paganini

(Security Affairs – GovRAT 2.0, malware)
