GovRAT: Digitally signed malware
- By Brian Robinson
- Nov 06, 2015
Want to know just how sophisticated cyberattacks targeting governments are getting? Security company InfoArmor has identified what it says is a new trend, in which vendors in the underground, industrialized malware marketplace are selling digital certificates that can be used for signing malware code.
The whole endeavor exploits the trust that public key infrastructure confers on signed code: a signed binary lets attackers insert advanced persistent threat (APT) malware into enterprises and run lengthy campaigns that can steal vast amounts of data over time.
Stolen or fake digital certificates were found in the Stuxnet worm and have been used in many of the recent attacks that caused major breaches. As InfoArmor sees it, such certificates are now being used to lend legitimacy to a piece of malware called GovRAT. In fact, the malware is bundled with the digital certificates, and the whole package is sold on TheRealDealMarket in the Tor network for just over $1,200, according to InfoArmor.
The author of GovRAT actually advertises it as ideal for long-term campaigns such as APTs. Once the digitally signed malicious agent is planted on the victim's device, InfoArmor said, it bypasses even modern antivirus software, uses an SSL connection for encrypted communications and obfuscates its traffic enough to frustrate any analysis that is attempted on it.
To date, it seems to have been rather successful. After extracting data from one of the identified GovRAT botnets, InfoArmor said, it found compromised accounts and infected network hosts belonging to employees in the U.S. Army, the Defense Manpower Data Center and the U.S. Marine Corps. Defense subcontractors also seemed to be key targets.
From that, the company believes the attacks are focused on the personal data and credentials of military community members who have access to classified documents and to systems such as MarineNet.
Brian Robinson is a freelance technology writer for GCN.