Hackers have infected several US military and other government agencies with a stealthy piece of malware called GovRAT, created specifically for spying on high-value targets.
First discovered in November 2015 by InfoArmor, the GovRAT malware is a remote access trojan (RAT) sold on the Hell forum and TheRealDeal Dark Web marketplace.
The malware coder’s nickname is bestbuy, but after InfoArmor released its first report, he started using and selling the malware under the Popopret nickname as well.
The malware, recently updated to v2.0, is sophisticated judging by its feature set. The crook selling it chose the name deliberately, to appeal to a specific niche of buyers: hackers who primarily go after government agencies.
According to a recent listing on TheRealDeal, GovRAT’s price is 2.5740 Bitcoin (~$1,600), but users can also buy access to the malware’s source code for $6,000.
In a recent report, InfoArmor says that Popopret is working with another hacker named PoM (Peace_of_Mind), who is separately distributing a series of files containing email addresses and credentials for various kinds of accounts used by US military and government agencies.
PoM's list comprises over 33,000 records, with most of the credentials coming from the US General Services Administration, the US Navy, and several big-name US universities such as USC, Missouri, and the University of Florida. At the time of writing, this listing is no longer active.
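The kind of per-domain breakdown quoted above is what a defender would want to run first on any such dump: which of my domains are in it, and which accounts. The script below is an added example and not InfoArmor's or PoM's material; it parses a small constructed dump in the common `email:password` / `email,password` layouts, deduplicates repeated entries, tallies unique addresses per domain and per sector (inferred from the `.gov`, `.mil` and `.edu` suffixes), and lists the accounts belonging to domains you own. All sample records are invented.

```python
"""Triage a leaked-credential dump by email domain (added example, not
the article's or InfoArmor's code; all records below are constructed)."""
from collections import Counter
import re

# Constructed sample dump mixing the two separators seen in such files,
# a comment, a malformed line, a duplicate and a mixed-case address.
SAMPLE_DUMP = """\
jdoe@gsa.gov:Summer2015!
asmith@navy.mil,P@ssw0rd
bob@usc.edu:trojan123
alice@ufl.edu:gators
carol@missouri.edu:tigers
# comment line
malformed line without separator
jdoe@gsa.gov:Summer2015!
eve@GSA.GOV:changeme
"""

# Sector labels are an assumption based on the top-level domain only.
SECTOR_BY_TLD = {"gov": "US government", "mil": "US military", "edu": "university"}

# email, then ':' ',' or ';' as separator, then whatever the secret is
EMAIL_RE = re.compile(r"^([^\s@:,;]+@[^\s@:,;]+\.[A-Za-z]{2,})\s*[:,;]\s*(.*)$")


def parse_dump(text):
    """Return a list of (email, secret) tuples.

    Blank lines, '#' comments and lines that do not look like
    'email<sep>secret' are skipped; emails are lower-cased so that the
    same account written in different case is counted once later.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = EMAIL_RE.match(line)
        if not m:
            continue
        records.append((m.group(1).lower(), m.group(2)))
    return records


def domain_of(email):
    return email.rsplit("@", 1)[1]


def tally(records):
    """Count unique addresses per domain and per sector."""
    unique = {email for email, _ in records}
    per_domain = Counter(domain_of(e) for e in unique)
    per_sector = Counter()
    for dom, n in per_domain.items():
        tld = dom.rsplit(".", 1)[-1]
        per_sector[SECTOR_BY_TLD.get(tld, "other")] += n
    return per_domain, per_sector


def affected_accounts(records, my_domains):
    """Unique addresses in the dump that belong to the given domains."""
    wanted = {d.lower() for d in my_domains}
    return sorted({e for e, _ in records if domain_of(e) in wanted})


if __name__ == "__main__":
    recs = parse_dump(SAMPLE_DUMP)
    by_domain, by_sector = tally(recs)
    print("records parsed:", len(recs))
    for dom, n in by_domain.most_common():
        print(f"{n:5d}  {dom}")
    print("by sector:", dict(by_sector))
    print("my accounts:", affected_accounts(recs, ["gsa.gov"]))
```

Dedup on the lower-cased address matters: dumps of this kind are frequently re-posted with overlap, and raw line counts (such as a headline "33,000 records") overstate the number of distinct accounts to reset.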
Why is this important? InfoArmor says a GovRAT buyer would be encouraged to buy the list as well, because it supplies the targets needed to spam government officials, either delivering the malware as a file attachment or luring victims to a website that serves GovRAT 2.0 via a drive-by download.
Additionally, InfoArmor says Popopret also works with sellers of fake code-signing certificates, referring clients to them so they can sign GovRAT binaries and make them less likely to be flagged by antivirus engines. A binary carrying a valid-looking signature is therefore not, on its own, evidence that it is safe.