An advanced strain of malware called GovRat, reportedly used to conduct "cyberespionage campaigns" against targets including the US government, has been found to be in circulation on the Dark Web, according to cybersecurity firm InfoArmor.
The evolved version of GovRat, which builds on a piece of malware first exposed in November last year, can be used by hackers to infiltrate a victim's computer, remotely steal files, upload malware or compromise usernames and passwords.
The cybercriminal responsible for selling GovRat is allegedly working with a "highly sophisticated" group of hackers known to sell stolen and fake digital certificates that can be used to bypass modern antivirus products.
"On the identified GovRat v2.0 distribution campaigns, the bad actor is using drive-by download attacks using Angler EK and Nuclear EK," stated Andrew Komarov, InfoArmor's chief intelligence officer, in a research paper, referencing two well-known exploit kits.
"GovRat v2 has a fairly advanced network password sniffer and password dumper that is used for further data exfiltration and is spreading via available network resources and connected external devices, such as USB flash drives," he continued. "The bad actor has created their own botnet and collected a significant amount of compromised data."
The malware kit, which has popped up on a number of underground websites including The Real Deal, costs between $1,000 and $6,000. On one illicit website, the cybercriminal is also selling what purports to be stolen credentials and server access to a number of US government and military groups.
The main targets of GovRat version 2.0 – which boasts enhanced anonymity features and network sniffers – are government agencies and scientific research groups, Komarov explained. The previous iteration of the malware mainly targeted IT and educational organisations.
According to an in-depth research paper, the number of GovRat victims is continuing to escalate as the malware is being sold to other hackers on the Dark Web – largely being offered by "key members" of a secretive forum called Hell.
"Several of these individuals are known as professional hackers for hire," Komarov explained. He cited one of them by name: ROR[RG], a notorious hacker who previously targeted Ashley Madison, AdultFriendFinder and the Turkish General Directorate of Security (EGM).
Although InfoArmor has claimed on numerous occasions that GovRat was being used in sophisticated cyberespionage campaigns, no evidence has been offered that links these specific hackers to advanced persistent threat (APT) or nation-state activity.
According to the cybersecurity firm, the primary culprit behind GovRat is called "popopret" – a hacker who has in the past used the pseudonym "bestbuy". The research paper states the hacker has targeted "a sizeable number" of federal staffers.
Working alongside "popopret" is another adversary dubbed "PoM," the paper notes. This hacker, who also uses the alias The Real Deal, is reportedly selling access to over 30,000 records pilfered from the US government, research groups and educational organisations.
These credentials were tested by the security firm and found to contain email addresses, home addresses, real names and hashed passwords. While InfoArmor says it has alerted the compromised government departments, Komarov has declined to say exactly how many entities were attacked with GovRat.