GovRAT. Its very name sounds nefarious. Seemingly to have been specifically designed to infiltrate government and corporate systems, this malware has been causing headaches for months. To make matters worse it has been upgraded as of late. Like the very creature it was named after, version 2.0 is a nasty piece of coding ramping up its already potent ability to dig through computers and steal data.
GovRATs success is mainly due to its ability slip through a system antivirus protocols. Like an adept thief in the night, GovRAT first steal digital certificates, then cloaks itself with them. Now looking like a credible piece of data, the malware is then allowed through the antivirus wall, and voila! Once in the system, GovRAT can wreak all sorts of havoc. Data dumps, selective file downloads, remote command executions, and even unauthorised uploads of, what else, even more malware. This is perhaps a company or a government agencies worst nightmare come to life; the unfettered access to their systems by a malicious entity.
As was previously mentioned, GovRAT version 2.0 is a nasty piece of work. It was upgraded and now has the ability to lurk (according to security firms that have studied its code and effects). 2.0 not only grants cybercriminals access to their victims systems but they can now lie in wait and monitor the network traffic of their system. This may seem less dangerous or less profitable than stealing data and information, but it’s just the exact opposite. Victims who have no idea that their systems have been compromised would just go about their day, doing their work as usual. Unbeknownst to them there is another set of eyes looking at every email, chat, download, upload and interaction they have within their computer, silently recording and harvesting information as it comes. Compare that with a user who notices that a file has been stolen, they will then flag the action, stop using the system and bring it in to their IT department to be fixed or destroyed. Cybercriminals value the continuous transfer of data more than a single file or folder.
These types of cybercriminals deal in information and hawk their wares on the black market. It is estimated that some 33,000 user accounts, which includes those from U.S. Government employees, have been successfully traded on the black market. The accounts contain names, addresses, email addresses, login credentials and decrypted passwords. As if that wasn’t bad enough, it seems that the attackers have been using the stolen information to spread GovRAT to other government branches, systems and computers using traditional phishing emails or automatic downloads, also known as drive-by downloads. The truly scary part is that certain departments of the U.S. military and defense have been confirmed victims of GovRAT.
To this day the author of the GovRAT malware remains nameless and faceless. No individual or group has claimed responsibility for the cyberattacks. Indeed, very little is known about the origins of GovRAT itself. It was as if it just appeared out of thin air like a terrible ghost that will be haunting the sleep of IT managers everywhere. However, one thing is for certain. Whoever designed GovRAT is had the long game in mind. Analysis of its code and behavior indicates that it was developed to spy on systems for very long periods of time, likely spanning months and even years.