An updated version of a sophisticated piece of malware called GovRat is on sale on the Dark Web, according to cybersecurity firm InfoArmor. GovRat is used to conduct “cyberespionage campaigns” against targets including the US government, and is tough to detect, said InfoArmor. The updated malware now features an additional function to secretly monitor network traffic over the victim’s computer.

“On the identified GovRat v2.0 distribution campaigns, the bad actor is using drive-by download attacks using Angler EK and Nuclear EK,” said Andrew Komarov, chief intelligence officer, in a research paper, referencing two well-known exploit kits.

The cybersecurity firm published details on GovRat in November, describing how it was designed to circumvent antivirus tools through the use of stolen digital certificates. InfoArmor alerted the identified agencies and targets in order to prevent data exfiltration and to collect actual and current IOCs.

In mid-May 2016, the primary actor changed his nickname to “popopret” after being profiled by InfoArmor, the company said.

During this time, his activities were combined with targeted attacks on US government resources, along with active data exfiltration from hacked Web resources with a sizeable number of federal employee contacts.

According to Komarov, “the threat actor is working with a highly sophisticated group of cybercriminals that are selling stolen and fake digital certificates for mobile and PC-based malware code-signing, used to bypass modern AV solutions for other possible APT campaigns.”

The malware kit, which has appeared on several Dark Web sites, including The Real Deal, costs between $1,000 and $6,000. On one shady website, the cybercriminal is also selling what he/she claims to be stolen credentials and server access to a number of US government and military groups.

Malware on Sale on The Real Deal

Buyers of GovRAT have also been supplied with a stolen database of 33,000 Internet accounts, some of which belong to U.S. government employees, according to InfoArmor. It includes email addresses, hashed passwords, full names, and addresses.

Although the security firm declined to say how many U.S. government agencies have been attacked with GovRAT, its report said they include defense and military departments.