GovRAT is a trojan that exploits vulnerabilities in the Windows OS and was designed to target US military and government agencies using sophisticated cyberespionage capabilities. The first version was discovered for sale on a dark web marketplace in November 2015 for the price of 4.5 Bitcoin. Recently, the developer began offering a second version of the malware, GovRAT 2.0, for sale on a dark web forum. GovRAT 2.0 includes anti-debugging and detection evasion features, the ability to automatically map hard drives and network shares, file transfer and remote code execution capabilities, a keylogger, Tor support, and the ability to sniff network passwords. It also acts as a worm, copying itself to connected external drives, such as USB flash drives, in order to spread the infection to other systems. In most cases, GovRAT 2.0 attacks take place via drive-by download and server-side compromise. The basic binaries and C2 code for GovRAT 2.0 are for sale on the dark web for the price of $1,000 USD and the entire software package, including the source code, costs $6,000 USD.
- November 2015: Security experts at InfoArmor discovered GovRAT, a trojan offered to APT groups on the dark web. (Security Affairs)
- September 2016: InfoArmor published a full report on GovRAT 2.0. It is sold on dark web cybercrime forums by a hacker or hackers using the nicknames "BestBuy" and "Popopret," and targets U.S. military and government agencies. (InfoArmor)
- July 2017: The hacker or hackers responsible for GovRAT may be linked to the perpetrator(s) who controlled the Mirai botnet that targeted Deutsche Telekom. (KrebsOnSecurity)