In November 2015, InfoArmor identified GovRAT, malware with advanced cyberespionage functionality, and documented these findings in the GovRAT Intelligence Report. Research indicated that GovRAT and the bad actors involved were targeting government and military assets. InfoArmor alerted the identified agencies and targets in order to prevent data exfiltration and to collect actual and current IOCs.
In mid-May 2016, the primary actor changed his nickname to “popopret” after being profiled by InfoArmor. During this time, his activities were accompanied by targeted attacks on US government resources, along with active data exfiltration from hacked Web resources with a sizeable number of federal employee contacts.
Based on operatively sourced information and data breach intelligence, the threat actor is working with a highly sophisticated group of cybercriminals that sells stolen and fake digital certificates for code-signing mobile and PC-based malware. The certificates are used to bypass modern AV solutions for other possible APT campaigns.
Click here to download the Intelligence Report – GovRAT 2.0 Attacking US Military and Government.