GovRAT is a malware creation tool that comes bundled with digital certificates for code signing, initially sold through TheRealDeal Market, an underground marketplace on the so-called dark net that is only accessible using Tor.
Dark-Web Cottage Industry - GovRAT
1. DARK-WEB COTTAGE INDUSTRY - GOVRAT
ABU AYUB ANSARI, SYED
11TH NOV 2015
UNIVERSITY OF TEXAS AT ARLINGTON
2. COTTAGE-INDUSTRY BUSINESS
• Reselling digital certificates that allow code-signing of malware.
• Stolen or fake digital certificates are used to validate the malware, GovRAT.
• Ideal for long-term campaigns.
• A fairly specific niche of the modern underground market.
3. GOVRAT
• Intro:
• "Malware-Signing-as-a-Service"
• Malware creation tool + Digital certificates + Code-signing.
• Provides the assurance that the software is from a legitimate source.
• Stolen certificates from: Comodo, Thawte, DigiCert and GoDaddy.
• Exploit:
• Many protection mechanisms check for the digital certificate and stop investigating the software beyond this.
• Best for:
• Sacrifices automation for stealthier attacks.
4. GOVRAT
• Working:
• Uses a stolen, fake, or reseller-bought digital certificate.
• Signs with Microsoft SignTool, WinTrust and Authenticode technology.
• Can communicate over SSL.
• Advanced persistent threat (APT).
• Self-encryption and anti-debugging tools.
• Available @:
• TheRealDealMarket in the Tor network for just over $1,200; now sold privately.
• Victims:
• 15 Govts, 7 banks, 30 defense contractors and over 100 corporations.
6. PREVENTIONS:
• Rely on defense in depth; a valid signature alone is not proof of a legitimate source.
• Monitor the list of both signed and unsigned software.
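The two slides above (the "exploit" point that many protection mechanisms stop at the certificate check, and the preventions of defense in depth and monitoring signed and unsigned software) can be demonstrated with a defender-side inventory script. This is an added example written for this page, not code from the slides or from GovRAT: it walks a directory, verifies each Authenticode signature with Get-AuthenticodeSignature, and records the signer, so that a validly signed binary from a publisher you do not recognize is flagged rather than silently trusted. The scan root, the publisher allow-list and the report path are placeholders chosen for the example.

```powershell
# Added example (not from the slides): inventory executables, verify Authenticode
# signatures, and flag signed binaries whose publisher is not on an allow-list.
# Assumptions: $ScanRoot, $TrustedPublishers and $ReportPath are placeholders for
# this example; adjust them to your environment.

param(
    [string]$ScanRoot = "$env:ProgramFiles",            # assumption: directory to inventory
    [string[]]$TrustedPublishers = @(                    # assumption: placeholder allow-list
        'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
    ),
    [string]$ReportPath = "$env:TEMP\signature-inventory.csv"
)

$files = Get-ChildItem -Path $ScanRoot -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue

$inventory = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    # Classify the file. A valid signature from an unknown publisher still needs a
    # second look: a stolen or reseller-bought certificate chains to a trusted root
    # exactly as a legitimate one does, so "Valid" by itself proves little.
    $verdict = switch ($sig.Status) {
        'NotSigned' { 'UNSIGNED' }
        'Valid'     {
            if ($TrustedPublishers -contains $subject) { 'SIGNED-KNOWN' }
            else { 'SIGNED-UNKNOWN-PUBLISHER' }
        }
        default     { "SIGNATURE-$($sig.Status)" }   # HashMismatch, NotTrusted, UnknownError, ...
    }

    [pscustomobject]@{
        Path        = $f.FullName
        Status      = $sig.Status
        Signer      = $subject
        Thumbprint  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        NotAfter    = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
        TimeStamped = [bool]$sig.TimeStamperCertificate
        SHA256      = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Verdict     = $verdict
    }
}

# Persist the inventory so successive runs can be diffed: a signer or thumbprint
# that appears for the first time is the signal the "monitoring" slide asks for.
$inventory | Export-Csv -Path $ReportPath -NoTypeInformation

# Summary: counts per verdict, then everything that deserves analyst attention.
$inventory | Group-Object Verdict | Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

$inventory | Where-Object { $_.Verdict -ne 'SIGNED-KNOWN' } |
    Sort-Object Verdict, Signer |
    Format-Table Verdict, Signer, Path -AutoSize
```

Run it from an elevated PowerShell prompt so every file under the scan root is readable. The useful output is not the count of valid signatures but the SIGNED-UNKNOWN-PUBLISHER rows and any signer or thumbprint that was absent from the previous run's CSV; those are the cases where trusting the certificate check alone would have ended the investigation too early.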