Dive Brief:
- A highly sophisticated group of cybercriminals has been targeting military and government networks with malware that contains "advanced cyberespionage functionalities," according to security company InfoArmor.
- The company says it identified GovRAT malware in November 2015 and recently published a report on its findings. The lifecycle of the malware focuses on reconnaissance, an actual build of the malware and then two different stages of attacks, including "drive-bys" and network shares.
- In May of this year, one of the primary attackers changed their name to "popopret" after being profiled by InfoArmor. The firm said popopret's activities "combined with targeted attacks on U.S. government resources, along with active data exfiltration from hacked Web resources with a sizeable number of federal employee contacts."
Dive Insight:
Malware has exploded this year, and cybercriminals are growing more sophisticated and savvy, able to beat even some of the very best protection systems. But in particular, many are focusing their cybercrime on specific sectors or personnel. Taking a targeted approach toward hacking should not come as a surprise, as different parties have varying agendas when it comes to cybercrime.
Though researchers have found GovRAT in tech organizations, scientific research and the education sector, it is most prevalent in government agencies.
Popopret is working with a "sophisticated group of cybercriminals that are selling stolen and fake digital certificates for mobile and PC-based malware code-signing, used to bypass modern AV solutions for other possible APT campaigns," according to InfoArmor. The malicious actor is selling data from both NASA and the U.S. Navy, in addition to data from other federal agencies.