Laboratorios de Blue Coat

Labs Blog

GovRAT, the BITS-talking backdoor

GovRAT, the BITS-talking backdoor

Snorre Fagerland


In November 2015 the security outfit InfoArmor published a report about a remote access trojan creation/signing service - GovRAT - being sold in the underground "TheRealDeal" forum. The ad was still up at time of writing, as shown below. Apologies for the color scheme - not one I would have chosen.



The report contained malware hashes, but we were unable to find any of these in any of our sources. However, it mentioned specific traffic patterns and the name of a code signing certificate used - "Open Source Developer, SINGH ADITYA".

We found a sample matching this description in our certificate database with the SHA-256 hash 358e170f91da4eed7498aae705578941e0028936ac2ca741389f4ed081251080. This sample had at the time of writing fairly low detection on VirusTotal.

This executable is built with Visual Studio 2010 and packed using UPX, but is otherwise not obfuscated. When run, the trojan installs itself into an unobstrusive location - typically to %APPDATA%\Roaming\Microsoft\Internet Explorer\reader_sl.exe. Persistence is achieved by placing a *.LNK file pointing to the executable in the user's startup folder. All key parameters are hardcoded into the malware itself, such as the installation location, file names, and command & control server address.

Based on the indicators from the initial file, we were able to find a number of other files that were related. Most of these were indeed digitally signed. Other certificates we found used with GovRAT samples were (Subject, Issuer, Serial):

COMODO RSA Code Signing CA ‎

AFINA Fintek
COMODO RSA Code Signing CA

Open Source Developer, Singh Aditya
Certum Level III CA

COMODO RSA Code Signing CA

Open Source Developer, Muhammad Lee
Certum Level III CA

Open Source Developer, BHARATH KUCHANGI
Certum Level III CA

Open Source Developer, Marc Chapon
Certum Level III CA

AMO-K Limited Liability Company
COMODO RSA Code Signing CA



These samples are of slightly different generations - some include encrypted strings, others do not. The earliest sample we could find has a compile date of July 1, 2014; someone submitted it to VirusTotal the same day.  The latest sample we have is timestamped Sept 29, 2015. 
As mentioned in the InfoArmor report, all samples check for the hard drive volume serial number as means of sandbox evasion. The July 2014 sample, for example, compares the volume serial number of the hard drive against a list of 10 serial numbers known to be used by publicly-available or commercial sandbox tools. The most recent sample checks for 11, which means only one new serial number was added in a little more than a year. This is not very impressive as evasion maintenances go.

If the malware detects one of the known serial numbers in use, it quits immediately. This use of a simple blacklist is fairly rudimentary, and the fact it’s hardcoded means that anyone who can modify the serial number(s) used in virtual hard drives can evade this evasion technique.



GovRAT does check its own Authenticode signature through a call to the Windows API WinverifyTrust:

The API is called with the pgActionID GUID parameter {00AAC56B-CD44-11d0-8CC2-00C04FC295EE} - also known as WINTRUST_ACTION_GENERIC_VERIFY_V2. With these inputdata this API returns the Authenticode verification status of the file object requested, in this case, the malware file itself. This status is communicated back to the bot operator as a character code in the initial C&C checkin.


Whatever evasion methods contained in these backdoors, they run fine in the BlueCoat Malware Analyzer application, and are behaviorally noisy enough to identify with ease.



BITS communication


The ad for GovRAT says that it uses “secret Windows APIs to communicate”. By that, the author refers to the Background Intelligent Transfer Service, also known as BITS. BITS is a service present on any Windows OS from Windows 2000 and upwards. It facilitates resource effective file transfers between machines, and is typically used by Windows Update. However, it also exposes a COM API which non-Windows processes can make use of.  By using BITS, one does not have to bother with the details of managing a TCP connection or creating HTTP headers, as all that is handled by the service. GovRAT uses just this for networking, and this is the reason why GovRAT traffic (as mentioned in the InfoArmor report) contains the UserAgent string “Microsoft BITS/7.5”. This may vary depending on which BITS version the malware has access to, however.

BITS is also a protocol which is normally assumed to be legitimate and allowed through firewalls, and it supports SSL out of the box – all these are features touted by the GovRAT  author.

The use of BITS for malicious purposes is however neither secret nor new. It’s been used by various malware since at least 2007. One interesting aspect of the GovRAT use of BITS is that it deliberately cancels BITS transfer jobs where the job description starts with “bpcd” which is not already in transfer. It is our assumption that these canceled jobs are related to a backup service, but maybe the you peope in the online community knows more about this?
The rationale for this action is not evident – it is something more reminiscent of ransomware activity than surveillance – but perhaps the author simply thought to remove some of the blocking jobs and competition for the bandwith.

At the initial connect to C&C, the sample posts username, Windows version, whether the user is Administrator (denoted by an “!” character), whether the executable has a valid Authenticode signature (denoted by an "~" character), and disk volume serial to the remote host.



The volume serial is later used as part of the encryption scheme for sending commands to the client. GovRAT also defines BITS callbacks to monitor the transfer status of its jobs.


Backdoor capabilities


Commands supported by GovRAT include:

GET : Download a file
PUT : Upload a file
DIR : List directory
DAE : Download And Execute
DEL : Delete file
SLP : Sleep
RNS : Resend initial data
RUN : Run program



Command-and-control infrastructure

Given that GovRAT is being sold as a kit on the Dark Web, we expected to find multiple command and control infrastructures in place. This turned out not to be the case. The C2 servers we found followed similar domain name patterns, resided on the same IP ranges and shared the same dubious history.

The following C&C domains were found in the known GovRAT samples:



In addition, the infrastructure overlaps closely with previously known criminal activity revolving around DDOS and malicious Bitcoin mining. Several toolsets have been observed either downloaded from these machines or calling back to these machines, such as:

Linux/Tsunami, a DDOS bot
Linux/Mayhem bots
IRC-controlled DDOS bots based on Perl2Exe

The main hub for this other activity is This masquerades as a DynDNS domain, but appears not to be.



Overview of the GovRAT infrastructure and related connections


We do not know with certainty that the same person(s) behind GovRAT are behind the other criminal activity emanating from this infrastructure. However, it is a fair assumption that they are affiliated somehow, or at least know each other.


It’s official: You really can’t trust criminals

Blue Coat maintains a database of signed executables, which enable us to go back in time and find files signed with bad certificates. By mining for the certificates mentioned above, we were able to dig up a lot of new GovRAT samples, but that was not all we found. Many different malware campaigns showed up. Some of these were unknown to us, and some were really unexpected.

It is our assumption that these apparently unconnected clusters of malware share this connection simply because the underground certificate vendors resell the certificates over and over.  They surely turn a nice profit by doing this, but they are also obliterating the operational security of their customers. We are not complaining, though their customers might want to ask for a refund.

Here are a few examples:

Open Source Developer, Marc Chapon:

This certificate was used on at least three GovRAT samples and four Bandook trojan samples. It was also apparently sold to the customer coming up next...

Open Source Developer, Muhammad Lee

This certificate was used on at least two GovRAT samples and on at least ten samples of a different malware family. This other family was packed with VMprotect, and needed some manual unpacking. Imagine my surprise when my emulator showed this result:


That’s right. These ten samples all belong to HackingTeam’s infamous “government malware” – Remote Control System, alias RCS.



The HackingTeam aspect


HackingTeam were themselves hacked mid-2015, and a lot of internal company information leaked into the public domain. The GovRAT samples were signed and cryptographically timestamped as far back as July 2014 (Muhammad Lee) and Jan-Feb 2015 (Marc Chapon), so the signing keys were apparently not appropriated as part of the HackingTeam data leak.

Indeed, the leaked emails themselves reveal that HackingTeam late 2014 became aware of the Marc Chapon certificate being used on a Bandook sample. They were upset; especially since the certificate had not been used by them at all, but was a “backup”.

Most of the RCS samples do however appear to be part of the leaked HackingTeam dataset. A zip file named containing many of these samples was submitted to VirusTotal only a couple of days after the breach. Also, RCS samples are usually tagged with a special “watermark” which uniquely identify customer license; and these samples all contained apparent internal HackingTeam test or development watermarks – DEVEL, HT-HISTORY and HT-MINOTAURO.

The Muhammad Lee certificate itself can be found mentioned in the leaked HackingTeam email spool, along with a number of other certificates – including the one mentioned above - Open Source Developer, Marc Chapon. Other certificates mentioned in the leaked data were:

Open Source Developer, Tony Yeh
Certum Level III CA

Open Source Developer, William Zoltan
Certum Level III CA

Open Source Developer, meicun ge
Certum Level III CA


The first two of these were applied on a few samples, and most of those seem to have been internal test/development cases.  The last certificate – meicun ge – has already been mentioned to in a blog post by CitizenLab, and has been used on a large number of executables (we have 166 RCS samples with this signature).  




Although marketed as an APT tool, the GovRAT malware itself is not really very advanced. Its capabilities are limited, the design is monolithic, and all important parameters are hardcoded in the binary. There are a number of programming errors, and some rookie mistakes – such as including source code filenames in the trojan executable. And, contrary to what the name would suggest, apart from information from the original InfoArmor article we have not seen any indication that GovRAT has been used by governments; but there are connections to pre-existing DDOS and Bitcoin mining infrastructure.

There are some interesting aspects to GovRAT, such as relying exclusively on the BITS protocol for communication with its C&C server. As we have seen before with other protocols like WebDAV, this illustrates that you cannot give any protocol a free pass without scrutiny. In addition, BITS implicitly supports SSL which may further complicate the detection of GovRAT C&C traffic.

More interesting is the convoluted connection between professional surveillance outfits such as the Italian HackingTeam and the criminal malware economy. There is a gray market here which is largely unexamined.








HackingTeam Remote Control System:

Signed Bandook trojans:

Signed Perl2EXE IRC bots: