Developer of CodeRAT Trojan Releases Source Code

Vladimir Krasnogolovy
Vladimir Krasnogolovy
3 Min Read
CodeRAT Source code

The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used.

SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign was aimed at Farsi-speaking developers from Iran. They were attacked with a Word document that contained a DDE exploit.

These exploits downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of options after infection. In particular, CodeRAT supports about 50 commands, including creating screenshots, copying the clipboard’s contents, getting a list of running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.

Developer of CodeRAT Trojan Releases Source Code

Let me remind you that we also wrote that ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Trojan Qbot Took Advantage of the Famous Follina Vulnerability.

The CodeRAT malware also has extensive capabilities for monitoring webmail, Microsoft Office documents, databases, social networks, IDE for Windows Android, as well as porn sites and individual sites (for example, the Iranian e-commerce company Digikala or the Eitaa web messenger in Farsi). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.

CodeRAT Source code
CodeRAT UI

Such monitoring, especially spying on porn sites, social media activity, and anonymous browsing tools, leads us to believe that CodeRAT is an intelligence tool used by government-linked attackers. Usually, this is observed in attacks behind the Islamic regime of Iran, which monitors its citizens’ illegal and immoral actions.experts say.

To communicate with its carrier and steal the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API (instead of the traditional C&C infrastructure).

Although this campaign was abruptly interrupted, the researchers could track down the malware developer behind the nickname Mr. Moded. When SafeBreach contacted the CodeRAT developer, he did not initially deny their accusations but instead asked the experts for more information.

CodeRAT Source code

After the experts provided Mr. Moded with evidence linking him to CodeRAT, he was not at a loss and posted the malware’s source code on his GitHub. The researchers warn that now, with the release of the source code, CodeRAT may become more widespread.

You Might Also Like

Hacker Leaks BBVA Bank Data, Including User Details

Cyberattack with the use of ransomware forced Epiq Global to shut down its systems

Phantom Hacker Scams On The Rise, Target Elderly

Raindrop is another malware detected during the SolarWinds hack

Ransomware Attacks Decline in 2023 – Is It True?

TAGGED:
Share This Article
By Vladimir Krasnogolovy
Follow:
Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.
Previous Article Cisco Hacking Cisco Hack Is Linked to Russian-Speaking Hackers from Evil Corp
Next Article Dangers Of Spam Email: How To Avoid & Get Spam Email Revenge Dangers Of Spam Email: Tips How To Avoid, Spam Email Revenge
Leave a comment

Stay Connected

Latest News

FakeBat Malware Exploits Google Search Ads, Again
FakeBat Loader is Back With New Tactics and Payload
Security News
Ivanti EPM RCE vulnerability fixed, patch now
RCE Vulnerability in Ivanti Endpoint Manager Uncovered, Patch Now
Security News
Hacker Uploads Data Leaked in MOVEit Breaches
Hacker Leaks Corporate Data Stolen in 2023 MOVEit Breaches
Security News
"Verify you are human" scam website explained
Verify you are Human Scam
Security News