The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used.
SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign, apparently, was aimed at Farsi-speaking developers from Iran. They were attacked with a Word document that contained a DDE exploit.
This exploit downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of options after infection. In particular, CodeRAT supports about 50 commands, including creating screenshots, copying the contents of the clipboard, getting a list of running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.
Let me remind you that we also wrote that ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Trojan Qbot Took Advantage of the Famous Follina Vulnerability.
The CodeRAT malware also has extensive capabilities for monitoring web mail, Microsoft Office documents, databases, social networks, IDE for Windows Android, as well as porn sites and individual sites (for example, the Iranian e-commerce company Digikala or the Eitaa web messenger in Farsi). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.
To communicate with its carrier and steal the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API (instead of the traditional C&C infrastructure).
Although this campaign was abruptly interrupted, the researchers were able to track down the malware developer behind the nickname Mr Moded. When SafeBreach contacted the CodeRAT developer, he did not at first deny their accusations, but instead asked the experts for more information.
After the experts provided Mr Moded with evidence linking him to CodeRAT, he was not at a loss and simply posted the source code of the malware on his GitHub. The researchers warn that now, with the release of the source code, CodeRAT may become more widespread.