Developer of CodeRAT Trojan Releases Source Code

CodeRAT Source code

The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used.

SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign, apparently, was aimed at Farsi-speaking developers from Iran. They were attacked with a Word document that contained a DDE exploit.

This exploit downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of options after infection. In particular, CodeRAT supports about 50 commands, including creating screenshots, copying the contents of the clipboard, getting a list of running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.

Let me remind you that we also wrote that ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Trojan Qbot Took Advantage of the Famous Follina Vulnerability.

The CodeRAT malware also has extensive capabilities for monitoring web mail, Microsoft Office documents, databases, social networks, IDE for Windows Android, as well as porn sites and individual sites (for example, the Iranian e-commerce company Digikala or the Eitaa web messenger in Farsi). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.

CodeRAT Source code
CodeRAT UI

Such monitoring, especially spying on porn sites, social media activity and the use of anonymous browsing tools, leads us to believe that CodeRAT is an intelligence tool used by government-linked attackers. Usually, this is observed in attacks that are behind the Islamic regime of Iran, which monitors the illegal and immoral actions of its citizens.experts say.

To communicate with its carrier and steal the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API (instead of the traditional C&C infrastructure).

Although this campaign was abruptly interrupted, the researchers were able to track down the malware developer behind the nickname Mr Moded. When SafeBreach contacted the CodeRAT developer, he did not at first deny their accusations, but instead asked the experts for more information.

CodeRAT Source code

After the experts provided Mr Moded with evidence linking him to CodeRAT, he was not at a loss and simply posted the source code of the malware on his GitHub. The researchers warn that now, with the release of the source code, CodeRAT may become more widespread.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

View all of Vladimir Krasnogolovy's posts.

Leave a comment

Your email address will not be published.