Developer of CodeRAT Trojan Releases Source Code

The source code for the CodeRAT remote access trojan has been published on GitHub. This happened after the security researchers identified the malware developer and called him to account because of the attacks in which this “tool” was used.

SafeBreach experts say that the attacks using CodeRAT were built as follows: the campaign was aimed at Farsi-speaking developers from Iran. They were attacked with a Word document that contained a DDE exploit.

These exploits downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of options after infection. In particular, CodeRAT supports about 50 commands, including creating screenshots, copying the clipboard’s contents, getting a list of running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.

Developer of CodeRAT Trojan Releases Source Code

Let me remind you that we also wrote that ZuoRAT Trojan Hacks Asus, Cisco, DrayTek and NETGEAR Routers, and also that Trojan Qbot Took Advantage of the Famous Follina Vulnerability.

The CodeRAT malware also has extensive capabilities for monitoring webmail, Microsoft Office documents, databases, social networks, IDE for Windows Android, as well as porn sites and individual sites (for example, the Iranian e-commerce company Digikala or the Eitaa web messenger in Farsi). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.

CodeRAT Source code
CodeRAT UI

Such monitoring, especially spying on porn sites, social media activity, and anonymous browsing tools, leads us to believe that CodeRAT is an intelligence tool used by government-linked attackers. Usually, this is observed in attacks behind the Islamic regime of Iran, which monitors its citizens’ illegal and immoral actions.experts say.

To communicate with its carrier and steal the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API (instead of the traditional C&C infrastructure).

Although this campaign was abruptly interrupted, the researchers could track down the malware developer behind the nickname Mr. Moded. When SafeBreach contacted the CodeRAT developer, he did not initially deny their accusations but instead asked the experts for more information.

CodeRAT Source code

After the experts provided Mr. Moded with evidence linking him to CodeRAT, he was not at a loss and posted the malware’s source code on his GitHub. The researchers warn that now, with the release of the source code, CodeRAT may become more widespread.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *