Source code for new “CodeRAT” backdoor released online
The developer of the new “CodeRAT” backdoor has released the malware’s source code online after being confronted by security researchers, cybersecurity firm SafeBreach reports.
The new Remote Access Trojan (RAT) was deployed via a malicious Word document carrying a Dynamic Data Exchange (DDE) exploit.
Supporting around 50 commands, CodeRAT is designed to monitor a victim’s activity on the local machine (documents, databases, integrated development environments (IDEs)) and online (social media, games, and porn sites), and appears to target Iranian users.
“This type of monitoring – particularly of porn sites, use of anonymous browsing tools, and social media activity – leads us to believe that CodeRAT is an intelligence tool used by a government-linked threat actor,” SafeBreach said.
The decoy document and the targeting of apps specifically designed for Farsi-speaking users suggest that the RAT could be used by Iran’s Islamic regime to monitor the illegal or “immoral” activities of its citizens.
CodeRAT can communicate via Telegram and uses an anonymous public download site instead of a dedicated command and control (C&C) server.
“CodeRAT supports about 50 different commands regarding files, process actions, and theft capabilities of screenshots, clipboards, files, and environmental information. It also supports update commands, level or installation of other malicious binaries,” notes SafeBreach.
The malware has five modes of operation, generates a unique ID for each victim, and can receive commands through a local file (command.txt, under the myPictures folder), through the main user interface, and through the Telegram bot API.
The RAT constantly checks if a boss.txt file exists in the myPictures folder. If the file exists, the malware displays its main window, allowing the user to perform manual operations. The threat also has a second hidden user interface form, which runs if the “data” and “zn” directories exist in its working directory.
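The file and directory names in the two paragraphs above are host-level indicators a responder can sweep for. The following Python is an added example (not code from the article or from SafeBreach) that checks each user profile for `command.txt` and `boss.txt` in the Pictures folder and checks candidate working directories for the `data` plus `zn` pair. It assumes that .NET’s MyPictures special folder resolves to `<profile>\Pictures`, which is the default but can be redirected by policy; the fake profile tree used for the demo is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Files the article says CodeRAT polls for under the victim's myPictures folder:
# command.txt carries commands, boss.txt makes the main window appear.
TRIGGER_FILES = ("command.txt", "boss.txt")
# Directories whose joint presence in the working directory enables the
# hidden second UI form, per the article.
HIDDEN_UI_DIRS = ("data", "zn")


def hunt_profile(profile: Path, pictures_subdir: str = "Pictures"):
    """Return (path, reason) findings for one user profile directory.

    Assumption (not stated in the article): MyPictures is <profile>\\Pictures.
    Pass a different pictures_subdir if the folder is redirected.
    """
    findings = []
    pics = profile / pictures_subdir
    for name in TRIGGER_FILES:
        candidate = pics / name
        if candidate.is_file():
            findings.append((str(candidate), "CodeRAT trigger/command file in Pictures"))
    return findings


def hunt_working_dirs(candidates):
    """Flag candidate working directories containing both data/ and zn/."""
    findings = []
    for d in map(Path, candidates):
        if all((d / sub).is_dir() for sub in HIDDEN_UI_DIRS):
            findings.append((str(d), "both data/ and zn/ present (hidden UI trigger)"))
    return findings


def hunt(profile_root, working_dir_candidates=()):
    """Sweep every profile under profile_root (e.g. C:\\Users) plus any
    directories the analyst suspects of being the RAT's working directory."""
    findings = []
    profiles = sorted(p for p in Path(profile_root).iterdir() if p.is_dir())
    for profile in profiles:
        findings.extend(hunt_profile(profile))
    findings.extend(hunt_working_dirs(working_dir_candidates))
    return findings


def demo():
    """Constructed data: a throwaway profile tree with one infected user."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "alice" / "Pictures").mkdir(parents=True)
        (root / "alice" / "Pictures" / "boss.txt").write_text("")
        (root / "bob" / "Pictures").mkdir(parents=True)
        workdir = root / "alice" / "AppData" / "Local" / "tool"
        (workdir / "data").mkdir(parents=True)
        (workdir / "zn").mkdir()
        # Return only the reasons so the result is stable across machines.
        return [reason for _, reason in hunt(root, [workdir])]


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The checks are deliberately narrow: a lone `data` directory is far too common to alert on, so only the pair is reported, and a hit on `boss.txt` or `command.txt` should be followed by checking which process has the file open rather than treated as proof on its own.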
According to SafeBreach, evidence suggests that CodeRAT is currently being used to target Iranian developers. The Persian-language lure documents, the targeting of specific applications (Visual Studio, Python, PhpStorm and Verilog), and the monitoring of windows belonging to Digikala, an Iranian e-commerce company based in Tehran, support this belief.
Additionally, the security firm believes the threat actors behind CodeRAT may be called Mohsen and Siavahsh, both Persian names.
SafeBreach was able to identify the developer of CodeRAT as the individual behind RoboThief, a Telegram session stealer, who uses the moniker “Mr Moded”. After being confronted about the malware, the developer published the CodeRAT source code on their GitHub account.
Related: Organizations in Europe targeted by the new RAT “Nerbian”
Related: DarkCrystal RAT offers many features at a very low price
Related: Newly detected ‘StrifeWater’ RAT linked to Iranian APT