The source code of the CodeRAT remote access trojan has been published on GitHub. This happened after security researchers identified the malware's developer and confronted him over the attacks in which this “tool” was used.
According to SafeBreach, the attacks using CodeRAT were built as follows: the campaign was apparently aimed at Farsi-speaking developers in Iran, who were targeted with a Word document containing a DDE exploit.
The exploit downloaded and ran CodeRAT from the attacker’s GitHub repository, giving the remote operator a wide range of capabilities once a machine was infected. CodeRAT supports about 50 commands, including taking screenshots, copying clipboard contents, listing running processes, terminating processes, checking GPU usage, uploading, downloading and deleting files, executing programs, and so on.
The malware also has extensive capabilities for monitoring webmail, Microsoft Office documents, databases, social networks, IDEs for Windows and Android, as well as porn sites and specific individual sites (for example, the Iranian e-commerce company Digikala or the Farsi-language web messenger Eitaa). In addition, the malware spies on the windows of tools such as Visual Studio, Python, PhpStorm, and Verilog.
“Such monitoring, especially spying on porn sites, social media activity and the use of anonymous browsing tools, leads us to believe that CodeRAT is an intelligence tool used by government-linked attackers. Usually, this is observed in attacks that the Islamic regime of Iran, which monitors the illegal and immoral actions of its citizens, is behind,” the experts say.
To communicate with its operator and exfiltrate the collected data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file-upload API instead of traditional C&C infrastructure. Although the campaign was abruptly interrupted, the researchers were able to track down the malware developer behind the nickname Mr Moded. When SafeBreach contacted the CodeRAT developer, he did not initially deny their accusations, but instead asked the researchers for more information.
After the experts provided Mr Moded with evidence linking him to CodeRAT, he was unfazed and simply posted the malware's source code on his GitHub. The researchers warn that, with the source code now public, CodeRAT may become more widespread.