Malware dev open-sources CodeRAT after being exposed

The source code of a remote access trojan (RAT) dubbed ‘CodeRAT’ has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.

The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.

The exploit downloads and executes CodeRAT from the threat actor’s GitHub repository, giving the remote operator a broad range of post-infection capabilities.
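As an added defender-side example, not taken from the article or from SafeBreach's report, the following Python scanner flags DDE/DDEAUTO field instructions inside the OOXML parts of a .docx/.docm, the kind of field a DDE-abusing Word document such as the one described above relies on. It builds two constructed sample files in memory; the program name and arguments in the malicious sample are placeholders.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)  # field keywords that invoke DDE

def field_instructions(xml_bytes):
    """Yield the complete instruction string of every field in one WordprocessingML part."""
    # Simple fields keep the instruction in w:fldSimple/@w:instr; complex fields sit between
    # fldChar begin/end runs and are often split over several w:instrText runs, so join first.
    depth, buf = 0, []
    for el in ET.fromstring(xml_bytes).iter():
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            depth += kind == "begin"
            if kind == "end" and depth:
                depth -= 1
                if depth == 0:  # outermost field closed: emit everything collected
                    yield "".join(buf)
                    buf = []
        elif el.tag == W + "instrText" and depth:
            buf.append(el.text or "")

def find_dde_fields(docx_bytes):
    """Return [(part, instruction)] for every DDE/DDEAUTO field in a .docx/.docm archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():  # body, headers, footers and footnotes all live under word/
            if name.startswith("word/") and name.endswith(".xml"):
                try:
                    for instr in field_instructions(zf.read(name)):
                        if DDE_RE.search(instr):
                            hits.append((name, " ".join(instr.split())))
                except ET.ParseError:
                    pass  # not a WordprocessingML part; nothing to inspect
    return hits

def make_docx(body_xml):  # constructed helper: minimal .docx holding only word/document.xml
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{W[1:-1]}"><w:body>{body_xml}</w:body></w:document>')
    return out.getvalue()

# Constructed samples: a DDEAUTO instruction split across two runs, and a harmless PAGE field.
DDE_SAMPLE = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText>DDEAU</w:instrText></w:r>'
    '<w:r><w:instrText>TO "placeholder-program" "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
CLEAN_SAMPLE = make_docx('<w:p><w:fldSimple w:instr=" PAGE "/></w:p>')
```

Joining split `w:instrText` runs matters: a field keyword broken across runs is invisible to a naive per-element string match.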

More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environments (IDEs) for Windows and Android, and even individual websites like PayPal.

Cybersecurity company SafeBreach reports that the malware also spies on sensitive windows for tools like Visual Studio, Python, PhpStorm, and Verilog – a hardware description language for modeling electronic systems.

To communicate with its operator and to exfiltrate stolen data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API instead of the more common command and control server infrastructure.

Although the campaign stopped abruptly when the researchers contacted the malware developer, CodeRAT is likely to become more prevalent now that its author has made the source code public.

CodeRAT details

The malware supports around 50 commands that include taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, and deleting files, and executing programs.

CodeRAT’s GUI command builder (SafeBreach)

The attacker can generate the commands through a UI tool that builds and obfuscates them and then uses one of the following three methods to transmit them to the malware:

  1. Telegram bot API with proxy (no direct requests)
  2. Manual mode (includes USB option)
  3. Locally stored commands in the ‘myPictures’ folder

The same three methods can also be used for data exfiltration, including single files, entire folders, or targeting specific file extensions.

Main window giving operators a way to perform manual functions, including exfiltrating data onto USB drives (SafeBreach)

If the victim’s country has banned Telegram, CodeRAT offers an anti-filter functionality that establishes a separate request routing channel that can help bypass the blocks.

HTTP Debugger used as a proxy for Telegram communication (SafeBreach)

The author also claims that the malware can persist between reboots without making any changes to the Windows registry, but SafeBreach doesn’t provide any details about this feature.

CodeRAT comes with strong capabilities that are likely to attract other cybercriminals. Malware developers are always looking for malware code that can be easily turned into a new “product” that would increase their profits.

Source: www.bleepingcomputer.com