  • Malware dev open-sources CodeRAT after being exposed

    alf9872000

    • 625 views
    • 3 minutes

    The source code of a remote access trojan (RAT) dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.

     

    The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.

     

    The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.

     

    More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environments (IDEs) for Windows and Android, and even individual websites like PayPal.

     

    Cybersecurity company SafeBreach reports that the malware also spies on sensitive windows for tools like Visual Studio, Python, PhpStorm, and Verilog - a hardware description language for modeling electronic systems.

     

    To communicate with its operator and to exfiltrate stolen data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API instead of the more common command and control server infrastructure.

     

    Although the campaign stopped abruptly when the researchers contacted the malware developer, CodeRAT is likely to become more prevalent now that its author has made the source code public.

    CodeRAT details

    The malware supports around 50 commands that include taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, and deleting files, and executing programs.

     

    CodeRAT's GUI command builder (SafeBreach)

     

    The attacker can generate the commands through a UI tool that builds and obfuscates them and then uses one of the following three methods to transmit them to the malware:

    1. Telegram bot API with proxy (no direct requests)
    2. Manual mode (includes USB option)
    3. Locally stored commands in the 'myPictures' folder

     

    The same three methods can also be used for data exfiltration, including single files, entire folders, or targeting specific file extensions.

     

    Main window giving operators a way to perform manual functions (SafeBreach)

     

    If the victim's country has banned Telegram, CodeRAT offers an anti-filter functionality that establishes a separate request routing channel that can help bypass the blocks.

     

    HTTP Debugger used as a proxy for Telegram communication (SafeBreach)

     

    The author also claims that the malware can persist between reboots without making any changes to the Windows registry, but SafeBreach doesn't provide any details about this feature.

     

    CodeRAT comes with strong capabilities that are likely to attract other cybercriminals. Malware developers are always looking for malware code that can be easily turned into a new "product" that would increase their profits.

     

    Source: Bleeping Computer

    https://www.bleepingcomputer.com/news/security/malware-dev-open-sources-coderat-after-being-exposed/
