CyberMorans,
The source code of a remote access trojan (RAT) dubbed 'CodeRAT' đ has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool đ
The malicious operation đ, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit. The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.
More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment (IDEs) for Windows Android, and even individual websites like PayPal.
âThis type of monitoring đ specifically of pornographic sites, use of anonymous browsing tools, and social network activitiesâleads us to believe CodeRAT is an intelligence tool used by a threat actor tied to a government. It is commonly seen in attacks operated by the Islamic regime of Iran đ to monitor illegal/immoral activities of their citizens.â - analysis published by SafeBreach Labs.
Cybersecurity company SafeBreach reports that the malware also spies on sensitive windows for tools like Visual Studio, Python, PhpStorm, and Verilog - a hardware description language for modeling electronic systems. To communicate with its operator and to exfiltrate stolen data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API instead of the more common command and control server infrastructure.
Although the campaign stopped abruptly when the researchers contacted the malware developer, CodeRAT is likely to become more prevalent now that its author made the source code public,
CodeRAT details
The malware supports around 50 commands that include taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, deleting files, executing programs.
The malicious code can monitor webmail, Microsoft Office documents, databases, social networks, games, integrated development environments (IDEs) for Windows and Android, and pornographic sites. CodeRAT also monitors a large number of browser window titles, two of which are unique to Iranian victims, a popular Iranian e-commerce site and a web messenger in Farsi.
CodeRAT limits its usage to 30 days to avoid detection, it will also use the HTTP Debugger website as a proxy to communicate with its C2 Telegram group. The researchers also found evidence that the attackersâ names may be Mohsen and Siavahsh, which are common Persian names.
CodeRAT's GUI command builder
The hacker can generate the commands through a UI tool that builds and obfuscates them and then uses one of the following three methods to transmit them to the malware:
đ Telegram bot API with proxy (no direct requests)
đ Manual mode (includes USB option)
đ Locally stored commands on the 'myPictures' folder
The same three methods can also be used for data exfiltration, including single files, entire folders, or targeting specific file extensions.
Main window giving operators a way to perform manual functions
If the victim's country has banned Telegram, CodeRAT offers an anti-filter functionality that establishes a separate request routing channel that can help bypass the blocks.
HTTP Debugger used as a proxy for Telegram communication (SafeBreach)
The author also claims that the malware can persist between reboots without making any changes to the Windows registry, but SafeBreach doesn't provide any details about this feature.
CodeRAT comes with strong capabilities that are likely to attract Newbies, scriptkiddies and cybercriminals. Malware developers are always looking for malware code that can be easily turned into a new "product" that would increase their profits.
Sourced: Bleepingcomputer
Conclusion
Subscribe to receive notifications of similar posts đ where we will be reverse engineering malware and the technical aspect of vulnerabilities as well as how an attacker may use this vulnerability as an attack vector and other Infosec stuff...đ
Morans,
Thank you for your time, Like and leave a comment/review and as always, stay awesome! đđ đŞ
Kommentit