Researchers at SafeBreach noted a remote access trojan called CodeRAT, which is capable of a range of malicious activities once deployed into the targeted system.

Hailing from Iran, CodeRAT is aimed at Farsi-speaking software developers to steal their work from IDEs and other sensitive information. This RAT can be controlled by a Telegram bot and uses public anonymous file upload API for exfiltrating the stolen data.

A Sophisticated RAT Targeting Software Devs

Most of the time, remote access trojans are deployed for two major reasons: either to steal the target's data or to serve as a backdoor for conducting other malicious operations, like ransomware.

CodeRAT is one of them, made for stealing the work and other sensitive data of Farsi-speaking software developers. Its code is said to originate from Iran, and it is sophisticated enough to steal data by uncommon means, say SafeBreach researchers.

Explaining how this works, researchers said the malware supports around 50 commands like taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, deleting files, and executing programs.

It's helpful for spying on sensitive windows of tools like Visual Studio, Python, PhpStorm, and Verilog. Deploying CodeRAT starts with sending the target a Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.
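The DDE delivery vector mentioned above can be checked for on the mail gateway or in a sandbox before a document ever reaches a developer. The following is an added example, not code from SafeBreach or from CodeRAT: it unzips a .docx in memory, collects every Word field instruction (w:instrText and w:fldSimple) and flags DDE/DDEAUTO keywords, joining split runs so that a keyword spread across several text elements is still caught; the sample documents it scans are constructed inline.

```python
import io
import re
import zipfile

# A .docx is a zip of XML parts. Field instructions live in w:instrText elements
# (or the w:instr attribute of w:fldSimple); a DDE/DDEAUTO instruction asks Word
# to launch an external program through Dynamic Data Exchange.
DDE_PATTERN = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)
INSTR_TEXT = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE = re.compile(r'<w:fldSimple[^>]*w:instr="([^"]*)"')


def extract_field_instructions(docx_bytes: bytes) -> list[str]:
    """Return the field instruction text found in each word/*.xml part."""
    instructions = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Instructions are often split over several w:instrText runs;
            # join them per part so "DDE" + "AUTO" is not missed.
            joined = "".join(INSTR_TEXT.findall(xml))
            if joined.strip():
                instructions.append(joined)
            instructions.extend(FLD_SIMPLE.findall(xml))
    return instructions


def has_dde_field(docx_bytes: bytes) -> bool:
    """True if any field instruction in the document carries a DDE keyword."""
    return any(DDE_PATTERN.search(i) for i in extract_field_instructions(docx_bytes))


def build_sample_docx(body_xml: str) -> bytes:
    """Constructed helper: wrap body XML in a minimal .docx for testing."""
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{body_xml}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples: a harmless PAGE field, and a DDEAUTO field whose keyword
# is split across two runs with a placeholder command (not a real payload).
BENIGN_DOCX = build_sample_docx(
    '<w:p><w:r><w:instrText> PAGE </w:instrText></w:r></w:p>'
)
SUSPECT_DOCX = build_sample_docx(
    '<w:p><w:r><w:instrText> DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\placeholder\\program "placeholder" </w:instrText></w:r></w:p>'
)
```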

Unsuspecting people who download and run the exploit (CodeRAT) hand themselves over to the threat actor, who can then conduct malicious attacks remotely from a Telegram bot. As researchers noted, CodeRAT uses a Telegram-based mechanism instead of the usual command-and-control server setup.

Once in, the threat actor, through his UI, will send a command that is obfuscated and delivered in any of three ways:

  1. Telegram bot API with proxy (no direct requests)
  2. Manual mode (includes USB option)
  3. Locally stored commands in the 'myPictures' folder

The threat actor uses the same three channels to exfiltrate the stolen data as well. Adding to its data-stealing capabilities, CodeRAT can even persist across system reboots without making any changes to the Windows registry, say the researchers, without specifying how exactly.

Though it was said to be targeting Farsi-speaking software developers, the author of CodeRAT has published the malware's code as open source after being approached by the researchers, putting the whole community at risk now.
