Researchers at SafeBreach noted a remote access trojan called CodeRAT, which is capable of a range of malicious activities once deployed on the targeted system.

Hailing from Iran, CodeRAT is aimed at Farsi-speaking software developers, stealing their work from IDEs along with other sensitive information. The RAT can be controlled through a Telegram bot and uses a public anonymous file-upload API to exfiltrate the stolen data.

A Sophisticated RAT Targeting Software Devs

Most of the time, remote access trojans are deployed for two major reasons – either to steal the target’s data or to serve as a backdoor for conducting other malicious operations, like ransomware.

CodeRAT is one among them, made for stealing the work and other sensitive data of Farsi-speaking software developers. Its code is said to originate from Iran, and it is sophisticated enough to steal data by uncommon means, say SafeBreach researchers.

Explaining how this works, the researchers said the malware supports around 50 commands, including taking screenshots, copying clipboard content, listing running processes, terminating processes, checking GPU usage, downloading, uploading and deleting files, and executing programs.

It is also capable of spying on sensitive windows belonging to tools such as Visual Studio, Python, PhpStorm, and Verilog. Deployment of CodeRAT starts with a Word document sent to the target that includes a Microsoft Dynamic Data Exchange (DDE) exploit.
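Because the initial lure is a Word document carrying a DDE field, a defender's first check is whether incoming .docx files contain DDE or DDEAUTO field codes at all. The scanner below is an added example written for this article, not code from SafeBreach or from CodeRAT; it unzips the document, walks every XML part under word/, and reassembles each complex field from its instrText runs before matching, since a field code may be spread across several runs. The sample document it builds in memory is constructed, with placeholder paths, purely so the scanner has something to run on.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
# DDE fields appear as "DDE ..." or "DDEAUTO ..." in the field instruction text.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def extract_field_codes(docx_bytes: bytes) -> list[str]:
    """Return every field instruction string found in the WordprocessingML parts of a .docx."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # Fields can live in the body, headers, footers, footnotes, etc.
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue
            buf = []  # instrText fragments of the complex field currently open
            for el in root.iter():  # document order
                if el.tag == f"{{{W_NS}}}instrText":
                    buf.append(el.text or "")
                elif el.tag == f"{{{W_NS}}}fldChar" and el.get(f"{{{W_NS}}}fldCharType") == "end":
                    # A complex field ends here: join the fragments into one code string.
                    if buf:
                        codes.append("".join(buf).strip())
                        buf = []
                elif el.tag == f"{{{W_NS}}}fldSimple":
                    # Simple fields carry the whole instruction in one attribute.
                    codes.append((el.get(f"{{{W_NS}}}instr") or "").strip())
    return codes


def find_dde_fields(docx_bytes: bytes) -> list[str]:
    """Return only the field codes that invoke DDE; an empty list means no DDE field was found."""
    return [code for code in extract_field_codes(docx_bytes) if DDE_RE.search(code)]


def build_sample_docx(field_code: str) -> bytes:
    """Construct a minimal .docx in memory containing one complex field (constructed sample input).

    The field code is deliberately split across two runs so the scanner's reassembly is exercised.
    """
    half = len(field_code) // 2
    doc = f'''<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:document xmlns:w="{W_NS}"><w:body><w:p>
<w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve">{escape(field_code[:half])}</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">{escape(field_code[half:])}</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r>
<w:r><w:t>field result</w:t></w:r>
<w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part; the scanner ignores it
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx('DDEAUTO "C:\\placeholder\\app.exe" "placeholder args"')
    benign = build_sample_docx('DATE \\@ "yyyy"')
    print("suspicious:", find_dde_fields(suspicious))
    print("benign:", find_dde_fields(benign))
```

Run it over mail-gateway quarantine or a share of inbound attachments; any non-empty result deserves a look, because ordinary business documents have no reason to carry a DDE field. Office's own mitigation for this class of lure is to leave automatic field updating and DDE disabled via the published registry settings, so the scanner complements rather than replaces that hardening.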

Unsuspecting people who download and run the exploit (CodeRAT) hand their systems over to the threat actor, who can carry out malicious activity remotely from a Telegram bot. As the researchers noted, CodeRAT uses a Telegram-based mechanism instead of the usual command and control server setup.

Once in, the threat actor sends a command through his UI; the command is obfuscated and delivered in one of three ways:

  1. Telegram bot API with proxy (no direct requests)
  2. Manual mode (includes USB option)
  3. Locally stored commands on the ‘myPictures’ folder

The threat actor uses the same three channels to exfiltrate the stolen data. Adding to its data-stealing capabilities, CodeRAT can even persist across system reboots without making any changes to the Windows registry, say the researchers, without specifying how.

Well, though it was said to target Farsi-speaking software developers, the author of CodeRAT published the malware’s code as open source after being approached by the researchers, putting the whole community at risk.
