Following a confrontation between malware analysts and the creator over attacks that made use of the programme, the source code for the “CodeRAT” remote access trojan (RAT) was posted on GitHub. A Word document with a Microsoft Dynamic Data Exchange (DDE) exploit was used in the hostile operation, which seemed to come from Iran and targeted Farsi-speaking software developers.
The attack pulls down CodeRAT from the threat actor’s GitHub repository and runs it, offering the remote user a wide range of post-infection options. More specifically, CodeRAT comes with extensive monitoring capabilities and supports about 50 commands. These capabilities target webmail, databases, Microsoft Office documents, social media platforms, integrated development environments (IDEs) for Windows and Android, and even specific websites like PayPal. According to the cybersecurity firm SafeBreach, the malware also monitors private windows used by programmes like Verilog, a hardware description language used to model electronic systems, Python, PhpStorm, and Visual Studio.
Instead of the more typical command and control server infrastructure, CodeRAT uses a Telegram-based method that relies on a public anonymous file upload API to connect with its operator and exfiltrate stolen material. Around 50 commands are supported by the virus, including capturing screenshots, copying content from the clipboard, getting a list of active processes, killing them, checking GPU utilisation, downloading, uploading, deleting files, and running programs.
The attacker can create the commands using a UI tool that creates and obfuscates them, and then sends them to the malware via one of the following three techniques:
- A proxy-based Telegram bot API (no direct requests)
- Manual setting (includes USB option)
- Commands that are locally stored in the “myPictures” folder
The same three techniques, which include focusing on particular file extensions, entire folders, or single files, can also be used to exfiltrate data.
If Telegram has been outlawed in the victim’s nation, CodeRAT has an anti-filter functionality that creates a different request routing channel in order to get around the restrictions. The author also asserts that the malware can survive reboots without altering the Windows registry, yet SafeBreach makes no mention of this capability. Strong capabilities that come with CodeRAT are likely to draw additional cybercriminals. The goal of malware producers is to find malicious code that can be quickly transformed into a new “product” that will boost sales.
