CodeRAT Developer Releases Source Code Publicly
The source code for the CodeRAT remote access trojan (RAT) has been published on GitHub. This release came after cybersecurity researchers identified the malware’s developer and confronted him about attacks involving this tool.
According to experts from SafeBreach, the CodeRAT attacks appeared to target Farsi-speaking developers in Iran. The attackers used a Word document containing a DDE exploit to deliver the malware. This exploit downloaded and executed CodeRAT from the attacker’s GitHub repository, giving the remote operator extensive control over infected systems.
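The delivery vector described above is a Word document with a DDE field, which Word evaluates when the document is opened. A defender triaging attachments can look for such fields directly in the OOXML parts of a .docx, without opening it in Word. The following is an added example, not code from SafeBreach or from the CodeRAT repository; the sample documents it builds are constructed in memory for the demonstration, and the field codes in them are placeholders, not the ones used in the campaign.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Field instructions that create a DDE link; Word evaluates these on open.
DDE_RE = re.compile(r"\bDDE(AUTO)?\b", re.IGNORECASE)

# Parts of a .docx that can carry field codes (body, headers, footers, notes).
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*|footnotes|endnotes)\.xml$")


def field_codes(xml_bytes):
    """Return every field instruction string found in one OOXML part.

    Complex fields are split across <w:instrText> runs (evasive samples split
    the word itself), so all instrText within a paragraph is joined before
    matching; simple fields keep their code in the w:instr attribute.
    """
    root = ET.fromstring(xml_bytes)
    codes = []
    for para in root.iter(f"{{{W_NS}}}p"):
        pieces = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if pieces:
            codes.append("".join(pieces))
        for simple in para.iter(f"{{{W_NS}}}fldSimple"):
            codes.append(simple.get(f"{{{W_NS}}}instr", ""))
    return codes


def scan_docx(data):
    """Return (part_name, field_code) for every DDE field in the given .docx bytes."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not PART_RE.match(name):
                continue
            for code in field_codes(zf.read(name)):
                if DDE_RE.search(code):
                    hits.append((name, " ".join(code.split())))
    return hits


def make_sample_docx(field_code, split=False):
    """Build a minimal, constructed .docx in memory holding one complex field.

    With split=True the field code is broken across two instrText runs, the
    layout seen in evasive samples; the scanner must still see the whole code.
    """
    parts = [field_code[:3], field_code[3:]] if split else [field_code]
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{escape(p)}</w:instrText></w:r>'
        for p in parts
    )
    body = (
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        f'<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        f'<w:r><w:t>field result</w:t></w:r>'
        f'<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        f'</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder content-types part; a real document has a full one.
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", body)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder field codes (constructed), not the campaign's actual payload.
    dde_doc = make_sample_docx(' DDEAUTO c:\\placeholder\\tool.exe "/x" ')
    split_doc = make_sample_docx(' DDEAUTO c:\\placeholder\\tool.exe "/x" ', split=True)
    clean_doc = make_sample_docx(" PAGE ")
    for label, doc in (("dde", dde_doc), ("split", split_doc), ("clean", clean_doc)):
        print(label, scan_docx(doc))
```

A DDE field is a strong triage signal rather than a verdict on its own, since a few legacy documents link to spreadsheets through DDE; the value of the scanner is that it surfaces the field code, which an analyst can then read. Headers and footers are scanned as well as the body because field codes can live in any of those parts.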
Capabilities of CodeRAT
CodeRAT supports around 50 commands, including:
- Taking screenshots
- Copying clipboard contents
- Listing and terminating running processes
- Checking GPU usage
- Uploading, downloading, and deleting files
- Running programs
The malware also has advanced monitoring features for webmail, Microsoft Office documents, databases, social networks, Windows and Android IDEs, as well as adult websites and specific sites like the Iranian e-commerce platform Digikala and the Farsi-language messenger Eitaa. Additionally, CodeRAT spies on windows of development tools such as Visual Studio, Python, PhpStorm, and Verilog.
Suspected Government Ties
Researchers note, “Such monitoring—especially surveillance of adult sites, social media activity, and the use of anonymous browsing tools—suggests that CodeRAT is an intelligence-gathering tool used by threat actors with government connections. This type of activity is typically seen in attacks linked to the Islamic regime in Iran, which tracks illegal and immoral behavior among its citizens.”
Communication and Data Theft
CodeRAT communicates with its operator and exfiltrates stolen data using a Telegram-based mechanism. Instead of a traditional command-and-control (C&C) infrastructure, it relies on a public API for anonymous file uploads.
Developer Identified and Source Code Released
Although the campaign was abruptly halted, researchers managed to identify the malware’s developer, known online as Mr Moded. When SafeBreach specialists contacted him, he did not deny the allegations and instead requested more information. After being presented with evidence linking him to CodeRAT, Mr Moded responded by simply publishing the malware’s source code on his GitHub account.
Researchers warn that with the source code now public, CodeRAT could become more widespread.