Iranian hackers leak code for their CodeRATSecurity Affairs malware


The author of the remote access trojan (RAT) CodeRAT has leaked the source code of its malware on GitHub.

The development team behind the remote access trojan (RAT) CodeRAT leaked the source code of its malware on GitHub after the

SafeBreach Labs researchers recently analyzed a new targeted attack targeting Farsi-speaking code developers. Attackers used a Microsoft Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit as well as a previously undiscovered Remote Access Trojan (RAT) tracked as CodeRAT by SafeBreach Labs researchers .

The interesting aspect of this investigation is that the researchers were able to identify the CodeRAT developer who, after being confronted with us, chose to release the CodeRAT source code in their public GitHub account.

CodeRAT allows its operators to monitor victim’s activity on social networks and local machines by supporting 50 commands including taking screenshots, copying clipboard, stopping processes , analyzing GPU usage, uploading/downloading/deleting files, monitoring running processes and running programs. the malicious code can monitor webmail, Microsoft Office documents, databases, social networks, games, integrated development environments (IDEs) for Windows and Android, and porn sites. CodeRAT also monitors a large number of browser window titles, two of which are unique to Iranian victims, a popular Iranian e-commerce site and a Farsi-language web messenger.

Experts believe the malware is surveillance software used by the Iranian government.

“This type of monitoring, particularly of porn sites, anonymous browsing tool usage, and social media activity, leads us to believe that CodeRAT is an intelligence tool used by a government-linked threat actor. . This is commonly seen in attacks carried out by the Islamic regime of Iran to monitor the illegal/immoral activities of their citizens. reads the analysis published by SafeBreach Labs.

The CodeRAT used versatile communication methods, it supports communication on Telegram groups using bot API or via USB. The malicious code is also able to operate in stealth mode avoiding sending data back. The malware does not use a dedicated C2 server, but uploads data to an anonymous public site.

CodeRAT limits its use to 30 days to avoid detection, it will also use the HTTP Debugger website as a proxy to communicate with its C2 Telegram group.

The researchers also found evidence that the names of the attackers could be Mohsen and Siavahsh, which are common Persian names.

“By sharing information specifically about our discovery of CodeRAT, our goal is to raise awareness of this new, unrecognized type of malware that leverages a relatively new technique of using an anonymous download site as a C2 server. We also hope to warn the developer community that they are particularly vulnerable to being targeted by this attack. concludes the analysis.

The report also includes Indicators of Compromise (IOC) and YARA rules.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, malware)

Share on


Comments are closed.