Go Back   Carder.life > [en] International Forum > Carding News
Reload this Page Malware dev open-sources CodeRAT after being exposed

CARDER.MARKET - CARDING FORUM FOR PROFESSIONAL CARDERS


Reply
 
Thread Tools Display Modes
  #1  
Old 02-03-2025, 03:22 AM
Artifact's Avatar

Artifact Artifact is offline
Administrator
Join Date: Jan 2024
Posts: 0
Default


The source code of a remote access trojan (RAT) dubbed 'CodeRAT' has been leaked on GitHub after malware analysts confronted the developer about attacks that used the tool.
The malicious operation, which appears to originate from Iran, targeted Farsi-speaking software developers with a Word document that included a Microsoft Dynamic Data Exchange (DDE) exploit.
The exploit downloads and executes CodeRAT from the threat actor's GitHub repository, giving the remote operator a broad range of post-infection capabilities.
More specifically, CodeRAT supports about 50 commands and comes with extensive monitoring capabilities targeting webmail, Microsoft Office documents, databases, social network platforms, integrated development environment (IDEs) for Windows Android, and even individual websites like PayPal.
Cybersecurity company SafeBreach reports that the malware also spies on sensitive windows for tools like Visual Studio, Python, PhpStorm, and Verilog - a hardware description language for modeling electronic systems.
To communicate with its operator and to exfiltrate stolen data, CodeRAT uses a Telegram-based mechanism that relies on a public anonymous file upload API instead of the more common command and control server infrastructure.
Although the campaign stopped abruptly when the researchers contacted the malware developer, CodeRAT is likely to become more prevalent now that its author made the source code public,
CodeRAT details
The malware supports around 50 commands that include taking screenshots, copying clipboard content, getting a list of running processes, terminating processes, checking GPU usage, downloading, uploading, deleting files, executing programs.

CodeRAT's GUI command builder
The attacker can generate the commands through a UI tool that builds and obfuscates them and then uses one of the following three methods to transmit them to the malware:
  • Telegram bot API with proxy (no direct requests)

  • Manual mode (includes USB option)

  • Locally stored commands on the 'myPictures' folder

The same three methods can also be used for data exfiltration, including single files, entire folders, or targeting specific file extensions.

Main window giving operators a way to perform manual functions
If the victim's country has banned Telegram, CodeRAT offers an anti-filter functionality that establishes a separate request routing channel that can help bypass the blocks.

HTTP Debugger used as a proxy for Telegram communication
The author also claims that the malware can persist between reboots without making any changes to the Windows registry, but SafeBreach doesn't provide any details about this feature.
CodeRAT comes with strong capabilities that are likely to attract other cybercriminals. Malware developers are always looking for malware code that can be easily turned into a new "product" that would increase their profits.
Reply

Tags
NULL

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump




All times are GMT. The time now is 10:09 PM.

Contact Us - Carder.life - Archive - Top