# SafeBreach Uncovers New Remote Access Trojan (RAT)
**safebreach.com/resources/blog/remote-access-trojan-coderat**
US Cert Alerts | Research
Sep 1, 2022
## SafeBreach Labs Researchers Uncover New Remote Access Trojan (RAT)
_Dubbed CodeRAT, the new RAT is used in attacks targeting Farsi-speaking code developers using a Microsoft Dynamic Data Exchange (DDE)_
_exploit._
Author:
Tomer Bar, Director of Security Research, SafeBreach
SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original
research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. As part of this
ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons:
1. It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data
Exchange (DDE) exploit.
2. It leverages a previously undiscovered remote access trojan (RAT)—dubbed CodeRAT by SafeBreach Labs researchers—that supports
~50 commands.
3. We were able to identify the developer of CodeRAT who, after being confronted by us, decided to publish the source code of CodeRAT
in his public GitHub account.
4. CodeRAT is using a unique exfiltration and command and control mechanism. Instead of using a dedicated C2 server, CodeRAT is
using a public anonymous file upload API.
In this research report, we will provide a high-level overview of CodeRAT, including when it first appeared, what it does, the type of
communications it uses, and who might be behind it. We’ll also provide a deep-dive into the technical details behind the RAT, including its
operational modes and available commands. Finally, we’ll provide insight into our conversation with the developer of CodeRAT and details
about how SafeBreach is sharing this information with the security community.
## CodeRAT Overview
[For initial access, the threat actor uses a Microsoft Word document that includes a DDE exploit, a well-known technique used by threat actors](https://www.sentinelone.com/blog/malware-embedded-microsoft-office-documents-dde-exploit-macroless/)
to deliver malicious code within a macro in the document. The document used in this attack contains information regarding hardware design
languages like Verilog and very high-speed integrated circuit hardware description language (VHDL).
-----
_Figure 1: Sample of content in Word document used in attack_
[The file, named 432gsbse5, was first uploaded to the alberfrancis GitHub repository on April 22, 2022—the exploit downloads and executes](https://raw.githubusercontent.com/alberfrancis/camo/main/432gsbse5)
CodeRAT from this repository. The file was updated on July 10, 2022, and subsequently deleted and uploaded again 15 times by the threat
actor.
_Figure 2: The albertfrancis GitHub repository, including two versions of the RAT and two libraries_
This exploits document was first submitted to VirusTotal from Iran on July 5, 2022.
_Figure 3: VirusTotal submission_
Once executed, the main goal of CodeRAT is to monitor the victim’s activity on social networks and on local machines. The monitoring
capabilities include almost 50 commands and allow the attacker to monitor webmail, Microsoft Office documents, databases, social networks,
[games integrated development environments (IDEs) for Windows and Android and pornographic sites Moreover CodeRAT monitors a large](https://www.techtarget.com/searchsoftwarequality/definition/integrated-development-environment#:~:text=An%20IDE%20typically%20contains%20a,is%20executable%20for%20a%20computer.)
-----
u be o b o se do t t es, t o o c a e u que to a a ct s a popu a a a e co e ce s te a d a eb esse ge
Farsi.
This type of monitoring—specifically of pornographic sites, use of anonymous browsing tools, and social network activities—leads us to
believe CodeRAT is an intelligence tool used by a threat actor tied to a government. It is commonly seen in attacks operated by the Islamic
regime of Iran to monitor illegal/immoral activities of their citizens.
The communication methods of CodeRAT are versatile and quite unique. CodeRAT supports communication over Telegram groups using the
bot API or through USB flash drive. It can also act in silent mode, which includes no report back. CodeRAT uses an anonymous, public
uploading site, rather than a dedicated C2 server, and uses anti-detection techniques to limit its usage to 30 days. In addition, it will use the
HTTP Debugger website as a proxy to communicate with its C2 Telegram group.
## CodeRAT Detailed Analysis
**Operation Modes**
CodeRAT has five modes of operation derived from a command line argument:
1. “father” – Get a process ID (PID) from a second command line argument, then kill it and start it with the “continue” command line
argument.
2. “Continue” – Get a PID from a second command line argument, then kill it and delete its .exe, .pdb, and .exe.config files.
3. “Word” – Check if the last modified date of the RAT binary is below 30 days.
_Figure 4: Compile time anti-detection technique_
It will copy itself to %appdata%\desktopmgr.exe. If it fails to copy, it will copy itself to myPictures\deskmgr.exe. If the copy works, it will
execute it with the “Wordbetraied” argument (below) and its own working directory path as a second argument.
1. “Wordbetraied” – Download Aspose.Words.dll from the same GitHub repository and check if a file pass.exe exists in the directory
received in the second command line argument.
1. If the pass.exe file does not exist, it will try to delete files received in second and third arguments.
2. If the pass.exe file exists, it will search all the .docx files in his current directory. For each .docx file, it will rename it to
_[working.docx and will use the LoadOptions class exported by the Aspose.Words.dll to load the document into a Document object](https://reference.aspose.com/words/net/aspose.words/document)_
and set a password from the pass.txt file on the document. Next, it will search the winword process by enumerating all processes
and searching for a process with a Window title that contains the name of the .docx file. It will delete the .docx file and save the
object with the password to a new file. Then it will terminate the winword process and start the new Word with the password file.
2. If none of the four command arguments was used, it will execute a file with the same name but that ends with .exe.bak.
CodeRAT generates a unique ID for each victim with this formula:
_from cpu_id(13) + cpu_id(1,4) + the hard drive volume serial number + cpu_id(4)_
**Commands**
Commands can be received in three methods:
1. Local file – CodeRAT will check if the file command.txt exists under myPictures folder. The content should end with “EOF”.
If it exists, it will read the last command before “EOF”. If it’s equal to “silence”, it won’t report back; if it’s not silent, it will use the
usbFlash to report.
Supported USB commands are: flashextentioncopy, flashcopyfilelist, flashcopyfolderlist (see details in the next section).
2. Manual UI – CodeRAT will get the command from the main UI window (see details in the next section) and use usbFlash to report back
by copying the exfiltrated data to the USB. The USB drive letter will be received from a combobox in the UI. There are two buttons: one
will hide the UI and one doesn’t hide it.
3. Telegram bot API – CodeRAT will use getUpdates Telegram bot API to get messages/commands and for exfiltration. An interesting
feature is that it uses a proxy instead of directly querying the Telegram bot API. The proxy used is: [www.httpdebugger.com](http://www.httpdebugger.com/)
-----
_Figure 5: HTTP Debugger used as a proxy_
CodeRAT parses the HTML response of the HTTP Debugger proxy and extracts the original response of the Telegram bot API:
_
Response Content
{“ok”:true,”result”:[]}
_
Each message will be between brackets and contain at least one “-”, which is the separator between messages.
If the message is the MD5 of * or includes the unique ID of the attackers machine, it will upload files, screen captures, and thumbnail images
[using the public anonymous file upload API: https://api.anonfile.com/upload](https://api.anonfile.com/upload)
_Figure 6: Anonymous file upload example_
_Figure 7: Anonymous file upload example continued_
Then it will send the URL to download the files to the Telegram group using the Telegram bot API.
_Figure 8: Anonymous files upload example_
_Figure 9: URL to download the file_
-----
**Code** **boss** **ode**
CodeRAT will check for “boss” mode every two seconds.
_Figure 10: BossWatch calls CheckBoss function_
If a file boss.txt exists under the myPictures folder and the MD5 of the data in that file is equal to “2A47E576EB06CA284E7B3D92A0412923”,
it will unhide the main window or show the main window and allocate a new main form.
_Figure 11: CheckBoss function unhides the main form window_
This mainForm is the main window that supports manual operation of CodeRAT functionality.
-----
_Figure 12: CodeRAT main form_
CodeRAT includes a second hidden UI form; it will run its logic in a thread if “data” and “zn” directories both exist in the working current
directory.
_Figure 13: CodeRAT ZipExtractor form – only reads files, does not extract them_
The code checks if the location is: “bossmohsen”. Mohsen is a popular Persian name and is probably the private name of one of the attackers
nicknamed the “boss”. CodeRAT’s default folder is under %appdata%\”Desktop Windows Manager”.
CodeRAT includes an unused encryption password: “S14vahsh1@123”
It seems to include the obfuscated name Siavahsh. We found different accounts using this name on Twitter, Facebook, and Instagram, but we
can’t guarantee it belongs to the attackers.
**Attribution**
There were a variety of clues that the threat actor was targeting Iranian victims who are developers, including:
The malicious Word document contains content in the Farsi language.
[The monitoring of the sensitive window named Digikala, which is an Iranian e-commerce company based in Tehran. It has 30 million](https://en.wikipedia.org/wiki/E-commerce)
[visitors per month and is ranked by Alexa as Iran’s third-most visited website.](https://en.wikipedia.org/wiki/Alexa_Internet)
The other sensitive windows being monitored, such as Visual Studio, Python, PhpStorm, and Verilog, also strongly imply the targets are
code developers.
There are indications that the attackers’ names may be Mohsen and Siavahsh, which are common Persian names.
In order to dig deeper we used the bot API getMe and discovered that the bot name was HellChainBot
-----
_Figure 14: getMe bot API result: HellChainBog_
We then used the bot API getChat and discovered that the user name of the attacker’s Telegram group was Mr Moded, with the bio of
“Member of emptiness”.
_Figure 15: Telegram getChat bot API result: Mr Moded_
We were then able to find this GitHub by Mr Moded, which includes a RoboThief Telegram session stealer.
_Figure 16: Mr Moded GitHub repository – RoboThief_
[The Telegram channel https://t.me/MrModedProduct includes the same user name and bio. The image returned by the getChat API query is](https://t.me/MrModedProduct)
also the same image used in the attacker’s Telegram bot.
_Figure 17: Telegram getChat bot API result: Mr Moded_
Below, we’ve included the Mr Moded GitHub repository. At that time of our research, it included only the RoboThief source code.
-----
_Figure 18: Mr Moded GitHub repository with RoboThief source code_
Next, we found a publication from 2020 by a security researcher named Rico Jambor, who analyzed two attacks using RoboThief. Mr Moded,
the developer of RoboThief, contacted Jambor and asked that a clarification be added to the blog that he was not behind the past attack, but
rather just a developer of the code.
_Figure 19: Jambor’s blog post from 2020 regarding RoboThief attacks_
Below are the messages from Mr Moded to Jambor on this topic from 2020:
-----
_Figure 20: Conversation from 2020 between Jambor & Mr Moded_
_Figure 21: Conversation from 2020 between Jambor & Mr Moded Continued_
In August 2022, we contacted Jambor and decided to confront Mr Moded again about the CodeRAT attacks. In the conversation, Mr Moded
didn’t deny the allegation, but instead requested more information about it.
-----
_Figure 22: Conversation from August 2022 between Jambor & Mr Moded_
_Figure 23: Conversation from August 2022 between Jambor & Mr Moded Continued_
After we provided Mr Moded proof that he was behind the development of the code, he published the source code on his GitHub account,
proving we were correct and that he was indeed the developer of CodeRAT.
The code repository is under:
[https://github.com/MrModed/DWM](https://github.com/MrModed/DWM)
-----
e o s t e desc pt o oded p o ded o Code t e de e op e t sou ce code, c deta s o t s d e e t t a e st g
RATs:
⭕ Most powerful TELEGRAM RAT, USB RAT ⭕
What’s the difference with other RATS?
Huge list of commands
In development source
Open source
ANTI FILTER Ability
**The New Published UI**
The UI below is used for generating a command for CodeRAT. This code is not intended to be executed on the victim’s side; it’s a helper tool
for the attacker to generate obfuscated commands. We achieved it by the publication of this code by Mr Moded.
_Figure 24: CodeRAT UI_
**Capabilities**
-----
Code suppo ts app o ate y 50 d e e t co a ds e e a t to es, p ocess act o s, a d stea g capab t es o sc ee captu es,
clipboards, files, and environmental info. It also supports commands for upgrading or installing other malware binaries.
**command** **functionality** **comment**
showdrivers Drive list
screenshot Screen capture [The screen captures are uploaded to https://api.anonfile.com/upload. The](https://api.anonfile.com/upload)
URL to download the file is sent to the Telegram group.
systeminfo System info Username,Machine Name,Id,Architecture,Screen Resolution,Windows
Version,AntiVirus,Cpu id,Cpu Name,Ram,Gpu Name
getclipboard Clipboard theft
processlist Process list
alive System info Same as systeminfo
die Terminate own
process
activewindow Active window
userstate User state Active Window, Important opened window (see appendix A for a list of
supported window titles), Cpu Usage, RAM Usage, GPU Usage, Is any
song playing using com object AudioMeterInformation C02216F6-8C674B5B-9D00-D008E73E0064
getcurrenttasks Get current tasks Id, LoopCount, RawMethodToProcess, Time, BackgroundWorker,
IsRunning, Delay
lockedfiles List of locked files Path list of files generated by the file lock command
installedapps Installed apps Wmi win32_product query
pathes Special folders
locations
applicationData, commonApplicationData, Desktop
peinfo PE info Process ID, name, current dir name and path
usagecheck GPU usage Check if usage is 20% or above
Showfolder Dir list
Crawlfolder Dir list
Crawlextention Dir list filtered by
extension’s list
Dir list only on hardcoded “c:” drive, excluding program files, program files
x86, appdata and commonAppData folders. The extensions should be
separated by comma.
Fileinfo File info Full file name and size in KB, extension, last modified date, isReadOnly
Downloadanonfile Download file
using Anonfile
api.
Downloaddirectfile Same as
Downloadanonfile
Uploadfile Upload file
usingAnonfile api
3 Arguments: ExecuteDownloadFile (True/False), file url, saved directory
path.
Using webClient.DownloadData.
Copy file to appData\Desktop Windows Manager. Using uploadBits
[https://api.anonfile.com/upload](https://api.anonfile.com/upload)
The URL to download the file is sent to the Telegram group.
Upload folder Upload folder Upload file recursively
Deletefile Delete file
Replacefile Replace file Download file from anonymous URL and replace the sourcepath file
Killpid Kill process by
process ID
Update Download and
execute from url
Updatedirect Same as update
Download a file from URL and execute it
-----
**command** **functionality** **comment**
Setbot Set Telegram bot
token
Plantask
Run command in
delay
Arguments: number of commands, command list separated by “-”, each
command encoded in base 64, delay time. The user name and machine
name are sent to the Telegram group channel with the output of the
command.
If the output is less than 1024 using “https://api.telegram.org/bot
5379338428:AAFkD8lIvAK1pvUDQYu-siFHUOxo7JlaziQ;/sendMessage?
chat_id=968019073&text=output”
The developer does not handle the case with 1024-4096 bytes
Remove by task ID
Unplantask Remove
command to run
Processsuspantion Suspend process By using suspendThread win API
processresume Resume process By using resumeThread win API on each thread
Processsuspantionextra
Processresumeextra
Suspend
processes by
name or by
windows title
Resume
processes by
name or by
windows title
Suspend process by name or, if its null, suspend all processes that
contain the windows title or if process name
Resume processes by name or by windows title.
Filelock File lock Open handle to the file and leave it open
fileunlock| Unlock File
Httpgetrequest HTTP GET HTTP GET request to a URL
Flashcopyfilelist Copy files to USB Get a path to a file that contains a list of paths to be copied to a USB
removable drive
flashcopyfolderlist| Copy entire
folders to USB
Get a path to a file that contains a list of folders to be copied to a USB
removable drive
Flashextentioncopy Copy files by extension to USB only from hardcoded “c:” drive excluding
program files, program files x86, appdata and commonAppData folders.
The extensions should be separated by a comma.
Thumbimg Thumb image [The images are uploaded to https://api.anonfile.com/upload](https://api.anonfile.com/upload)
The URL to download the file is sent to the Telegram group.
Folderthumb Recursively thumb images collections.
Only jpeg and jpg file extension are collected
Windowsunprotect Decrypt using
Windows API
Decrypt using CryptUnprotectData
Tag Tag Add Tag name to Tag file
Processstart Process
## Conclusion
SafeBreach is passionate about improving security on a global level and, as an organization, we are committed to openly sharing our
research with the broader security community. By sharing information specifically about our discovery of CodeRAT, our goal is to raise
awareness about this new, unrecognized type of malware that leverages a relatively new technique of using an anonymous uploads site as a
C2 server. We also hope to warn the developer community about the fact that they are particularly vulnerable to being targeted by this attack.
Finally, we hope organizations and individuals can use the indicators of compromise (IOCs) and YARA rules provided in Appendix A to better
detect and protect themselves against this threat.
As with any newly identified threat, SafeBreach has added coverage for CodeRAT to the [SafeBreach platform, so customers can immediately](https://www.safebreach.com/our-platform/)
simulate this attack, verify whether they are adequately protected, and take any necessary remedial action.
## Appendix A: IOCs list
**Docx**
-----
5d6 ccc8 ec3c3c6 86dcaa5d9 69 0b 69 5 50 ee 0 59b 35cd c55 b
Parsian – about hardware design languages like Verilog and VHDL.
**Contains XML file with DDE exploit 2a4e5e6f403ce913cb073d5c5d1fd999d8ae79deb04915b9777525e05e21a2b2**
https://raw.githubusercontent.com/alberfrancis/camo/main/432gsbse5
**432gsbse5 – current version of CodeRAT**
CD53FBA6DDD4AE4EF7A5747C6003236C85791477854CC1B7CE00E0F8EE7677D9
**2.exe – another version of CodeRAT from April 2022**
F22041B2EA1FD6D8E7F6F1DB7469DEC61B000D067AB4BE2C5B0654EDFECBDDB6
https://api.telegram.org/bot5379338428:AAFkD8lIvAK1pvUDQYu-siFHUOxo7JlaziQ/getchat?chat_id=968019073
https://api.telegram.org/bot1335021029:AAHbdgFSOPJ5KtcF1YMdtsN2jc7Yqu6Tou8/getchat?chat_id=968019073
**YARA**
rule CodeRAT
{
meta:
source = “SafeBreach.com”
date = “2022-08-23”
description = “Detects CodeRAT binary”
strings:
$interesting_string0 = “2A47E576EB06CA284E7B3D92A0412923”
$interesting_string1 = “httpdebugger.com”
$interesting_string2 = “wordbetraied”
$interesting_string3 = “Newtonsoft.Json.dll”
$interesting_string4 = “working.docx”
$interesting_string5 = “wifipasswords”
$interesting_string6 = “pass.txt”
$interesting_string7 = “boss.txt”
$interesting_string8 = “command.txt”
condition:
all of ($interesting_*)
}
## Appendix B: Sensitive Windows Title List to Monitor
CodeRAT’s main goal is to monitor the victim’s activity on social networks and on their machine. CodeRAT monitors a large number of
window titles, two of which are unique to Iranian victims: a popular Iranian e-commerce site and a web messenger in Farsi.
[CodeRAT monitors webmail, documents editors, databases, social networks, games, IDEs for Windows and Android, and pornographic](https://www.techtarget.com/searchsoftwarequality/definition/integrated-development-environment#:~:text=An%20IDE%20typically%20contains%20a,is%20executable%20for%20a%20computer.)
sites.The monitoring of pornographic sites and use of anonymous browsing tools and social network activities is very common to attacks
operated by the Islamic regime of Iran to monitor illegal\immoral activities of their citizens.
It is also very interesting that there is a focus on developers’ victims, and the infection exploit document used to install CodeRAT is also
related to hardware developers. These targets are more unique to Iranian-related attacks.
-----
## Iranian Sites
[Digikala – An Iranian e-commerce company based in Tehran. It has 30 million visitors per month and is also ranked by Alexa as Iran’s](https://en.wikipedia.org/wiki/E-commerce)
third-most visited website.
Eitaa – A web messenger in the Farsi language.
## Webmails
Gmail
Yahoo
account.live
Outlook
Protonmail
## IDEs
Visual Studio
PhpStorm
Pycharm
WebStorm
NetBeans
Eclipse
Android Studio
RubyMine
Python
## Financial- and Crypto-Related Accounts
Nicehash – cryptocurrency platform for mining
Paypal
## Social Networks
Telegram
WhatsApp
Facebook
Instagram
Clubhouse
## Pornographic Sites
pornhub
xnxx
xvideos
Xhamster
## Documents, Images & Movies
Nvidia
Vlc
Photoshop
Photos
Microsoft Word
Microsoft Powerpoint
Windows Media Player
Movies & TV
Winrar
## Databases
SQL server
Sqlite
## Anonymous Browsing & Virtual Machines
-----
to b o se
task manager
Vmware
## Games
Epic Games
Blizzard
## Appendix C: Source Code Default File Extensions List
CodeRAT will try to exfiltrate extensions of source code files and databases. The default extensions are:
.sln,.addin,.appx,.appxmanifest,.appxsym,.appxupload,.asax,.ascx,.ashx,.asm,.asmx,.asp,.aspx,.axd,.bsc,.c,.cc,.cd,.clw,.cod,.config,.cpp,.cs,.csht
ms,.msha,.mshi,.msixbundle,.msixupload,.myapp,.natvis,.ncb,.odl,.orderedtest,.props,.psess,.rc,.rc2,.rct,.rdlc,.refresh,.res,.resjson,.resources,.res
ms,.au,.cls,.coverage,.dlx,.dsp,.dsw,.eps,.generictest,.hdmp,.ilk,.ipp,.mdb,.mdp,.mpe,.mpeg,.mpg,.msm,.ocx,.olb,.pcx,.pri,.qt,.ra,.ram,.rll,.rpt,.src,.s
base,.tga,.tlb
## Credits & References
I would like to credit Rico Jambor for the first discovery of RoboThief and for helping us contact Mr Moded (the CodeRAT developer).
[https://blog.rico-j.de/telegram-session-stealer](https://blog.rico-j.de/telegram-session-stealer)
## Get the latest
research and news
-----