SafeBreach Labs uncovered a new targeted remote access Trojan named CodeRAT that targets Farsi-speaking developers, delivered through a Word document that abuses Dynamic Data Exchange (DDE). It features a versatile command set, uses the Telegram bot API for C2 and a public file-upload service for exfiltration, and SafeBreach linked its developer to public GitHub repositories. Hashtags: #CodeRAT #HellChainBot #MrModed #RoboThief #Digikala
Keypoints
- CodeRAT is a new targeted RAT aimed at Farsi-speaking code developers, delivered via a Word document with a DDE exploit.
- The malware supports ~50 commands and five operational modes, including stealth and self-modification behaviors.
- CodeRAT communicates with its operator through the Telegram bot API (relayed via a public web proxy) and exfiltrates captured data to an anonymous file-upload service, so it needs no attacker-hosted C2 server.
- The threat actor behind CodeRAT has been linked to the developer alias “Mr Moded” and a Telegram group; SafeBreach traced connections to RoboThief and GitHub repositories.
- Initial access, execution, and exfiltration leverage a DDE field in the Word lure (not a VBA macro), public web services as proxies, and an alternative USB flash-drive reporting channel, with anti-detection techniques observed.
- IOCs and YARA rules are provided to help defenders detect and simulate CodeRAT in security platforms.
- SafeBreach publicly shares the research to raise awareness about this unique C2 usage pattern and its targets, particularly Iranian developers.
MITRE Techniques
- [T1204.002] User Execution: Malicious File – CodeRAT is delivered via a Microsoft Word document that carries a DDE field; the victim must open the document and accept Word's update-links prompts before the field launches anything, which is what makes this User Execution. Quote: ‘For initial access, the threat actor uses a Microsoft Word document that includes a DDE exploit, a well-known technique used by threat actors to deliver malicious code within a macro in the document.’ Note that DDE is a field-code mechanism rather than a VBA macro; MITRE tracks the DDE abuse itself as T1559.002 (Inter-Process Communication: Dynamic Data Exchange).
- [T1059.005] Visual Basic – weak mapping: the source describes a DDE field, not a VBA macro, and reports no Visual Basic execution. The quoted sentence only describes the lure's subject matter, which is what makes it credible to its hardware-design audience. Quote: ‘the document used in this attack contains information regarding hardware design languages like Verilog and very high-speed integrated circuit hardware description language (VHDL).’
- [T1090] Proxy – CodeRAT relays its Telegram traffic through a public web proxy instead of contacting the bot API directly. Quote: ‘It will use the HTTP Debugger website as a proxy to communicate with its C2 Telegram group.’
- [T1071.001] Web Protocols – the Telegram bot API is HTTPS, so the C2 channel is a web protocol to a legitimate service. The USB flash-drive path in the same quote is a separate channel (MITRE T1092, Communication Through Removable Media), not a web protocol. Quote: ‘CodeRAT communicates over Telegram groups using the bot API or through USB flash drive.’
- [T1027] Obfuscated/Compressed Files and Information – weak mapping: the quoted evidence is a hard-coded password that is never used and a developer name that may be lightly disguised; neither is obfuscation of files or payloads, so this is an attribution clue rather than a T1027 finding. Quote: ‘CodeRAT includes an unused encryption password: “S14vahsh1@123” … obfuscated name Siavahsh.’
- [T1113] Screen Capture – Command ‘screenshot’ enables screen captures uploaded to anonfile. Quote: ‘screenshot – Screen capture The screen captures are uploaded to https://api.anonfile.com/upload.’
- [T1082] System Information Discovery – Command ‘systeminfo’ gathers system details. Quote: ‘systeminfo – System info Username,Machine Name,Id,Architecture,Screen Resolution,Windows Version,AntiVirus,…’
- [T1115] Clipboard Data – Command ‘getclipboard’ steals clipboard data. Quote: ‘getclipboard – Clipboard theft’
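Because the lure relies on a DDE field rather than a VBA macro, macro-centric scanners miss it. The following is an added example (not code from SafeBreach or from the report) of how to detect DDE/DDEAUTO fields in a .docx: it unzips the package, walks every WordprocessingML part, joins the `instrText` runs that make up each complex field (lures routinely split the word DDEAUTO across runs) and also checks simple fields. The two sample documents are constructed in-memory; the "malicious" one carries the textbook harmless DDEAUTO test payload, not the real CodeRAT lure, and `build_docx` produces only as much of the package as the scanner needs, not a file Word would open.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# DDE field codes: DDEAUTO fires when the document opens, DDE on field update.
DDE_RE = re.compile(r"\b(DDEAUTO|DDE)\b", re.IGNORECASE)


def field_instructions(part_xml: bytes):
    """Yield each field instruction string found in one WordprocessingML part.

    Word stores a field either as <w:fldSimple w:instr="..."/> or as a
    'complex' field: a fldChar begin marker, one or more <w:instrText> runs,
    an optional separate marker and a fldChar end marker. The runs of one
    field are joined before matching; nested fields fold into the outer one.
    """
    root = ET.fromstring(part_xml)
    for fld in root.iter(W + "fldSimple"):
        instr = fld.get(W + "instr")
        if instr:
            yield instr
    depth, buf = 0, []
    for elem in root.iter():  # document order
        if elem.tag == W + "fldChar":
            kind = elem.get(W + "fldCharType")
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(buf)
                    buf = []
        elif elem.tag == W + "instrText" and depth > 0:
            buf.append(elem.text or "")


def scan_docx(data: bytes):
    """Return (part name, normalised instruction) for every DDE field in a .docx blob."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Fields can sit in the body, headers, footers or footnotes: scan every word/*.xml part.
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            for instr in field_instructions(zf.read(name)):
                norm = " ".join(instr.split())  # collapse whitespace padding
                if DDE_RE.search(norm):
                    hits.append((name, norm))
    return hits


def build_docx(body_xml: str) -> bytes:
    """Wrap body XML in a minimal package (constructed test input; enough for the scanner, not for Word)."""
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        f"<w:body>{body_xml}</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


# Constructed samples, not the real lure. The benign body has text plus an ordinary PAGE field;
# the DDE body uses the well-known harmless DDEAUTO test payload split across two instrText runs.
BENIGN_BODY = (
    "<w:p><w:r><w:t>Verilog and VHDL notes</w:t></w:r></w:p>"
    '<w:p><w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>'
)
DDE_BODY = (
    "<w:p>"
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAU</w:instrText></w:r>'
    r'<w:r><w:instrText xml:space="preserve">TO c:\\windows\\system32\\cmd.exe "/k calc.exe" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>Error! No topic specified.</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    "</w:p>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("dde", DDE_BODY)):
        print(label, scan_docx(build_docx(body)))
```

The scanner matches the plain and run-split forms of the field code; lures that assemble the word from QUOTE fields with character codes need the field evaluated first and are out of scope here. Running it over a mail-gateway quarantine or a user's Downloads folder is a cheap control for exactly the initial-access path this report describes.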
Indicators of Compromise
- [Domain] Sites CodeRAT monitors on the victim – digikala.com, eitaa.com, and other Iranian domains. These are legitimate sites; traffic to them is not an indicator on its own and they must not be blocklisted.
- [Domain] Telegram endpoints used for C2 – t.me, api.telegram.org. Legitimate shared infrastructure; hunt on which process talks to the bot API rather than blocking the domain.
- [URL] GitHub hosting – https://raw.githubusercontent.com/alberfrancis/camo/main/432gsbse5, https://github.com/MrModed/DWM
- [URL] Anonymous file upload endpoints – https://api.anonfile.com/upload, https://anonfile.com
- [Hash] CD53FBA6DDD4AE4EF7A5747C6003236C85791477854CC1B7CE00E0F8EE7677D9 – CodeRAT current version
- [Hash] F22041B2EA1FD6D8E7F6F1DB7469DEC61B000D067AB4BE2C5B0654EDFECBDDB6 – 2.exe, April 2022 version
- [Filename] 432gsbse5 – file name of the staged payload in the alberfrancis/camo GitHub repository
- [Filename] 2.exe – another CodeRAT variant
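The indicator list mixes high-confidence artefacts (the staging URL, the anonfile upload endpoint, the sample hashes) with shared services and victim-side sites that cannot be blocked. The following is an added example (not from SafeBreach's report) of a triage routine that applies that distinction to proxy or EDR network records: it returns a severity per record, escalates Telegram bot API calls only when they come from a process that has no business making them, and marks the monitored sites as informational. The log layout, the process names `hdl_helper.exe` and `powershell.exe` in the sample, the placeholder bot token and the `EXPECTED_CLIENTS` allowlist are all assumptions; the sample records are constructed, not real telemetry.

```python
import hashlib
import re
from collections import namedtuple
from urllib.parse import urlsplit

# SHA-256 indicators from the report, lower-cased for lookup.
CODERAT_SHA256 = {
    "cd53fba6ddd4ae4ef7a5747c6003236c85791477854cc1b7ce00e0f8ee7677d9": "CodeRAT current version",
    "f22041b2ea1fd6d8e7f6f1db7469dec61b000d067ab4be2c5b0654edfecbddb6": "2.exe, April 2022 version",
}
# High-confidence URLs: the GitHub staging path and the anonfile upload endpoint.
HIGH_CONFIDENCE_URLS = (
    "raw.githubusercontent.com/alberfrancis/camo/main/432gsbse5",
    "api.anonfile.com/upload",
)
# Legitimate shared services the RAT rides on; the signal is which process uses them.
CONTEXT_HOSTS = {"api.telegram.org", "t.me", "anonfile.com"}
# Sites CodeRAT monitors on the victim. Visiting them is not an indicator.
MONITORED_SITES = ("digikala.com", "eitaa.com")
# Assumption: processes for which Telegram traffic is unremarkable. Tune per estate;
# a Verilog/VHDL toolchain binary or an unsigned helper does not belong here.
EXPECTED_CLIENTS = {"chrome.exe", "firefox.exe", "msedge.exe", "telegram.exe"}

Finding = namedtuple("Finding", "severity process url reason")

# Assumed record layout: "<timestamp> <host> <process> <url>", one record per line.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<url>https?://\S+)")


def triage_proxy_line(line: str):
    """Classify one network record; returns a Finding or None for unremarkable traffic."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url, proc = m.group("url"), m.group("proc").lower()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    bare = url.split("://", 1)[1]
    if any(bare.startswith(u) for u in HIGH_CONFIDENCE_URLS):
        return Finding("high", proc, url, "known CodeRAT staging or exfiltration URL")
    # Telegram bot API calls have the shape https://api.telegram.org/bot<token>/<method>
    if host == "api.telegram.org" and parts.path.startswith("/bot"):
        sev = "low" if proc in EXPECTED_CLIENTS else "medium"
        return Finding(sev, proc, url, "Telegram bot API call")
    if host in CONTEXT_HOSTS and proc not in EXPECTED_CLIENTS:
        return Finding("low", proc, url, "Telegram/anonfile traffic from unexpected process")
    if any(host == s or host.endswith("." + s) for s in MONITORED_SITES):
        return Finding("info", proc, url, "site CodeRAT monitors; legitimate, not an IOC")
    return None


def triage_proxy_log(text: str):
    """Run triage over a whole log; findings come back in log order."""
    return [f for f in map(triage_proxy_line, text.splitlines()) if f]


def match_hash(data: bytes):
    """Return the IOC label if the bytes hash to a known CodeRAT sample, else None."""
    return CODERAT_SHA256.get(hashlib.sha256(data).hexdigest())


# Constructed sample records (not real telemetry); the bot token is a placeholder.
SAMPLE_PROXY_LOG = """\
2022-09-01T08:12:03Z ws-dev-07 powershell.exe https://raw.githubusercontent.com/alberfrancis/camo/main/432gsbse5
2022-09-01T08:12:41Z ws-dev-07 hdl_helper.exe https://api.telegram.org/bot000000:PLACEHOLDER/getUpdates?offset=0
2022-09-01T08:13:02Z ws-dev-07 hdl_helper.exe https://api.anonfile.com/upload
2022-09-01T08:15:10Z ws-dev-07 chrome.exe https://api.telegram.org/bot000000:PLACEHOLDER/getMe
2022-09-01T08:16:00Z ws-dev-07 chrome.exe https://www.digikala.com/
2022-09-01T08:16:05Z ws-dev-07 chrome.exe https://example.org/
"""

if __name__ == "__main__":
    for finding in triage_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{finding.severity:6} {finding.process:16} {finding.reason}: {finding.url}")
```

The hashes only identify the two analysed builds, so `match_hash` is a confirmation step for a suspect binary rather than a hunting query; the process-plus-destination logic is what generalises to the next version.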
Read more: https://www.safebreach.com/resources/blog/remote-access-trojan-coderat/