10/29/2022 0 Comments Http rat download![]() ![]() ![]() It will copy itself to %appdata%\desktopmgr.exe. “Word” – Check if the last modified date of the RAT binary is below 30 days.įigure 4: Compile time anti-detection technique.“Continue” – Get a PID from a second command line argument, then kill it and delete its.“father” – Get a process ID (PID) from a second command line argument, then kill it and start it with the “continue” command line argument.CodeRAT Detailed AnalysisĬodeRAT has five modes of operation derived from a command line argument: In addition, it will use the HTTP Debugger website as a proxy to communicate with its C2 Telegram group. CodeRAT uses an anonymous, public uploading site, rather than a dedicated C2 server, and uses anti-detection techniques to limit its usage to 30 days. It can also act in silent mode, which includes no report back. CodeRAT supports communication over Telegram groups using the bot API or through USB flash drive. The communication methods of CodeRAT are versatile and quite unique. It is commonly seen in attacks operated by the Islamic regime of Iran to monitor illegal/immoral activities of their citizens. This type of monitoring-specifically of pornographic sites, use of anonymous browsing tools, and social network activities-leads us to believe CodeRAT is an intelligence tool used by a threat actor tied to a government. Moreover, CodeRAT monitors a large number of browser window titles, two of which are unique to Iranian victims: a popular Iranian e-commerce site and a web messenger in Farsi. HTTP RAT DOWNLOAD WINDOWSThe monitoring capabilities include almost 50 commands and allow the attacker to monitor webmail, Microsoft Office documents, databases, social networks, games, integrated development environments (IDEs) for Windows and Android, and pornographic sites. Once executed, the main goal of CodeRAT is to monitor the victim’s activity on social networks and on local machines. The document used in this attack contains information regarding hardware design languages like Verilog and very high-speed integrated circuit hardware description language (VHDL). HTTP RAT DOWNLOAD CODECodeRAT Overviewįor initial access, the threat actor uses a Microsoft Word document that includes a DDE exploit, a well-known technique used by threat actors to deliver malicious code within a macro in the document. Finally, we’ll provide insight into our conversation with the developer of CodeRAT and details about how SafeBreach is sharing this information with the security community. We’ll also provide a deep-dive into the technical details behind the RAT, including its operational modes and available commands. In this research report, we will provide a high-level overview of CodeRAT, including when it first appeared, what it does, the type of communications it uses, and who might be behind it. Instead of using a dedicated C2 server, CodeRAT is using a public anonymous file upload API. CodeRAT is using a unique exfiltration and command and control mechanism.We were able to identify the developer of CodeRAT who, after being confronted by us, decided to publish the source code of CodeRAT in his public GitHub account. ![]() It leverages a previously undiscovered remote access trojan (RAT)-dubbed CodeRAT by SafeBreach Labs researchers-that supports ~50 commands.It appears to target Farsi-speaking code developers by using a Microsoft Word document that includes a Microsoft Dynamic Data Exchange (DDE) exploit.As part of this ongoing effort, we recently discovered a new targeted attack we believe is compelling for four main reasons: SafeBreach Labs researchers are constantly monitoring the hacker underground, sourcing intelligence feeds, and conducting original research to uncover new threats and ensure our Hacker’s Playbook provides the most comprehensive collection of attacks. Author: Tomer Bar, Director of Security Research, SafeBreach ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |