SecurityWeek reports that the new CodeRAT backdoor had its source code released online by its developer after being confronted by SafeBreach security researchers.
Malicious Word documents carrying a Dynamic Data Exchange exploit have been used to deploy CodeRAT, which supports nearly 50 commands that can be leveraged for activity monitoring, data theft, and malware deployment, according to a SafeBreach report. CodeRAT also has five operational modes and supports unique ID generation and command receipt via local files, the Telegram bot API, or its main user interface.
"This type of monitoring specifically of pornographic sites, use of anonymous browsing tools, and social network activities leads us to believe CodeRAT is an intelligence tool used by a threat actor tied to a government," said SafeBreach.
Iranian developers have been identified as the key target of CodeRAT, which researchers found was developed by Mr. Moded who was also behind the RoboThief Telegram session stealer.
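SafeBreach ties CodeRAT delivery to Word documents carrying a Dynamic Data Exchange (DDE) field. As an added example that is not from the article or from SafeBreach, the following Python script shows the check a mail gateway or triage job can run on an incoming .docx: it unpacks the archive, walks every `word/*.xml` part (body, headers, footers, footnotes), reassembles each field code, including codes split across runs or wrapped in quotes, and reports any DDE or DDEAUTO field. The sample documents are constructed inline as test input; their field codes point at an ordinary spreadsheet link, not at anything the article describes.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by the word/*.xml parts inside a .docx archive.
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{" + W_NS + "}"

# Matches the DDE / DDEAUTO field type once the code has been normalised.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def _field_codes(xml_bytes):
    """Yield every field code in one part, in document order.

    Word stores fields two ways: <w:fldSimple w:instr="..."/> and complex fields
    bracketed by <w:fldChar w:fldCharType="begin"/> ... "end", whose code lives in
    one or more <w:instrText> runs. The runs are concatenated before matching,
    because a code split across runs is still executed by Word as one field.
    """
    root = ET.fromstring(xml_bytes)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    depth, parts = 0, []
    for el in root.iter():
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                if depth == 0:
                    parts = []
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:
                    yield "".join(parts)
        elif el.tag == W + "instrText" and depth > 0:
            parts.append(el.text or "")


def _normalise(code):
    """Drop quote characters and collapse whitespace so quoting or spacing
    around the field type does not defeat the match."""
    return " ".join(code.replace('"', " ").split())


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_field_code), ...] for every DDE field
    found in any word/*.xml part of the archive."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                codes = list(_field_codes(zf.read(name)))
            except ET.ParseError:
                continue  # malformed part: cannot be scanned as XML, skip it
            for code in codes:
                norm = _normalise(code)
                if DDE_RE.search(norm):
                    hits.append((name, norm))
    return hits


def build_sample_docx(parts):
    """Constructed test input: a minimal zip whose {part_name: inner_xml} entries
    are wrapped in a <w:document> root. Enough for the scanner, though not a
    complete .docx that Word would open."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, inner in parts.items():
            zf.writestr(
                name,
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                f'<w:document xmlns:w="{W_NS}"><w:body>{inner}</w:body></w:document>',
            )
    return buf.getvalue()


# Constructed samples. The DDE codes below reference a spreadsheet link, the
# classic legitimate use of the field type; the scanner flags the type, not the target.
CLEAN_DOC = build_sample_docx({
    "word/document.xml":
        '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple></w:p>',
})

# Complex field whose code is split across two runs ("DD" + "EAUTO ...").
SPLIT_DDE_DOC = build_sample_docx({
    "word/document.xml":
        '<w:p>'
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
        '<w:r><w:instrText xml:space="preserve">EAUTO excel "book.xlsx" "Sheet1!R1C1"</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        '<w:r><w:t>placeholder</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        '</w:p>',
})

# Quoted field type placed in a header part, which a body-only scan would miss.
HEADER_DDE_DOC = build_sample_docx({
    "word/document.xml": '<w:p><w:r><w:t>Body text</w:t></w:r></w:p>',
    "word/header1.xml":
        '<w:p><w:fldSimple w:instr="&quot;DDE&quot; excel book.xlsx Sheet1!R1C1"/></w:p>',
})

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_DOC), ("split", SPLIT_DDE_DOC),
                       ("header", HEADER_DDE_DOC)]:
        print(label, find_dde_fields(doc))
```

The scanner covers OOXML (.docx/.dotx) only; legacy .doc and RTF files encode fields differently and need their own parser. A hit is a triage signal rather than a verdict, since DDE links to spreadsheets do occur in legitimate business documents, so the result belongs in a quarantine-and-review queue. The complementary mitigation is disabling automatic DDE updates in Office on endpoints, which Microsoft documents in advisory ADV170021.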
The Chinese advanced persistent threat group Budworm, also known as APT27, Emissary Panda, Bronze Union, Lucky Mouse, Iron Tiger, and Red Phoenix, has deployed an updated version of its SysUpdate toolkit in new attacks against an Asian government and a Middle East-based telecommunications provider, reports The Hacker News.
Forty-five malicious NPM and PyPI packages have been deployed by threat actors to facilitate extensive data theft operations as part of a campaign that commenced on Sept. 12, according to BleepingComputer.
A staffer working for Sen. Eric Schmitt, R-Mo., said that 60,000 emails from U.S. State Department accounts were exfiltrated by Chinese threat actors during the widespread compromise of Microsoft email accounts that commenced in May, according to Reuters.