A previously unseen remote-access trojan (RAT), delivered through a Microsoft Word document, is being used to target Farsi-speaking software developers in Iran, researchers at SafeBreach Labs have found.
The previously undocumented CodeRAT supports around 50 remote commands “relevant to files, process actions, and stealing capabilities of screen captures, clipboards, files, and environmental info.” Its delivery document abuses Microsoft’s Dynamic Data Exchange (DDE) protocol, a legacy inter-process data-sharing feature rather than a memory-corruption bug, and the malware is being used to monitor Farsi-speaking coders, the researchers said.
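A defender-side check for the delivery vector described above, added here as an illustration and not taken from SafeBreach’s report or from CodeRAT’s own code: it unpacks a .docx, pulls out every Word field code (both the simple `w:fldSimple` form and the multi-run `w:instrText` form, which attackers split up to dodge naive string matching) and flags any DDE or DDEAUTO field. The two documents it scans are constructed inline; the suspicious one launches the calculator, a benign stand-in for the command lines such a field would carry. The helper names are this example’s own.

```python
import html
import io
import re
import zipfile

# Word keeps a field either as a self-contained <w:fldSimple w:instr="..."/>
# element or as a "complex" field whose instruction is spread over one or more
# <w:instrText> runs between fldChar begin/end markers.
FIELD_SIMPLE = re.compile(r'<w:fldSimple[^>]*\bw:instr="([^"]*)"', re.I)
INSTR_TEXT = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>', re.I | re.S)
# The DDE and DDEAUTO field codes are what an Office DDE attack relies on.
DDE_CODE = re.compile(r'\bDDE(AUTO)?\b', re.I)


def extract_field_codes(docx_bytes):
    """Return every field-code string found in the document's XML parts."""
    codes = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("word/") or not name.endswith(".xml"):
                continue
            xml = z.read(name).decode("utf-8", "replace")
            codes += [html.unescape(c) for c in FIELD_SIMPLE.findall(xml)]
            # Join the instrText runs of a part so that an instruction split
            # into "DDE" + "AUTO ..." across runs is still seen whole.
            if "<w:instrText" in xml:
                codes.append(html.unescape("".join(INSTR_TEXT.findall(xml))))
    return [c for c in codes if c.strip()]


def find_dde_fields(docx_bytes):
    """Return the field codes that invoke DDE/DDEAUTO; empty means clean."""
    return [c for c in extract_field_codes(docx_bytes) if DDE_CODE.search(c)]


def build_docx(document_xml):
    """Build a minimal in-memory .docx (constructed sample, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample 1: an ordinary page-number field.
BENIGN_DOCX = build_docx(
    '<w:document><w:body><w:p>'
    '<w:fldSimple w:instr=" PAGE "/>'
    '</w:p></w:body></w:document>'
)

# Constructed sample 2: a complex field whose DDEAUTO instruction is split
# across two runs and launches cmd.exe (here only to start calc.exe).
SUSPICIOUS_DOCX = build_docx(
    '<w:document><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">AUTO c:\\windows\\system32\\cmd.exe '
    '&quot;/k calc.exe&quot; </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)


def scan_file(path):
    """Scan a .docx on disk; returns the list of DDE field codes found."""
    with open(path, "rb") as f:
        return find_dde_fields(f.read())


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_DOCX), ("suspicious", SUSPICIOUS_DOCX)):
        hits = find_dde_fields(doc)
        print(f"{label}: {'DDE field found: ' + repr(hits) if hits else 'clean'}")
```

Run `scan_file("invoice.docx")` over a mail-gateway quarantine to triage attachments; a hit is worth a closer look even when the command line looks harmless, because a DDE field has no legitimate reason to start cmd.exe, powershell.exe or mshta.exe.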
Farsi (Persian) is Iran’s official language and the native tongue of roughly half the population of the hardline Islamic state.
CodeRAT’s monitoring covers webmail including Gmail, Outlook, Yahoo and ProtonMail, Microsoft Office documents, social media and messaging services including Telegram, WhatsApp, Facebook and Instagram, games, and adult sites including Pornhub and XVideos.
SafeBreach believes the latter suggests that CodeRAT is being used by authorities in the Islamist regime to police citizens suspected of engaging in “immoral and illegal activities.”
“Once executed, the main goal of CodeRAT is to monitor the victim’s activity on social networks and local machines,” said SafeBreach, adding that it also found the spyware keeping tabs on two browser windows that “are unique to Iranian victims” – e-commerce site Digikala, and Farsi-language web messenger program Eitaa.
Digikala, based in the capital Tehran, has some 30 million monthly users, but SafeBreach believes Iranian software developers, rather than shoppers in general, are CodeRAT’s prime targets.
“The other sensitive windows being monitored, such as Visual Studio, Python, PhpStorm, and Verilog, also strongly imply the targets are code developers,” it added. “There are indications that the attackers’ names may be Mohsen and Siavash, which are common Persian names.”
SafeBreach’s investigation subsequently traced CodeRAT back to a developer calling himself Mr Moded, whom it confronted with evidence that he had written the program.
“After we provided Mr Moded proof that he was behind the development of the code, he published the source code on his GitHub account, proving we were correct and that he was indeed the developer of CodeRAT,” said SafeBreach.
Not one to shy away from publicity, Mr Moded went on to boast of his creation’s capabilities, listing its superior features to other RATs including its “huge list of commands” and “anti-filter ability.”
An authoritarian regime run according to strict religious principles, Iran has drawn criticism from international observers for a proposed new law that would crack down on its citizens’ internet freedom.