RAT

BookCodes RAT

aka BookCodesTea

BookCodesRAT is a remote access trojan that uses HTTP(S) for communication.

BookCodes RAT, also known as BookCodesTea, is a Windows RAT operated by Lazarus Group.

Background

BookCodesRAT is a remote access trojan that communicates over HTTP(S). It implements roughly 25 commands covering filesystem operations on the victim, basic process management, and the download and execution of further tools from the attacker's arsenal. The commands are referenced by 32-bit integers beginning at the value 0x97853646.

For its C&C traffic, BookCodesRAT relies primarily on compromised South Korean web servers and is typically aimed at South Korean targets.


Source: Malpedia (Fraunhofer FKIE).