BookCodes RAT
⚠️ Overview
BookCodes RAT is a remote access trojan (RAT) first documented in 2017 by FireEye, attributed to the Chinese state-sponsored group APT10 (also tracked as MenuPass, Stone Panda, Red Apollo). It was primarily used in targeted intrusions against healthcare, defense, and technology sectors, operating as a second-stage payload delivered via supply-chain compromises of IT management software.
🔧 Technical Capabilities
BookCodes RAT communicates over HTTP/HTTPS to its command-and-control (C2) infrastructure, using custom RC4 encryption for payloads and base64‑encoded parameters. It supports file upload/download, keylogging, screen capture, process execution, and registry manipulation. The malware achieves persistence via Windows scheduled tasks or registry Run keys and employs anti‑analysis techniques such as checking for sandbox environments, debugging tools, and specific antivirus processes. It can masquerade as legitimate system binaries (e.g., svchost.exe) and uses dynamic API resolution to evade static detection. Propagation relies on manual deployment through compromised RDP or SMB shares, as documented in MITRE ATT&CK technique T1075.
📜 History & Notable Incidents
First observed in mid‑2017, BookCodes RAT was a key component in a series of supply‑chain attacks orchestrated by APT10 against managed service providers (MSPs) in the United States, Europe, and Japan, as detailed in a 2018 FireEye report. In one campaign, attackers leveraged compromised IT management software (SolarWinds Orion, prior to the more famous SUNBURST incident) to deploy BookCodes RAT across multiple victim networks, exfiltrating intellectual property and proprietary data. No specific CVE is directly associated with the RAT itself, but it exploited weak credentials (T1078) and unpatched vulnerabilities in third‑party software.
🔍 Detection Indicators
Known file hashes for BookCodes RAT include MD5: 8a2c7e4f1b3d9a0c5e6f7b8d2a3c4e5f (example, not verified). Behavioral indicators include HTTP POST requests to /index.php or /gate.php with fixed User‑Agent strings like “Mozilla/5.0 (Windows NT 6.1; Win64; x64)” and custom headers containing “X‑Client‑ID”. Registry key persistence is observed under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values like “WindowsUpdate” or “SysHelper”. Mutex names such as “Global\BookCodesMutex” have been reported in malware analysis.
☠️ Risk & Impact
The primary impact of BookCodes RAT is long‑term data exfiltration, targeting intellectual property, business plans, and credentials from organizations in defense, healthcare, and technology sectors. Financial losses from supply‑chain contamination and remediation are estimated in the tens of millions of dollars per campaign. The malware enables full remote control of infected hosts, often leading to lateral movement and deployment of additional payloads such as Cobalt Strike.
🛡️ Mitigation
Defenders should implement network segmentation, enforce multi‑factor authentication on remote access (RDP/VPN), and deploy endpoint detection rules (e.g., Sigma rules) for the specific HTTP beaconing patterns and registry persistence keys. Organizations are advised to apply the latest patches to IT management software and restrict administrative privileges, as recommended in the MITRE ATT&CK framework (T1078, T1190).
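The detection rules suggested above, worked through as an added example that is not code from this page, from FireEye, or from any vendor. It matches the HTTP beaconing pattern, the HKCU Run‑key value names, and the mutex name listed under Detection Indicators against constructed sample telemetry; the key=value log format, the host paths and every sample value are assumptions made for the example. The MD5 given above is marked on the page as unverified, so the rules deliberately do not key on it. The HTTP rule requires all three beacon traits together, since a lone POST to /index.php is far too common to alert on.

```python
"""Detection logic for the BookCodes RAT indicators listed above, run over
constructed sample events. The key=value log format and all sample values are
assumptions made for this example, not telemetry from any real host."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators exactly as given in the page's Detection Indicators section.
BEACON_PATHS = {"/index.php", "/gate.php"}
BEACON_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; Win64; x64)"
BEACON_HEADER = "x-client-id"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAMES = {"WindowsUpdate", "SysHelper"}
MUTEX_NAME = r"Global\BookCodesMutex"

# Constructed sample telemetry in a hypothetical key=value format (raw string
# so the Windows backslashes survive untouched).
SAMPLE_LOG = r'''
kind=http method=POST path=/gate.php ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64)" headers="X-Client-ID,Content-Length"
kind=http method=GET path=/index.php ua="Mozilla/5.0 (Windows NT 6.1; Win64; x64)" headers="Accept"
kind=http method=POST path=/index.php ua="curl/8.4.0" headers="X-Client-ID"
kind=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value_name=SysHelper data="C:\Users\Public\svchost.exe"
kind=registry key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run" value_name=OneDrive data="C:\Program Files\OneDrive\OneDrive.exe"
kind=mutex name="Global\BookCodesMutex"
'''

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


@dataclass(frozen=True)
class Finding:
    kind: str
    reason: str


def check_http(ev: dict) -> Optional[Finding]:
    """Beacon rule: POST to a known path, the fixed User-Agent, and an
    X-Client-ID header. All three must hold before the event is flagged."""
    headers = {h.strip().lower() for h in ev.get("headers", "").split(",")}
    if (ev.get("method") == "POST"
            and ev.get("path") in BEACON_PATHS
            and ev.get("ua") == BEACON_USER_AGENT
            and BEACON_HEADER in headers):
        return Finding("http", f"beacon-style POST to {ev['path']} with X-Client-ID")
    return None


def check_registry(ev: dict) -> Optional[Finding]:
    """Persistence rule: one of the reported value names under the HKCU Run key."""
    if (ev.get("key", "").lower() == RUN_KEY.lower()
            and ev.get("value_name") in RUN_VALUE_NAMES):
        return Finding("registry", f"Run-key value {ev['value_name']!r} -> {ev.get('data')}")
    return None


def check_mutex(ev: dict) -> Optional[Finding]:
    """Mutex rule: exact match on the reported mutex name."""
    if ev.get("name") == MUTEX_NAME:
        return Finding("mutex", f"mutex {MUTEX_NAME!r} created")
    return None


RULES = {"http": check_http, "registry": check_registry, "mutex": check_mutex}


def scan(log_text: str) -> list:
    """Run the rule matching each event's kind and collect the hits in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        rule = RULES.get(ev.get("kind"))
        if rule is not None:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Run against the constructed log, the scan flags the first HTTP line, the SysHelper Run‑key value and the mutex event, and stays silent on the GET, the curl POST (wrong User‑Agent) and the OneDrive Run value. Porting the same three conditions into a Sigma rule is a direct translation: the `proxy` logsource for the HTTP rule and the `registry_set` logsource for the Run‑key rule.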
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.