win.bookcodesrat

BookCodes RAT

aka: BookCodesTea

Actor(s): Lazarus Group


BookCodesRAT is a remote access trojan that uses HTTP(S) for communication. It supports around 25 commands, covering operations on the victim's filesystem, basic process management, and the download and execution of additional tools from the attacker's arsenal. The commands are indexed by 32-bit integers, starting with the value 0x97853646.

BookCodesRAT mostly uses compromised South Korean web servers for its C&C traffic and is usually deployed against South Korean targets.

References
2021-10-08 | Virus Bulletin | Seongsu Park
Multi-universe of adversary: multiple campaigns of the Lazarus group and their connections
Dacls AppleJeus AppleJeus Bankshot BookCodes RAT Dacls DRATzarus LCPDot LPEClient
2021-10-07 | Virus Bulletin | Byeongjae Kim, Dongwook Kim, Taewoo Lee
Operation Bookcodes – targeting South Korea
BookCodes RAT LPEClient
2020-12-23 | Kaspersky Labs | Seongsu Park
Lazarus covets COVID-19-related intelligence
BookCodes RAT wAgentTea
2020-11-16 | ESET Research | Anton Cherepanov, Peter Kálnai
Lazarus supply‑chain attack in South Korea
BookCodes RAT Lazarus Group
2020-06-29 | KISA | KrCERT
OPERATION BOOKCODES TTPs #2
BookCodes RAT
2020-04-01 | KISA | KrCERT
OPERATION BOOKCODES TTPs #1
BookCodes RAT
Yara Rules
[TLP:WHITE] win_bookcodesrat_auto (20260504 | Detects win.bookcodesrat.)
rule win_bookcodesrat_auto {
    // Auto-generated (YARA-Signator) detection for BookCodes RAT
    // (win.bookcodesrat; attributed on this page to Lazarus Group).
    // Matching is purely byte-sequence based: ten hex strings selected from the
    // disassembly of unpacked samples / memory dumps (see DISCLAIMER below),
    // combined by a 7-of-10 threshold plus a filesize cap in the condition.
    //
    // NOTE(review): the disassembly text to the right of each hex string does
    // not line up with the bytes on the same line (e.g. the REX.W-prefixed x64
    // encoding 488dbb40080000 = lea rdi, [rbx+0x840] is annotated as
    // "lea ecx, [ebp + 1]"). The hex bytes are what YARA matches; treat the
    // annotation column as informational only and re-disassemble the bytes
    // yourself before drawing conclusions from it. Likewise, the immediates
    // 0x9785364f / 0x9785365a that appear in the annotations fall in the range
    // of the command indices described above (base 0x97853646), but they are
    // not present in the hex bytes of those sequences.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.bookcodesrat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.bookcodesrat"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Practical consequence of the above: because the sequences come from
     * unpacked code, a packed or encrypted dropper on disk will generally not
     * match. Apply the rule to unpacked artifacts or to process memory, and
     * expect a single-sample basis (possible false negatives on other builds).
     */

    strings:
        // repne scasw / not rcx / dec rcx (inline wide-string length idiom),
        // then mov ecx, 0xea60 (60000) and an indirect call through
        // [rbx+0x3660]. The large structure offsets here and in $sequence_5
        // ([rbx+0x36f8]) hint at one big context object — presumably holding
        // resolved function pointers; unconfirmed from these bytes alone.
        $sequence_0 = { 488dbb40080000 66f2af 48f7d1 48ffc9 750d b960ea0000 ff9360360000 }
            // n = 7, score = 100
            //   488dbb40080000       | lea                 ecx, [ebp + 1]
            //   66f2af               | inc                 ebp
            //   48f7d1               | lea                 eax, [ebp + 4]
            //   48ffc9               | dec                 eax
            //   750d                 | lea                 edx, [esp + 0x78]
            //   b960ea0000           | je                  0x50e
            //   ff9360360000         | dec                 eax

        // ff15???????? is a call through an import-table slot; the ????????
        // wildcards mask the RIP-relative displacement so the match survives
        // relocation / different image bases. Result is stored to [r13+0x1a8].
        $sequence_1 = { 85c0 750d ff15???????? 418985a8010000 84db 7431 c744245002000000 }
            // n = 7, score = 100
            //   85c0                 | lea                 edx, [esp + 0x30]
            //   750d                 | dec                 eax
            //   ff15????????         |                     
            //   418985a8010000       | lea                 ecx, [ebp + 0x10]
            //   84db                 | inc                 ecx
            //   7431                 | call                dword ptr [esp + 0x37a8]
            //   c744245002000000     | inc                 esp

        $sequence_2 = { 735e 4d85ed 488b5c2420 0f8432feffff 498bdd }
            // n = 5, score = 100
            //   735e                 | inc                 ebp
            //   4d85ed               | xor                 eax, eax
            //   488b5c2420           | dec                 eax
            //   0f8432feffff         | lea                 edx, [ebx + 0x418]
            //   498bdd               | inc                 ecx

        // call r15, then two loads relative to rbp adjusted by r12 and a
        // null check on [rbx] — looks like iteration over a pointer table.
        $sequence_3 = { 41ffd7 8b5d10 8b7d00 4903dc 4903fc 488bf0 48833b00 }
            // n = 7, score = 100
            //   41ffd7               | dec                 eax
            //   8b5d10               | mov                 ecx, edi
            //   8b7d00               | dec                 esp
            //   4903dc               | mov                 eax, ebx
            //   4903fc               | mov                 edx, 0x9785364f
            //   488bf0               | dec                 eax
            //   48833b00             | mov                 ecx, edi

        $sequence_4 = { 48897330 ebad 48ff4b48 33c0 eb0d 488b4328 }
            // n = 6, score = 100
            //   48897330             | mov                 esi, ecx
            //   ebad                 | dec                 ebp
            //   48ff4b48             | mov                 esp, ecx
            //   33c0                 | inc                 ebp
            //   eb0d                 | mov                 ebp, eax
            //   488b4328             | dec                 esp

        // Two imported-API calls with rcx = rdi each time; the first result is
        // stored to [rbx+0x36f8] (see note on $sequence_0).
        $sequence_5 = { ff15???????? 488d9508080000 488bcf 488983f8360000 ff15???????? 488d5598 488bcf }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488d9508080000       | inc                 ecx
            //   488bcf               | cmp                 ebx, 0x9785365a
            //   488983f8360000       | je                  0x201a
            //   ff15????????         |                     
            //   488d5598             | inc                 ecx
            //   488bcf               | add                 ebx, 0x687ac9ba

        // call → mov rsi, rax → test rax, rax → long je, then a RIP-relative
        // lea into rdx and another call with rcx = rax. Consistent with a
        // handle/module lookup followed by a by-name resolution — hedged,
        // the callee targets are wildcarded.
        $sequence_6 = { ff15???????? 488bf0 4885c0 0f8493010000 488d1556320100 488bc8 ff15???????? }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf0               | je                  0x190e
            //   4885c0               | inc                 ecx
            //   0f8493010000         | mov                 byte ptr [esp], 1
            //   488d1556320100       | inc                 ecx
            //   488bc8               | cmp                 byte ptr [esp], 0
            //   ff15????????         |                     

        // Three RIP-relative lea's whose store targets (8905????????,
        // 48891d????????) and the e8 call target are wildcarded — global
        // pointer initialisation that would otherwise be relocation-dependent.
        $sequence_7 = { 488d0de3780200 8905???????? 488d051ee40100 4889442458 e8???????? 488d0d09a00100 48891d???????? }
            // n = 7, score = 100
            //   488d0de3780200       | lea                 eax, [ebp - 0x80]
            //   8905????????         |                     
            //   488d051ee40100       | inc                 ecx
            //   4889442458           | mov                 ecx, 0x200
            //   e8????????           |                     
            //   488d0d09a00100       | mov                 edx, 1
            //   48891d????????       |                     

        // Function prologue: push rbx / sub rsp, 0x3b0 / mov [rsp+0x20], -2,
        // then rbx = rcx (this-pointer style) and r8d = 0x1b8 as a length
        // argument for a buffer at [rbx+0x35f0]. The prologue bytes are
        // compiler-generic; the specific offsets are what make it selective.
        $sequence_8 = { 4053 4881ecb0030000 48c7442420feffffff 488bd9 488d8c24f0010000 488d93f0350000 41b8b8010000 }
            // n = 7, score = 100
            //   4053                 | dec                 eax
            //   4881ecb0030000       | add                 esp, 0x50
            //   48c7442420feffffff     | inc    ecx
            //   488bd9               | pop                 esi
            //   488d8c24f0010000     | dec                 eax
            //   488d93f0350000       | mov                 ebp, dword ptr [esp + 0x70]
            //   41b8b8010000         | dec                 esp

        // cmp r12, [rbx+0x10] / jb, then mov ecx, 0x80070057 (HRESULT
        // E_INVALIDARG), a call and int3. This looks like a library-generated
        // bounds-check failure path rather than family-specific logic and may
        // be shared with unrelated binaries; give it little weight on its own
        // when triaging a borderline (7-of-10) hit.
        $sequence_9 = { 498bd4 4c3b6310 720b b957000780 e8???????? cc 4863c8 }
            // n = 7, score = 100
            //   498bd4               | jl                  0xcfd
            //   4c3b6310             | dec                 eax
            //   720b                 | arpl                dx, ax
            //   b957000780           | mov                 dword ptr [esp + 0x50], 0x58455363
            //   e8????????           |                     
            //   cc                   | mov                 dword ptr [esp + 0x54], 0x5d71457e
            //   4863c8               | mov                 byte ptr [ebp + eax + 0x508], cl

    condition:
        // At least 7 of the 10 sequences must be present, and the scanned
        // object must be smaller than 544768 bytes (~532 KiB). The cap limits
        // cost and false positives on large files but will also exclude a
        // larger build or a dump padded beyond that size.
        // NOTE(review): filesize is defined for file scans; confirm how your
        // memory-scanning tooling populates it before relying on this clause there.
        7 of them and filesize < 544768
}