
Cobian RAT author crowdsourcing malware botnet distribution

07 Sep 2017

Zscaler has discovered a remote access Trojan (RAT) designed by an author who appears to be crowdsourcing the payload and infection spread.

Researchers have been watching the Cobian RAT since February this year. It had been advertised for free in multiple underground markets for cybercriminals and had many similarities to the njRAT/H-Worm family, of which there are many variants.

The njRAT Trojan is one of the most successful of its kind in the wild because it comes with online support and tutorials for cybercriminals, Zscaler says.

It has reportedly been used in attacks against the international energy sector and has been spotted in Australia and Asia.

The new Cobian RAT ships with a backdoor that fetches command & control information from a Pastebin URL controlled by the malware’s author. The author can then control the systems infected by any payload built with the kit.

Notably, researchers found that the malware relies on secondary operators to build the payload and spread infections, suggesting a crowdsourcing model for its distribution.

Because the malware has a backdoor, the author can control all systems in Cobian botnets and change the command & control server information that the secondary operators configured.
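The backdoor described above means that, whatever C2 server a secondary operator configured, every infected host also polls a Pastebin URL chosen by the kit's author. From a defender's side, a process that is not a browser repeatedly fetching a paste site is the observable side of that behaviour. The following detector is an added example, not Zscaler's code or anything from the Cobian sample; the log format, the list of paste hosts and the browser allowlist are all constructed assumptions.

```python
"""Flag non-browser processes that repeatedly fetch paste-site URLs.

This is an added example (not from the original article). The log format is
a constructed, simplified EDR/proxy line:
    <timestamp> host=<hostname> pid=<pid> image=<process path> url=<url>
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: paste sites worth watching for hosted C2 lookups.
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com"}
# Assumption: processes from which an interactive paste-site visit is expected.
BROWSER_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) "
    r"image=(?P<image>\S+) url=(?P<url>\S+)$"
)


def parse_line(line):
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["netloc"] = urlparse(rec["url"]).netloc.lower()
    # Normalise Windows and POSIX paths to the bare image name.
    rec["image_name"] = rec["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    return rec


def find_paste_site_beacons(lines, min_hits=2):
    """Return alerts (host, pid, image_name, netloc, hit_count) for every
    non-browser process that fetched a paste site at least min_hits times.
    Requiring more than one hit separates a one-off fetch from polling."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["netloc"] in PASTE_HOSTS and rec["image_name"] not in BROWSER_IMAGES:
            key = (rec["host"], rec["pid"], rec["image_name"], rec["netloc"])
            hits[key].append(rec["url"])
    return [key + (len(urls),) for key, urls in hits.items() if len(urls) >= min_hits]


# Constructed sample log: one unexpected process polls a paste site three
# times, a browser visits the same site once, and Word fetches an update URL.
SAMPLE_LOG = [
    "2017-09-07T10:00:01Z host=WS01 pid=4120 image=C:\\Users\\u\\AppData\\Roaming\\svchost.exe url=https://pastebin.com/raw/PLACEHOLDER",
    "2017-09-07T10:05:01Z host=WS01 pid=4120 image=C:\\Users\\u\\AppData\\Roaming\\svchost.exe url=https://pastebin.com/raw/PLACEHOLDER",
    "2017-09-07T10:10:01Z host=WS01 pid=4120 image=C:\\Users\\u\\AppData\\Roaming\\svchost.exe url=https://pastebin.com/raw/PLACEHOLDER",
    "2017-09-07T10:11:30Z host=WS01 pid=2200 image=C:\\Program Files\\Google\\Chrome\\chrome.exe url=https://pastebin.com/abc",
    "2017-09-07T10:12:00Z host=WS01 pid=3100 image=C:\\Program Files\\Microsoft Office\\WINWORD.EXE url=https://www.microsoft.com/",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for alert in find_paste_site_beacons(SAMPLE_LOG):
        print("ALERT", alert)
```

Running the block prints a single alert for the process in the user's roaming profile; the browser visit and the Office update check are ignored. In production the allowlist and the hit threshold would be tuned to the environment, and the same logic would sit on top of real proxy or EDR telemetry rather than the constructed lines above.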

“The original author of the RAT builder is assuming that there will be some testing performed by the second-level operators and that they will most likely use the same system for both bot client and server applications,” researchers state.

The Cobian RAT has been spotted in the wild. It appears to have been served from a compromised Pakistani defence and telecommunications solutions website.

The RAT was hidden in a ZIP archive, disguised as a Microsoft Excel spreadsheet. What’s more, the file’s certificate masquerades as VideoLAN, the company responsible for the VLC media player.
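The delivery trick above, an executable inside a ZIP archive posing as a spreadsheet, is cheap to catch at a mail gateway or on an upload path: the member's extension says "document" while its first bytes say "Windows executable". The inspector below is an added example, not code from Zscaler or from the Cobian sample; the archive it scans is built in memory from a constructed, non-functional PE header, and the extension lists are assumptions.

```python
"""Flag ZIP members whose extension claims a document but whose header is a
Windows PE executable, or that carry a document.exe double extension.

Added example, not from the original article. The sample archive is
constructed in memory; the "PE" inside it is a bare header, not a program.
"""
import io
import struct
import zipfile

# Assumptions: extensions users expect to be documents, and real executables.
DOC_EXTS = {".xls", ".xlsx", ".doc", ".docx", ".pdf"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif"}


def looks_like_pe(data):
    """True if data starts with an MZ stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def suspicious_members(zip_bytes):
    """Return [(member_name, [reasons])] for members that look mislabelled."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(0x200)  # the header check needs only the start
            reasons = []
            if looks_like_pe(head):
                if exts and exts[-1] in DOC_EXTS:
                    reasons.append("PE header but document extension")
                elif not exts or exts[-1] not in EXEC_EXTS:
                    reasons.append("PE header but non-executable extension")
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and exts[-1] in EXEC_EXTS:
                reasons.append("double extension")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_fake_pe():
    """Constructed bytes with a DOS stub and PE signature only; not runnable code."""
    e_lfanew = 0x80
    header = bytearray(b"MZ" + b"\0" * (0x3C - 2))
    header += struct.pack("<I", e_lfanew)          # e_lfanew at offset 0x3C
    header += b"\0" * (e_lfanew - len(header))     # pad up to the PE signature
    header += b"PE\0\0" + b"\0" * 64
    return bytes(header)


def build_sample_zip():
    """Constructed archive: one disguised PE, one genuine OOXML-style file,
    one double-extension PE and one harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_Q3.xls", build_fake_pe())        # PE posing as a spreadsheet
        zf.writestr("report.xlsx", b"PK\x03\x04" + b"\0" * 16)  # real .xlsx files are ZIPs
        zf.writestr("Quote.xlsx.exe", build_fake_pe())        # classic double extension
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in suspicious_members(build_sample_zip()):
        print(name, "->", ", ".join(reasons))
```

The check deliberately reads only the first 512 bytes of each member, so it is cheap enough to run on every attachment. It says nothing about the signer; the VideoLAN-lookalike certificate mentioned above would need a separate Authenticode check comparing the signer's subject against the publisher you actually expect.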

In the bot configuration, researchers noticed further similarities between Cobian and njRAT.

The Cobian bot contains a keylogger and has access to screen capture, webcam, voice recorder, file browser, remote command shell, dynamic plugins and install/uninstall functions.

Other supported commands include running executables or scripts from local disks or remote URLs, remote desktop, chat, a password stealer and a system manager.

“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author. The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators’ Botnet,” researchers conclude.
