A Remote Access Trojan builder kit, Cobian RAT, that was recently spotted being given away for free on multiple underground hacking forums has been found to contain a backdoored module that gives the kit’s authors access to all of the victims’ data.
Dubbed Cobian RAT, the malware has been in circulation since February of this year and has some similarities with the njRAT/H-Worm family of malware, which has been around since at least 2013.
According to ThreatLabZ researchers from Zscaler, who discovered the backdoored nature of the malware kit, the “free malware builder” is likely capable of allowing other wannabe hackers to build their own versions of the Cobian RAT with relative ease.
Once criminals create their own version of the malware using this free builder, they can distribute it to victims all over the world via compromised websites or traditional spam campaigns, and the resulting payload can recruit affected devices into a malicious botnet.
The Cobian RAT then steals data on the compromised system, with the capability to log keystrokes, take screenshots, record audio and webcam video, install and uninstall programs, execute shell commands, use dynamic plug-ins, and manage files.
Cyber Criminals Want to Hack Wannabe Hackers
Now, if you get excited by knowing that all these capabilities offered by the original authors of the malware builder kit are free, as they claim, you are mistaken.
Unfortunately, the custom RATs created using this free Cobian RAT malware builder kit have a hidden backdoor module, which silently connects to a Pastebin URL that serves as the kit authors’ command-and-control (C&C) infrastructure.
The backdoor, at any time, can be used by the original authors of the kit to issue commands to all RATs built on the top of their platform, eventually putting both wannabe hackers and compromised systems infected by them at risk.
“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author,” said Deepen Desai, senior director of security research at Zscaler.
“The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators Botnet.”
The researchers also explain that the original Cobian developer is “relying on second-level operators to build the RAT payload and spread infections.”
The original author then can take full control of all the compromised systems across all the Cobian RAT botnets, thanks to the backdoor module. They can even remove the second-level operators by changing the C&C server information configured by them.
A unique Cobian RAT payload recently observed by the researchers reportedly came from a Pakistan-based defence and telecommunication solution website (which was potentially compromised) and was served inside a .zip archive masquerading as an MS Excel spreadsheet.
The bottom line: scrutinize free online tools very carefully before using them.
Zscaler has discovered a remote access Trojan (RAT) designed by an author who appears to be crowdsourcing the payload and infection spread.
Researchers have been watching the Cobian RAT since February this year. It had been advertised for free in multiple underground markets for cybercriminals and had many similarities to the njRAT/H-Worm family, of which there are many variants.
The njRAT Trojan is one of the most successful of its kind in the wild because it comes with online support and tutorials for cybercriminals, Zscaler says.
It has reportedly been used in attacks against the international energy sector and has been spotted in Australia and Asia.
The new Cobian RAT is injected with a backdoor that fetches command & control information from a Pastebin URL that is controlled by the malware’s author. The author can then control the systems infected by the payloads.
Notably, researchers found that the malware uses secondary operators to form the payload and spread infections, suggesting a crowdsourcing model to its distribution.
Because the malware has a backdoor, the author can control all systems in the Cobian botnets, and change the command & control server information that secondary operators configured.
“The original author of the RAT builder is assuming that there will be some testing performed by the second-level operators and that they will most likely use the same system for both bot client and server applications,” researchers state.
The Cobian RAT has been spotted in the wild. It appears to have been served from a compromised Pakistan defence and telecommunications solution website.
The RAT was hidden in a ZIP archive as a Microsoft Excel spreadsheet. What’s more, the file’s certificate masquerades as VideoLAN, the company responsible for VLC media player.
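The delivery described above (an executable packed in a ZIP archive and dressed up as an Excel spreadsheet) is something a mail gateway or sandbox can check for before the archive reaches a user. The following is an added example, not code from the original article or from Zscaler: it unpacks an archive constructed inline, flags members whose names hide an executable extension behind a document extension, and flags members that claim a document extension but start with the Windows PE magic bytes. The extension lists and sample file names are assumptions for illustration; the VideoLAN certificate masquerade mentioned next is not covered here.

```python
import io
import zipfile

# Extensions a lure "spreadsheet" would carry, and executable extensions
# that should never sit behind them. Both lists are illustrative.
DOCUMENT_EXTS = {".xls", ".xlsx", ".xlsm", ".csv", ".doc", ".docx", ".pdf"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable


def inspect_zip(data: bytes) -> list:
    """Return one finding per suspicious member of a ZIP archive.

    A member is flagged when its name hides an executable extension behind a
    document extension (invoice.xls.exe), or when its content starts with the
    PE magic even though the name claims to be a document.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in basename.split(".")[1:]]
            reasons = []
            if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
                reasons.append("double extension hides executable")
            if exts and exts[-1] in DOCUMENT_EXTS:
                with zf.open(info) as fh:
                    if fh.read(len(PE_MAGIC)) == PE_MAGIC:
                        reasons.append("PE header under document extension")
            if reasons:
                findings.append({"member": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a benign CSV, a 'spreadsheet' that is really a PE
    file, and a double-extension lure. Names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.csv", "a,b\n1,2\n")
        zf.writestr("Quarterly_Budget.xls", PE_MAGIC + b"\x90" * 62)
        zf.writestr("Tender_Docs.xlsx.scr", PE_MAGIC + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(finding["member"], "->", "; ".join(finding["reasons"]))
```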
In amongst the bot configuration, researchers noticed more similarities between Cobian and njRAT.
The Cobian bot contains a keylogger and has access to screen capture, webcam, voice recorder, file browser, remote command shell, dynamic plugins and install/uninstall functions.
Other supported commands include running executables or scripts from local disks or remote URLs, remote desktop, chat, a password stealer and a system manager.
“It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author. The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators Botnet,” researchers conclude.