No Charge for RAT with Backdoor

Tuesday, September 5, 2017 @ 05:09 PM gHale

A remote access Trojan (RAT) kit also has a backdoor module, researchers said.

Cobian is the RAT and researchers found it in February this year.

Mobile RAT Malware on the Scene
Mac Malware-as-a-Service Products Found
Exploit Kit Details Discovered
Exploit Kit Learns Fingerprinting

The Cobian RAT control panel and features are similar to those of njRAT and H-Worm, said researchers at Zscaler.

Cobian RAT’s builder was on multiple underground forums, where the developer was offering it for free. Free? It appears the builder kit includes a backdoor module designed to retrieve command and control (C&C) information from a predetermined URL controlled by the original author, Zscaler reserchers said in a post.

Because of this, the malware developer gains control of the infected systems, while relying on other operators to build and spread the RAT. The backdoor module provides the original malware author with full control over the systems infected with Cobian RAT and also allows it to modify the C&C server information configured by the second-level operators, the researchers said.

Cobian also includes a series of detection evasion mechanisms, the researchers said. The backdoor module is not activated if the machine name and username of the infected system are the same, and no traffic will generate from the bot client to the backdoor C&C server in this case.

During one attack, the malware ended up dropped via a ZIP archive masquerading as a Microsoft Excel spreadsheet. The executable payload was signed with an invalid certificate pretending to be from VideoLAN and was packed using a .NET packer, featuring the encrypted Cobian RAT payload embedded in the resource section. The dropper also included anti-debugging checks.

Once installed on the compromised system, the bot attempts to create a mutex to ensure one instance of itself is running. It also creates a copy of itself as %TEMP%/svchost.exe, executes it and then terminates itself. To ensure persistence, the executed copy creates an autostart registry key.

Leave a Reply

You must be logged in to post a comment.