Monday, November 4, 2024

Free Remote Access Trojan builder “Cobian RAT” Distributed a Backdoor

A free Remote Access Trojan builder called “Cobian RAT” was being distributed with an embedded backdoor. It was offered free of charge and shares many similarities with the njRAT/H-Worm family.

The RAT was distributed and advertised on underground and dark web forums where cyber criminals buy and sell advanced hacking tools.

It offers much the same functionality as the njRAT/H-Worm family, but at no cost.

The backdoored RAT includes many advanced features such as a keylogger, screen capture, webcam and voice recording, a file browser, a remote command shell, and install/uninstall functions.


How Does Cobian RAT Work

Initially, the Cobian RAT builder is distributed through online forums. The builder contains a hidden backdoor that is controlled by the original author.

At the next level, operators use the builder kit to generate RAT payloads, which they distribute via traditional methods such as email and compromised websites.

Figure: Cobian RAT command-and-control server application

The backdoor uses a Pastebin URL maintained by the malware author to pull the author's command-and-control information.

Once user systems are compromised by the malicious payload, the collected information is sent to the malware author’s command-and-control server.

This allows the original author to control the systems infected by the malware payloads that were generated using this backdoored builder kit.

In effect, the malware author can take full control of every system compromised by Cobian RAT botnets built with the kit.
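The two-stage pattern described above (a fetch of a raw Pastebin page to obtain C&C details, followed by an outbound connection to the backdoor server) is something a defender can look for in proxy or firewall logs. The following is an added example, not code from the article or from Zscaler: it assumes a simple space-separated log format and uses constructed sample lines, and it flags any host that fetches a raw paste and then, within a short window, opens a connection to an uncommon port.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). Assumed format:
# <ISO timestamp> <host> <user> <destination>:<port> <url or ->
SAMPLE_LOGS = """\
2017-09-01T10:00:01 WKS-17 alice pastebin.com:443 https://pastebin.com/raw/EXAMPLE01
2017-09-01T10:00:04 WKS-17 alice 203.0.113.25:5552 -
2017-09-01T10:05:00 WKS-22 bob pastebin.com:443 https://pastebin.com/raw/EXAMPLE02
2017-09-01T10:20:00 WKS-22 bob example.org:443 https://example.org/
2017-09-01T11:00:00 WKS-09 carol 198.51.100.7:5552 -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+):(\d+) (\S+)$")
PASTE_RE = re.compile(r"^https?://pastebin\.com/raw/\S+")
# Ports treated as "ordinary"; anything else shortly after a paste fetch is worth a look.
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995}
WINDOW = timedelta(minutes=5)


def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, user, dst, port, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "dst": dst, "port": int(port), "url": url}


def find_staged_c2(log_text, window=WINDOW):
    """Return (host, paste_url, destination:port) tuples for hosts that fetch a raw
    paste and then connect to an uncommon port within `window`."""
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    hits = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if not PASTE_RE.match(e["url"]):
                continue
            # Look only at events that follow the paste fetch inside the time window.
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break
                if f["port"] not in COMMON_PORTS:
                    hits.append((host, e["url"], f"{f['dst']}:{f['port']}"))
    return hits


if __name__ == "__main__":
    for host, paste, dest in find_staged_c2(SAMPLE_LOGS):
        print(f"{host}: fetched {paste} then connected to {dest}")
```

In the constructed sample only WKS-17 matches: WKS-22 fetches a paste but its next connection is on port 443 and outside the window, and WKS-09 never fetches a paste. Tune `COMMON_PORTS` and `WINDOW` to your environment; the point is the sequence, not any single destination.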

According to Zscaler's analysis, Cobian RAT was spreading as an executable disguised with an embedded Microsoft Excel spreadsheet icon, and the payload was served inside a ZIP archive.

“The executable file is packed using a .NET packer with the encrypted Cobian RAT payload embedded in the resource section. There is a series of anti-debugging checks performed by this dropper payload before decrypting the RAT and installing it on the victim’s system.”
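Because the dropper arrives as an executable dressed up as a spreadsheet inside a ZIP archive, a useful mail-gateway or triage check is to look at what each archive entry actually is rather than what its name or icon says. The following is an added example, not code from the article or from Zscaler: it builds a constructed sample ZIP in memory (no real malware), identifies PE executables by their DOS and PE headers, and flags those whose file name suggests a document.

```python
import io
import zipfile

DOC_EXTS = (".xls", ".xlsx", ".doc", ".docx", ".pdf")
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")


def fake_pe():
    """Build a minimal constructed PE header: 'MZ', e_lfanew at 0x3c pointing to 'PE\\0\\0'."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    header[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 20


def is_pe(data):
    """Return True if `data` starts with a DOS header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    off = int.from_bytes(data[0x3C:0x40], "little")
    return data[off:off + 4] == b"PE\x00\x00"


def build_sample_archive():
    """Constructed sample archive: one real-looking OOXML file, one disguised PE,
    one text file that merely begins with 'MZ', and one plainly named PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Quotation.xlsx", b"PK\x03\x04" + b"\x00" * 32)  # OOXML files are themselves ZIPs
        z.writestr("Invoice.xlsx.exe", fake_pe())                     # executable with a document-style name
        z.writestr("readme.txt", b"MZ is just text here")             # not a PE: no valid e_lfanew/PE signature
        z.writestr("setup.exe", fake_pe())                            # executable, honestly named
    return buf.getvalue()


def suspicious_entries(zip_bytes):
    """Return (entry name, finding) for every PE executable inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as fh:
                head = fh.read(4096)  # headers are in the first few KB; no need to read whole files
            if not is_pe(head):
                continue
            name = info.filename.lower()
            # Deceptive if a document extension appears before the real one, or if
            # the final extension is not an executable extension at all.
            deceptive = any(ext in name[:-4] for ext in DOC_EXTS) or not name.endswith(EXEC_EXTS)
            findings.append((info.filename, "pe-disguised-as-document" if deceptive else "pe-executable"))
    return findings


if __name__ == "__main__":
    for name, finding in suspicious_entries(build_sample_archive()):
        print(f"{name}: {finding}")
```

The icon embedded in the executable is not inspected here; the header check is enough to separate a genuine spreadsheet (which begins with a ZIP signature) from a PE file wearing a spreadsheet name, and the `readme.txt` entry shows why checking only for the two bytes `MZ` would be too loose.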

The same RAT was caught by the Zscaler Cloud Sandbox being served from a Pakistan-based defense and telecommunication solution website.

During Zscaler analysis, we observed that when the machine name and username of the systems running the Cobian RAT payload (bot client) and the control server (bot C&C server) are the same, the backdoor module will not be activated and no communication will be sent to the backdoor C&C server.

When a second-level operator uses both the bot client and the server application on the same system, this hides the backdoor payload, and no traffic is generated from the bot client to the backdoor C&C server in this case, Zscaler said.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
