Cobian RAT – A backdoored RAT [source: zscaler]

The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family, which we analyzed in this report.

Crowdsourcing botnet model?

As we analyzed the builder, we noticed a particularly interesting function: the builder kit is injected with a backdoor module which retrieves C&C information from a predetermined URL (pastebin) that is controlled by the original author. This allows the original author to control the systems infected by the malware payloads that were generated using this backdoored builder kit.

For more, click here.

Share