Would-be cyberattackers caught by malware with a sting in the tail

We all know that the dark web has marketplaces that sell malware to potential cyberattackers who would rather pay Bitcoin than spend time developing their own malware. So if you have Tor configured for access to the dark web and some money in a Bitcoin wallet, conducting malware attacks is easier than ever before. Why should an attacker bother learning how to code in the first place?

Well, sometimes convenience comes at a price – one that cannot be converted to any fiat currency or cryptocurrency.

The Trojan smells like a RAT. Zscaler ThreatLabZ, who discovered it, has named it Cobian. It’s based on njRAT, which originally surfaced around 2013. It has the features that people who buy malware on the dark web want; a keylogger, webcam control, remote code execution, and screen capturing.

But there’s more: unbeknown to customers, it also contains an encrypted library which has code that grants master control to Cobian’s developer. So while Cobian buyers get excited about acquiring their own botnet, Cobian’s author gets ultimate control of all of those botnets: it’s botnet acquisition as a sleazy pyramid marketing scheme. The researcher who discovered it said:

Cobian RAT appears to be yet another RAT that is spawned from the leaked njRAT code. It is ironic to see that the second-level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author.

Cobian’s executable payload disguises itself as a Microsoft Excel file. Cobian’s secondary payload then checks to see if the second-level operator is online. If so, then the code that enables the author to acquire master control operates to evade detection. If the second-level operator is offline, the secondary payload acquires the address of the author’s command and control servers from Pastebin. The researchers say:

During our analysis, we observed that when the machine name and username of the systems running the Cobian RAT payload and the control server are the same, the backdoor module will not be activated and no communication will be sent to the backdoor command and control server.

The original author of the RAT builder is assuming that there will be some testing performed by the second-level operators and that they will mostly likely use the same system for both bot client and server applications. To hide the presence of the backdoor module, there will be no traffic generated from the bot client to the backdoor command and control server in this case.

People who buy Cobian might think they’re clever, but the joke’s on them.  And this isn’t the first time we’ve reported on RAT authors exploiting the people who buy their malware – and all we’ll say is: caveat emptor; buyer beware.