Cobian Remote Access Trojan Has a Nasty Backdoor

Whenever cybercriminals offer free tools to the rest of the world, one always needs to be suspicious. The new Cobian Remote Access Trojan, for example, is provided free of charge on underground hacking forums. However, it comes with a backdoor that aims to provide the original developer access to all of the victim’s data. This is a very sneaky way of letting others do the dirty work. The Cobian RAT has been in circulation since February of this year, although it is unclear how much information has been collected so far.

The Cobian RAT is a Poisoned Apple

You should never look a gift horse in the mouth, though it wouldn’t hurt to conduct your own research anyway. This is especially true when someone tries to provide you with free software to conduct nefarious activities without asking for anything in return. Nothing in life is truly free. If the advertised tool is indeed as harmful as the developer claims, there is no real reason for him or her to share it with the rest of the world without asking money for it. The Cobian RAT is seemingly capable of letting others build their own malware with relative ease. Unfortunately, it also leaves something behind in all of those creations.

This “free malware builder’ allows other users to create their own versions of the Cobian RAT with custom settings. It is similar to how most ransomware-as-a-service toolkits operate. Once a criminal uses this free builder to develop his or her own malware, they can effectively distribute it to victims all over the world. The main objective is to steal and compromise data on target devices. Unfortunately for the people creating their own RATs, their newly-created malware also connects to a Pastebin URL under the control of the original developer.

Through this Pastebin URL, the developer can issue new commands to all RATs built on top of the original platform. So far, it seems over 4,000 systems have been infected with Cobian RAT types that are not the original code. Research seemingly indicates that two people have access to this Pastebin URL as of now. These individuals are the original Cobian developer and the person distributing the customized RAT. All of the collected data from victims’ computers are exposed to these two individuals as well. Indeed, these cybercriminals let others do their dirty work for them.

Luckily, it appears the Cobian RAT is not without its flaws. There are several bugs, and some features which just do not work whatsoever. That is pretty unusual for a malware focusing on logging information first and foremost. For one, any computer user who types above the average speed will be somewhat safe from harm. That’s because the keylogger is incapable of capturing all of the keystrokes correctly, which is not a positive sign for anyone looking to utilize this code. It may also explain why Cobian is offered for free.

Additionally, it appears there has not been too much interest in Cobian so far. Researchers have not noticed any of these versions in the wild other than a few individual infections related to this keylogger. When the malware was delivered successfully, it was distributed through a compromised website. Compromising websites and update servers has also become a popular way to distribute ransomware lately.

For all of its shortcomings, Cobian is still a threat to be reckoned with. It is not all that different from what its competitors provide to the masses, even though it has a few bugs and a backdoor. All of the standard malware features one would expect to find are present in Cobian. Now that the backdoor has been exposed, however, it is believed very few criminals will show any interest in Cobian moving forward. After all, no one wants to risk exposing data to other criminals.