Free Cobian RAT Offered on Underground Hacking Forums Comes With a Backdoor

Share this…

A remote access trojan (RAT) offered as a free download on underground hacking forums comes with a secret backdoor that grants the original author access to all the victim data.

This new malware strain — advertised as Cobian RAT — has been offered for free to other crooks since February 2017, according to Deepen Desai, Senior Director of Research at cyber-security firm Zscaler.

Desai says the original author is offering a ” free builder” that allows other crooks to create their own version of the Cobian RAT with customized settings.

Others took this builder, created their customized Cobian RATs, and distributed the payloads, infecting other users.

Cobian RAT backdoored using Pastebin file

Unknown to the wannabe hackers who downloaded the RAT, these customized versions secretly connect to a Pastebin URL that is under the original author’s control from where they receive new commands.

“The [Pastebin file] corresponding to the builder variant that we analyzed has 4,055 unique visitor hits till now, indicating of number of systems infected,” Desai told Bleeping Computer in an email today.

These are systems to which two crooks have access. First, the hacker who distributed the customized Cobian RAT, and then the RAT’s original author.

Cobian RAT has bugs

The good news is that Cobian is not the smash hit other free RATs were in the past. For starters, not all the features work as intended.

“In our limited testing of the keylogger module, we observed some flakiness that it was not accurately capturing all the keystrokes when [a] user types […] a little fast,” Desai told Bleeping.

This is maybe why the RAT is not as popular, despite being offered for free for almost half a year. At the time of writing, researchers have rarely seen Cobian used in the wild.

“We haven’t seen any large scale campaign involving Cobian RAT,” Desai told Bleeping, “but [we] have been seeing a few isolated incidents where it was being delivered via a compromised website.”

Nonetheless, Cobian isn’t the epic failure you’d presume. If we ignore the backdoor and flaky keylogger component, Cobian isn’t far behind to what competitors are offering.

“The RAT contains all the standard features available in free/paid RATs. We have listed the full set of features in our blog,” Desai added.

Despite this, the discovery of the backdoor has killed any future Cobian development, as little users will be interested or risk downloading this tool now. Below is an infographic put together by Zscaler on Cobian’s modus operandi.

Cobian RAT infographic