A free remote access trojan builder kit that was recently observed in various cybercrime forums secretly contains an injected backdoor module that allows the kit's authors to take over the malware later, unbeknownst to the attackers wielding it.
According to ThreatLabZ researchers from Zscaler, the malware, dubbed Cobian RAT, is distributed via traditional spam campaigns or compromised websites, and is capable of recruiting affected machines into a malicious botnet. Upon infection, the malware can also log keystrokes, take screen captures, record audio and webcam video, execute shell commands, install and uninstall programs, use dynamic plug-ins, and manage files via a file browser.
However, at any time, the original authors of the RAT builder kit can attack the attackers (aka second-level operators) by commandeering these features, as well as all infected systems, and using them for their own gain. This is accomplished via the hidden backdoor module, which silently maintains communication with a Pastebin URL that serves as the kit authors' command-and-control infrastructure.
"It's ironic watching these second-level operators use the kit to propagate malware in order to steal from their victims when, in fact, they themselves are being duped into doing the dirty work for the original author," said Deepen Desai, Zscaler's senior director of security research, via a Thursday blog post.
Moreover, the original kit authors can even change the configuration file "to remove [the] second-level operator's C&C server and have the infected systems just communicate with the backdoor C&C server, taking second-level operators out of the loop," Desai told SC Media in a separate interview.
Cobian, whose builder kit was first spotted in February 2017, seems to be derived from the source code of njRAT, another remote access trojan, Zscaler has reported. In its blog post, the company describes a recently observed Cobian RAT payload, which was served inside a .zip archive impersonating an Excel spreadsheet. This payload reportedly came from a Pakistan-based defense and telecom solution website that was potentially compromised.
To prevent their secret backdoor from being discovered, the builder kit's authors cleverly programmed the malware not to activate the module or reach out to their C&C server whenever the systems running the bot client and the bot server share the same machine name and username. In such situations, the authors assume that the second-level operators may be testing the malware on one of their own systems, Zscaler explains.