CyberWire Daily - Cobian RAT: Zscaler’s Deepen Desai describes some clever malware. [Research Saturday]

Episode Date: September 16, 2017

Deepen Desai, senior director of security research and operations at Zscaler, describes research he and his team have been doing since discovering a clever bit of malware they've named Cobian RAT. (RAT stands for Remote Access Trojan.) It's available for free, but contains a back door that allows the original author to access and control the RAT remotely.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
Starting point is 00:01:10 protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security.
Starting point is 00:01:57 Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
Starting point is 00:02:16 simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. So remote access Trojan is a piece of malware that will allow an attacker full control,
Starting point is 00:02:50 like a remote control of the system on which it's installed. That's Deepen Desai, Senior Director of Security Research and Operations at Zscaler. He and his team have been analyzing a clever bit of malware they've named Cobian RAT. There are many popular RATs out there, like njRAT. H-Worm is another variant. What it allows the attacker to do is things like, you know, monitor your webcam, take a recording of the audio from the surroundings using the microphone. The attacker can actually view all the system files,
Starting point is 00:03:24 download, upload files, execute anything he wants. So that's basically a quick nutshell of what a RAT is capable of doing. And so take us through what initially tipped you off about this new RAT. So initially we thought this is just yet another RAT which was spawned off from the leaked njRAT code. We saw the post in February 2017. What was happening over there was the original author was offering a builder kit for Cobian RAT for free. And this is not, I mean, it's not unusual. There are cases where someone's doing a beta and encouraging people to test it out.
Starting point is 00:04:07 So we just took it as yet another free RAT. But once we started seeing some in-the-wild payloads for this family, it caught our attention. We saw that it's no longer just something that's in testing. There are actually samples out there. We saw certain samples hit our cloud sandbox as well. And that's when we started analyzing not just samples, but also the original builder kit using which those samples were generated. Once we started seeing a lot of malicious samples, and we've seen like 100 unique samples for this family till now, we started analyzing the builder kit, basically reversed the code behind it.
Starting point is 00:04:58 And we observed that the builder kit had a backdoor integrated by the original author. The way it works is, I mean, you could call it a pyramid scheme as well, but there's just three layers. So there's this original author who constructed this builder kit. The builder kit is then circulated using underground forums. And then the second level operators, malware operators, who fall for that, will take that kit, generate their own malware payload, configure it to talk to their own controlled CNC server.
Starting point is 00:05:34 They will then leverage things like email spam, botnets, exploit kits to circulate those payloads to end users. So each of those second level operators is forming their own botnet for their own financial purposes. They're making gains through stealing credentials. They're making gains through installing other malware families. Everyone has their own agenda. But what's happening over here is the CNC server that's sitting at the second level operator is secretly calling back to a Pastebin URL that the original author configured. And that's where it gets a new command and
Starting point is 00:06:07 control server, which is the backdoor CNC server that allows the attacker, the original guy, to communicate with all the victim machines, right? So he basically has access to all the botnets that are formed by the second level operators using his builder kit. And so the people who took advantage of this free offer, obviously they did not know they were getting a backdoor along with the software that they were getting. So take us through, what do we think is the motivation behind the person who put the backdoor in? What is their gain? Is it merely just to have a sort of a larger network with other people doing the work for them?
Starting point is 00:06:55 Yeah, it's basically like a crowdsource model, except that the people who are doing the job, a dirty job, don't know that they're doing it for someone else, right? Another good point that you raised was the original guy, he actually added an evasion technique. So what he did was when the second level operator opens the builder kit on a machine and runs a test payload on the same machine, the backdoor module will not be activated. So he's trying to make sure that the second level guys don't find out that there is a backdoor inside the builder kit. But if the malware payload runs on a different machine, in that case, the backdoor module will get activated. That's how he's trying to ensure that the second level guys don't find out that there is a backdoor module. They do all the dirty work.
Starting point is 00:07:42 And then the first, I mean, the original guy can then communicate with all the infected hosts using that channel. Now, with the second-level people who've gone and installed these RATs around the world, would they be aware that something was going on behind the scenes? Does the backdoor run invisibly, or would they notice any degradation of the system running for their purposes? I mean, a smart adversary would be able to find out, because there is some level of network activity that's happening, but it is less likely. I mean, otherwise we wouldn't be seeing so many new payloads which are built using the backdoored builder kit. I see. So tell us about what you're seeing in the wild with this.
Starting point is 00:08:37 So in the wild, we saw one of the signed payloads, which was pretending to be an Excel document. And it was signed using a fake certificate belonging to VideoLAN. They're known for the VLC media player. Again, it's pretty standard. The executable pretends to be a document. It's packed using a .NET packer. It contains the Cobian RAT, which is embedded inside the resource section. There are a series of anti-debugging checks that happen on the victim machine before the actual RAT is installed. So what are the features that are included in this particular bot? Right. So this RAT, like many other popular RATs, will have features such as keylogger, screen capture, webcam access, voice recorder, file browser. It allows the attacker to even run remote commands. And then one interesting feature that we saw, which is also seen in some of the recent RATs,
Starting point is 00:09:34 but only in the newer RATs, was the ability to install dynamic plugins. So the attacker could actually add a new feature and the RAT will just dynamically pull it from the CNC server and execute that. I see. And have you seen any examples of what sorts of functionality would be enabled by plugins? We didn't see any in the case that we were analyzing. It could be just a test feature for now, but I mean, it will work. We analyzed the function that is responsible for executing the plugin and it's fully functional. I see. So take us through what happens in terms of the command and control activity. So there are, just like I mentioned, there are like two command and control activities that are taking place. One that's for the backdoor, which is taking place from the builder kit
Starting point is 00:10:26 to the attacker-controlled CNC server. The CNC servers in both cases are leveraging dynamic DNS domains. So the one that we included in our blog was suez111.ddns.net. So these are like throwaway domains, and they will keep switching those domains very frequently so that a URL- or domain-based block list will not be effective in flagging the CNC communication. The first beaconing that will happen after a successful infection will include things like username, system name,
Starting point is 00:11:06 operating system that's running, what kind of antivirus is installed, whether there is a webcam enabled or not, and the name of the process using which the RAT is operational on the system. And so what ways does the RAT try to protect itself from things like antivirus? So the malware author is using a .NET cryptor, which will package the file and make it highly obfuscated as well, which will make it very difficult for AV vendors to catch it. And once installed, I mean, the attacker has the ability to disable AV processes and stay hidden. So what is your recommendation in terms of people protecting themselves against this sort of RAT? Recommendations are standard, honestly, in this case. If attachments arrive to you where the sender is not known, you should not open them.
Starting point is 00:12:07 Don't blindly trust it. I would also recommend, you know, defense in depth strategy. You need multiple layers inspecting all the payloads that are arriving to you. Any payload that arrives from the internet needs to be scanned using multiple layers of security that are able to talk with each other, right? So I'll give some examples that most enterprise networks will have as part of their security stack. So sandbox is one, right? Then there is deep packet inspection. You need to scan the content that's coming in. You need to sandbox the payloads that are getting into your network. And then the third most important one,
Starting point is 00:12:50 which unfortunately is not very widely deployed, is SSL inspection. So if the payload is getting delivered to you using, say, something like Dropbox, right, or any of the media sharing sites over SSL, then you're basically blind to it. And then you're relying on your end user to make the smart decision. Again, I'm going to summarize it. Defense in depth, you need multiple layers that are capable of talking with each other. So if a sandbox flags a payload, the deep packet inspection needs to start blocking the subsequent
Starting point is 00:13:25 download attempts. You need user education, things that should not be clicked, opened, and then strict operating system level controls where you are not allowing all end users the ability to execute unknown applications. Is there any sense, now that the word is out that this Cobian RAT contains a backdoor, is there any sense in the forums on which this was being distributed that word is out? And has it got a bad reputation? We're actually looking. We're actually monitoring that.
Starting point is 00:14:05 We haven't seen any update on that. The thing that we were a little disappointed about was we also reached out to Pastebin. And the RAT author has an active account over there that he's using to distribute CNC server information. That's still active. I mean, are there any, I'm thinking of behavioral detection. If I have this running on my system, are the usual things that will look for strange data leaving my system, looking for strange uses of the camera, the microphone, and so forth,
Starting point is 00:14:42 are they going to nab this sort of thing? Yeah, having a good heuristic detection, things like looking at the process tree. But again, just relying on something that's sitting on the host where this RAT is running, I would say that's a hit-or-miss situation. So you should have something sitting on the network that is also inspecting the traffic going back and forth from the compromised system.
Starting point is 00:15:09 I think, you know, there's sort of, as you all point out in your report, that there's sort of a delicious irony that these folks who are looking to distribute these RATs are themselves being the victims of someone else who's up to no good. Yeah, exactly. It is definitely an irony that we're seeing the second level guys being duped by the first level guy, and they're doing all the dirty work and they don't even know that they're doing it for someone else. Our thanks to Deepen Desai from Zscaler for joining us. You can find their complete report on the Cobian RAT on Zscaler's website. Cyber threats are evolving every second, and staying ahead is more than just a challenge. It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide.
Starting point is 00:16:14 ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default-deny approach can keep your company safe and compliant. The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.
