Those looking on the dark web for malware capable of hijacking computers might have thought they were getting a bargain when a free trojan appeared on various online souks over the past few months.
The malware generator, dubbed the Cobian remote access trojan (RAT) by researchers at security shop Zscaler, is a fairly elemental bit of code and is based around the njRAT that surfaced around four years ago. It comes with all the usual bells and whistles – a keylogger, webcam hijacker, screen capturing and the ability to run your own code on an infected system.
But the Cobain RAT also has a secondary payload built in, hidden in an encrypted library. Once activated, it allows the original author of the malware to take control of any computers infected by the attack code and, if necessary, cut off the criminal who caused the infection in the first place.
"It is ironic to see that the second level operators, who are using this kit to spread malware and steal from the end user, are getting duped themselves by the original author," said Zscaler's advisory on Thursday. "The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second level operators' Botnet."
The secondary payload communicates with a preset page on Pastebin to get the current address of the command and control servers run by the original writer. But the malware checks first to see if the second level operator is online, in which case it keeps quiet to avoid detection.
It's likely the original author won't automatically cut off the second level operator for fear of alerting that person. Instead it's in the author's interests to encourage as many infections as possible and to run a massive botnet without the bother of distributing the malware necessary to build a zombie army.
It's a logical thing to do when you think about it, and the thought of all those lower-level malware operators doing the hard work for nothing won't exactly bring salt tears to our eyes. ®