A scam within a scam: New malware dupes crooks with unexpected backdoor

A few naive criminals thought they were downloading a good old-fashioned remote access trojan. Not so.

Meet the extraordinarily duplicitous Cobian RAT.

The remote access trojan debuted this year on numerous dark web black-market forums, where it was shared among users without a price tag. The no-cost RAT caught the eye of many would-be hackers who downloaded the malware unaware that Cobian is, according to new research, backdoored so that the original author controls everything no matter what the second-level malware operator does.

The findings help shed light on a specially tailored hacking campaign aimed at cybercriminals. Cybersecurity firm Zscaler published research Thursday outlining the scheme.

“User systems compromised by the malicious payload initially communicate with the [command and control] server configured by the second-level operator, but they get subsequent instructions to communicate with the original author’s [command and control],” the researchers wrote. “The original author is able to take full control of compromised systems, and, if he wishes, cut off all communications to the second-level malware operator.”

Cobian appears to be built on the leaked source code of njRAT, a four-year-old remote access trojan made by Arabic-speaking cybercriminals and most commonly spotted in the Middle East. It’s a popular if infamous family of malware that not only persists around the world but continues to be “very active,” according to 2016 research.

There are a lot of similarities between njRAT and Cobian from the control panel and features to the code itself. The source code from njRAT is publicly available and has given rise to multiple offspring. The unknown author of Cobian took advantage of the free and widely liked code in order to hoodwink a few hackers.

The original author lets the unsuspecting hackers, the second-level malware operators, download and spread Cobian infections through vectors like phishing. The original author can then take control of the machines compromised by those hackers as if they had done the work themselves.

“It’s ironic watching these second-level operators use the kit to propagate malware in order to steal from their victims, when, in fact, they themselves are being duped into doing the dirty work for the original author,” Zscaler researcher Deepen Desai explained. “The original author is essentially using a crowdsourced model for building a mega Botnet that leverages the second-level operators’ Botnet.”

So much for honor among black hats.