Home > Cyber News > Cobian Trojan Detected in Ongoing Hacker Attacks

Cobian Trojan Detected in Ongoing Hacker Attacks

Cobian Trojan image

Security researchers uncovered the Cobian Trojan which is an advanced computer virus capable of infiltrating whole computer networks. It appears that it is being spread in a series of hacker attacks attempting to compromise machines worldwide.

Cobian Trojan Delivered in Series of Attacks

An advanced computer virus called the Cobian Trojan has been spotted in a worldwide hacker attack. The security experts that have announced the discovery note that it is very similar to a worm family that has been active since 2013. It is likely that some of the code base is shared with this older threat making the Trojan a somewhat easier target to analyze.

During the investigation it was revealed that the Cobian virus code is being offered on several underground hacker markets for free. This is probably the reason why it has gained popularity among several criminal groups. An interesting design is the fact that the builder kit itself contains a backdoor module that retrieves the information about the C&C host from a predefined address. This effectively means that the attacks are carried out in a several tier sequence:

  • The hackers that are controlling the Cobian Trojan attempt to infiltrate the targets using different methods ‒ vulnerability testing, payload insertion, social engineering and others. The goal is to break through the security of the users systems, implant and activate the malware code.
  • Once the infection have been reported the internal virus module reports the infection to the C&C servers operated by the Cobian Trojan developer and not the hacker operatives.
  • The virus reports to the hacker operators that the machine has been contaminated.

In essence this allows a sense of privacy protection for the hacker operators as they do not need to create their own network infrastructure. This tactic can be used to divert the attention from the criminal operators to the original Trojan developer.

NOTE: It is also possible for the Trojan developer to completely take over the hacker operations from the attackers themselves.

As a consequence of one such attack the victim computers and data may be in the hands of two completely different entities ‒ the original hackers or the group or individual behind the code itself.

Related Story: The Many Faces of the Jimmy Nukebot Trojan

Cobian Trojan Mechanism of Intrusion

The Cobian Trojan can spread to victim computers via various ways. One of the most popular tactics is to use social engineering tricks and attempt to confuse the victims into infecting themselves with the Cobian virus samples. This is usually done by sending out email messages containing links or attachments containing the dangerous files. The emails themselves pose as being sent by companies, government institutions or organizations. The files themselves may be disguised as documents, letters or other attachments that may be of interest to the recipients. Advanced strains can be inserted as scripts in contaminated documents or software installers.

  • Contaminated Documents ‒ The Cobian Trojan is installed onto the victim machines using scripts that are embedded in popular document formats. Usually this includes spreadsheets, rich text documents and databases.
  • Infected Software Installers ‒ The hacker operators take legitimate download installers from vendors of popular free or trial applications and create bundles that are then distributed on fake download sites. Depending on the configuration the users may be able to evade an infection by unchecking certain checkboxes or options during the installation process if the virus sample is set up as an optional component.

The hacker operators can also create fake download portals where they can distribute the virus strains using the infected software bundles or other payload containers. Redirects and dangerous ads can redirect to such sites that often use images and text that mimics the legitimate sites.

Browser hijackers are another useful tool used by the hackers to spread the Cobian Trojan. They are malicious browser extensions that are usually made for the most popular software: Mozilla Firefox, Google Chrome, Internet Explorer, Opera, Safari and Microsoft Edge. Once installed they redirect the victims to a hacker-controlled page (usually a fake download page or search engine) that contains a multitude of malware. The users will also find that important configuration is changed by the malware: default home page, new tabs page and search engine. In addition the majority of the browser hijacker also invade the privacy of the victims by sending the following private data of the victims: bookmarks, history, passwords, form data, account credentials and settings.

Collected samples associated with the ongoing attacks have been associated with infected Microsoft Excel spreadsheets. They are signed with a fake digital certificate that pretends to be issued by the VideoLAN team, developers of the popular VLC media player. Once the victims interact with the file it is unpacked and decrypted on the local machine. Depending on the configuration issued by the hackers the virus may execute a predefined sequence. Otherwise it follows the standard procedures as defined by the developer.

Cobian Trojan image

Capabilities of the Cobian Trojan

Once the Cobian virus has infiltrated a computer it starts to to run a series of commands that seek to modify the system in a way that makes it possible for the virus to gain a persistent state of execution. This effectively prevents manual user removal.

Effectively Removal of advanced threats like this one can only be done using a professional-grade anti-spyware tool.

The Cobian Trojan is able to institute a powerful keylogger module that can retrieve keystrokes and all mouse movements. Such techniques allow the criminals to harvest user credentials in a very efficient and covert way. In addition the Cobian virus can initiate arbitrary screenshots generation which is useful when the users login into certain online banking services.

Surveillance is instituted as the criminals can enable webcam and voice recording at will. This is done in order to gather personal information, gain insight into the users habits and learn about their environment. The collected information on the victims can then be sold on various hacker underground markets.

If any valuable information is suspected then the hackers can download files using a secure connection. The Cobian Trojan core can be updated using dynamic plugins that can be loaded by the operators. Another important feature that is found on advanced strains is a killswitch ‒ a command that allows the Cobian Trojan to be removed completely from the systems to avoid detection.

Cobian is rated as an extremely dangerous virus that can only be removed using a quality anti-spyware utility. We recommend that you scan your system with a trusted solution that is able to both protect you from incoming attacks and remove found infections using a few mouse clicks.


Malware Removal Tool

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share