Malware Developers Tricked Operators to do the Dirty Work

Wannabe cyber criminals are now able to easily procure malware from the dark web marketplaces. It has become quite easy nowadays. And cyber criminals don’t seem to need the technical expertise of malware code writers. Accessing through a Tor browser and loaded with some Bitcoins is enough to contact the malware providers. Malware creators are also offering malware in the same manner as software-as-a-service. Lately, cyber criminals have been subscribing to such services and using them to unleash attacks. However, it seems that the providers have actually been providing the software tools on a leash. They always seem to have had control of the malware.

Wannabe cyber criminals usually purchase keyloggers, screen capturing tools, webcam control tools, botnets and remote code execution software for their endeavors. The developers of the malware provide these with a catch – they would impregnate an extra piece of code that provides master control over the malware tool. Hence, when the wannabe successfully builds up a bot net network the ultimate control will be retained by the provider/creator.

Backdoored Remote Access Trojan

This malware with inbuilt control code has been named as “Cobian” by its discoverers. It is a remote access Trojan (RAT) – more specifically a backdoored RAT – that featured the theme of the njRAT. The builder of this code is offering this for free on underground forums which do raise some suspicion.

When the wannabe distributes the RAT payloads through emails to build the botnet, the hidden code draws command and control (C&C) information. Systems successfully infected by the wannabe communicates with a C&C server in control of the wannabe; However, the ultimate control rests with a C&C server controlled by the Cobian developer.

The malware developer expects the wannabe to do the hard work – build the RAT payload and then attempt spreading of the infections through spam emails, drive by downloads, etc…, Once the botnet has been developed, the developer can take over control of the all the systems on the bot net, and can even change the C&C server.

Subterfuge Among Cyber Criminals

The Cobian developers have provided an intelligent hiding mechanism for the code. In case the wannabe suspects and checks for any “extra code”, the hidden code stays dormant and would not execute itself. This feature is based on the surmise that the wannabe does the testing on a single system that acts as both server and client. The “extra code” goes into play only when the wannabe’s server interacts with a victim’s system (client).

This is an intelligent case of “wannabe’s” being “had”. However, the code and tool are quite good enough to fool even moderately skilled hackers.

Lesson for Wannabes

Free Malware code may have catches. You should ask the question: “Why is it free?”. Being a cyber criminal is a crime, and if you are OK to be “Used” then go ahead. However, the complex code would also be monitoring your system activities, and all your data is at risk. You should ponder: “May be it’s better to refrain from being a cyber criminal”.