Cobian RAT

Cobian RAT is a backdoor, remote access tool that has been observed since 2016.[1]

ID: S0338
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1071 .004 Application Layer Protocol: DNS

Cobian RAT uses DNS for C2.[1]

Enterprise T1123 Audio Capture

Cobian RAT has a feature to perform voice recording on the victim’s machine.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cobian RAT creates an autostart Registry key to ensure persistence.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Cobian RAT can launch a remote command shell interface for executing commands.[1]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Cobian RAT obfuscates communications with the C2 server using Base64 encoding.[1]

Enterprise T1056 .001 Input Capture: Keylogging

Cobian RAT has a feature to perform keylogging on the victim’s machine.[1]

Enterprise T1113 Screen Capture

Cobian RAT has a feature to perform screen capture.[1]

Enterprise T1125 Video Capture

Cobian RAT has a feature to access the webcam on the victim’s machine.[1]

References