
CobInt Trojan

Posted: September 14, 2018

CobInt is a classic Trojan associated with the so-called Cobalt malware family. CobInt is reportedly capable of sneaking its way to individuals as well as networked computer systems. CobInt's infiltration usually goes unnoticed, and affected users will likely remain unaware of the spying software working in the background on their machines unless they use a reputable AV service.

The vast majority of Trojans typically use a few common infection vectors, including but not limited to email and phishing tactics, software bundles, or Web scripts. CobInt is no exception. The Trojan apparently first came to prominence in August 2018, when security researchers identified a total of four spam email campaigns that secretly embedded CobInt in a corrupted MS document.

The campaigns in question exploited a few MS Office-related vulnerabilities, listed in the Common Vulnerabilities and Exposures (CVE) database as follows:

  • The Windows VBScript Remote Code Execution Vulnerability (CVE-2018-8174), which could potentially compromise system memory, allowing an outsider to execute arbitrary code and even attain administrator rights to take a firm grip on the targeted PC.
  • The Microsoft Office Remote Code Execution Vulnerability (CVE-2017-8570).
  • The Microsoft Office Memory Corruption Vulnerability (CVE-2018-0802).
  • Another Microsoft Office Memory Corruption Vulnerability (CVE-2017-11882).

The CobInt Trojan takes a three-pronged approach to infection: delivery of the payload, execution of the payload from a remote server to start collecting personal user data, and the activation of various supplementary tools. The latter may tamper with Windows Registry settings or even impede System Restore.
