
CobInt Trojan

The CobInt Trojan is a generic cyber-threat that shares many similarities with programs like Infostealer.Gampass and Infostealer.Serposteal. The CobInt Trojan is delivered to computers via phishing emails that may look like job applications, notifications from banks and delivery reports from online stores. Software vulnerabilities in the Microsoft Office package (CVE-2018-0802, CVE-2017-11882, and CVE-2017-8570) allow threat actors to use corrupted text files to install their malware on targeted machines.

The CobInt Trojan is developed by a known advanced persistent threat (APT) group called 'Cobalt.' Many AV developers track the 'Cobalt' group because it fills the niche of information collection in the malware landscape. The CobInt Trojan is one of the group's recent creations and is designed to evade AV scanners, collect personally identifiable information and online logins, and eventually drop other malware on infected machines. The CobInt Trojan is programmed to extract user logins from Chromium-based Internet clients (like Google Chrome, Torchlight, Yandex Browser, SRWare Iron), Mozilla Firefox, email managers like Thunderbird and instant messaging applications like Skype. The malware can gather IM messages and the bodies of sent and received emails. Also, CobInt may enable threat actors to access the compromised host, run programs, terminate running processes and download files from a remote server.

The CobInt Trojan may be disguised as a legitimate Windows service and remain undetected on Windows for an extended period. The CobInt Trojan can be executed with a delayed start, launching a few minutes after Windows has loaded to minimize the risk of being detected by AV tools. The CobInt Trojan can upload personal notes, login credentials and images stored on the local disk. The CobInt Trojan may install a keylogger module to record your input on Web pages of interest. It is recommended to remove the CobInt Trojan using help from a reputable anti-malware developer.
