S0338 Cobian RAT
Cobian RAT is a backdoor, remote access tool that has been observed since 2016.1
| Item | Value |
|---|---|
| ID | S0338 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 January 2019 |
| Last Modified | 30 March 2020 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.004 | DNS | Cobian RAT uses DNS for C2.1 |
| enterprise | T1123 | Audio Capture | Cobian RAT has a feature to perform voice recording on the victim’s machine.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Cobian RAT creates an autostart Registry key to ensure persistence.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Cobian RAT can launch a remote command shell interface for executing commands.1 |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | Cobian RAT obfuscates communications with the C2 server using Base64 encoding.1 |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Cobian RAT has a feature to perform keylogging on the victim’s machine.1 |
| enterprise | T1113 | Screen Capture | Cobian RAT has a feature to perform screen capture.1 |
| enterprise | T1125 | Video Capture | Cobian RAT has a feature to access the webcam on the victim’s machine.1 |