WebCobra
WebCobra is a crypto-jacking Trojan that hijacks the PC to generate cryptocurrency. WebCobra differs from a cryptocurrency miner in that it does not perform the mining itself; instead, it has a flexible payload for running different mining software in various environments. This Trojan can indirectly cause significant performance and hardware longevity issues, and users should have their anti-malware products delete WebCobra and its associated miners on sight.
A Snake that's Loaded with Two Poison Kinds
With cryptocurrency's general value rising, it's natural for threat actors to take more interest in deploying campaigns that profit from generating it. WebCobra is one of the deployment methods that they might use: a crypto-jacking Trojan that doesn't make currency itself but sets up another threat for doing so. Currently, malware experts are seeing only two notable variations in how WebCobra does so, which it chooses depending on the environment that it's infecting.
The setup stage for WebCobra opens a password-protected archive, a DLL file (related to the payload's obfuscation), and a BIN with the primary payload. Besides employing a series of traditional anti-analysis protections to keep security researchers from examining it, WebCobra also identifies the environment as either x86 or x64. WebCobra uses a completely different mining mechanism for each version of the operating system:
- For x86 systems, WebCobra injects the code for the Cryptonight miner into a svchost.exe process, which runs automatically and uses the majority of the PC's CPU resources for creating cryptocurrency.
- For x64 systems, WebCobra downloads the Claymore Zcash miner from a C&C server and launches it remotely. WebCobra only drops this threat onto systems with specific graphics processing units, including Asus, Nvidia and Radeon brands.
In some cases, malware experts are confirming WebCobra's limited capacity for uninstalling some of its own dropping components to disguise the infection's presence on the PC, but victims shouldn't rely on such features for their computer's safety.
Tracing the Tracks of Serpentine Trojans
WebCobra's development team is likely Russian, but active attacks using it against the public aren't limited to that region of the world. Instead, malware analysts are verifying noteworthy infection rates throughout the United States, South Africa and Brazil. The infections use Potentially Unwanted Programs (PUPs) with modified installation routines for dropping WebCobra, along with any other programs, such as toolbars, adware, gaming applications, or Web-browsing extensions. The user's best symptom for noticing the attack is the long-term instability and performance problems that most cryptocurrency miners provoke.
In the long term, WebCobra infections could cause failures of the central processing unit and other hardware by overusing them continuously. However, regarding its UI, WebCobra shows no windows or other self-evident signs of being an active program. Let your traditional anti-malware solutions isolate and remove WebCobra, along with any unwanted installed miners, as soon as possible.
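A triage check for the x86 behaviour described above (mining code injected into svchost.exe, heavy CPU use, no visible window), given here as an added example that is not part of the original article: it flags svchost.exe instances whose CPU stays high across consecutive samples. The telemetry format, the 60% threshold and the four-sample window are assumptions made for the illustration.

```python
"""Added example: hunt for svchost.exe instances with sustained high CPU."""

# Constructed telemetry, one process per line: pid, image path, then CPU %
# (share of total machine capacity) sampled at a fixed interval (assumed 30 s).
SAMPLES = r"""
812,C:\Windows\System32\svchost.exe,2 3 85 4 2 3
1440,C:\Windows\System32\svchost.exe,88 91 90 87 92 89
2096,C:\Windows\System32\svchost.exe,90 92 10 91 93 88
5020,C:\Games\game.exe,95 96 94 95 97 95
"""

CPU_THRESHOLD = 60.0  # assumed stand-in for "the majority of the CPU"
MIN_RUN = 4           # assumed: consecutive hot samples before alerting


def longest_hot_run(series, threshold):
    """Length of the longest unbroken streak of samples at or above threshold."""
    best = run = 0
    for cpu in series:
        run = run + 1 if cpu >= threshold else 0
        best = max(best, run)
    return best


def find_suspect_svchost(text, threshold=CPU_THRESHOLD, min_run=MIN_RUN):
    """Return {pid: longest_hot_run} for svchost.exe processes that stay hot.

    A short spike (service start, update check) resets the streak and is
    ignored; other busy programs are out of scope for this check.
    """
    suspects = {}
    for line in text.strip().splitlines():
        pid, image, cpu_field = line.split(",", 2)
        if image.rsplit("\\", 1)[-1].lower() != "svchost.exe":
            continue
        series = [float(v) for v in cpu_field.split()]
        streak = longest_hot_run(series, threshold)
        if streak >= min_run:
            suspects[int(pid)] = streak
    return suspects


if __name__ == "__main__":
    for pid, streak in find_suspect_svchost(SAMPLES).items():
        print(f"svchost.exe pid {pid}: {streak} consecutive samples >= {CPU_THRESHOLD}%")
```

A hit is a lead for an anti-malware scan of that host rather than a verdict, since legitimate services hosted in svchost.exe can also run hot for a while.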
WebCobra comes with two attack tactics for two kinds of PCs and shows how criminals don't need to be highly specific about whom they're harming. Chances are good that, no matter what kind of OS you're running, some threat actor is interested in exploiting it for money.