Cobalt Removal Guide

Do you know what Cobalt is?

Some infections cannot be missed. Others are capable of hiding and concealing themselves. The devious Cobalt, unfortunately, belongs to the latter group, and it could be active on your operating system right now without you suspecting a thing. Once it slithers in, you are not alerted about it in any way. Of course, there are subtle signs that could help you figure out that something is not right, but, unfortunately, most users are careless and inexperienced, which makes identifying and uncovering malware that much more difficult. Our research team has thoroughly examined this threat, and we can help you understand it better. Of course, the purpose of this article is to help you delete Cobalt successfully, but it is also important to introduce you to this threat so that you can be more experienced and knowledgeable in the future. And if you are not sure whether you must remove the Trojan, we can assure you right away that doing so is crucial.

You need to inspect your operating system immediately if you have recently opened a suspicious file named “Изменения в системе безопасности.doc Visa payWave.doc” that appears to have been sent to you by VISA. Of course, it is not VISA who sent you this malicious file but cyber criminals. They pose as a reputable, well-known company just to trick you into opening the file without any hesitation. If you do that, you open a backdoor for the Cobalt Trojan to slither in. That would not be possible if your Microsoft Office software had been kept up to date. Outdated Office software contains a vulnerability (CVE-2017-11882) that is exploited to run JavaScript, which in turn downloads and runs a PowerShell script; that script is what eventually loads the Trojan. Other misleading emails could be sent in the future, but, right now, you need to beware of emails in Russian that are allegedly sent by VISA to provide you with information about the payWave service. Remove such emails right away, because clicking the malicious attachment once is enough to unleash the Trojan.

According to the latest information, once the malicious spam email attachment is opened, JavaScript is downloaded without the user noticing. It is executed using the legitimate Microsoft HTML Application Host, “mshta.exe”. A PowerShell script is then executed to download another script from a different source. You can find it installed as %APPDATA%\{unique name}.ps1. This PowerShell script should contain the Cobalt DLLs, which it loads directly into memory. The DLL itself is never downloaded as a separate file, which is how the threat avoids being detected and deleted before all of its malicious tasks have run. According to our research, the Cobalt Trojan works as a backdoor, which means that its operators can flood the infected operating system with other kinds of malware. This malware could be used to steal data, corrupt or delete files, or even hijack the system to spread malicious infections further. Needless to say, you want to remove Cobalt as soon as possible.

You can remove Cobalt using the instructions below, but if that is what you choose to do, we advise scanning the operating system as well, because it is possible that a number of other threats need to be deleted too. If you are determined to clean your system manually, be prepared for some challenging tasks. If you are not sure you have the right experience, install an anti-malware program to erase all existing infections for you. This is an ideal option because, by installing this program, you also guarantee full-time protection thereafter. Besides doing that, you also want to update your Microsoft Office and install all other available security updates, because you do not want cyber criminals to exploit known vulnerabilities again.

Delete Cobalt

  1. Tap Win+E to launch Explorer and then enter %APPDATA% into the address bar at the top.
  2. Delete the {unique name}.ps1 file responsible for the Trojan.
  3. Empty the Recycle Bin and then immediately perform a full system scan to check that the system is clean.
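As an added example that is not part of the original guide, the triage behind step 2 can be done from PowerShell: the script below lists every .ps1 file sitting directly in %APPDATA%, records its hash and creation time, and flags files that embed a large base64 blob or in-memory loading keywords. The heuristics are assumptions about what an in-memory DLL loader script looks like, not indicators from this write-up, and the script only reports; it deletes nothing.

```powershell
# Added triage helper (not from the original guide). Lists PowerShell scripts
# directly under %APPDATA%, the drop location described above, and flags the
# ones that look like in-memory DLL loaders. Reports only; deletes nothing.

$appData = [Environment]::GetFolderPath('ApplicationData')   # same folder as %APPDATA%

# Assumed heuristics: a long base64 run is how a loader script usually carries
# its DLL, and these keywords are common in scripts that decode and run it.
$base64Blob  = '[A-Za-z0-9+/]{500,}={0,2}'
$loaderHints = 'FromBase64String', 'Reflection.Assembly', 'VirtualAlloc', 'Invoke-Expression'

$findings = Get-ChildItem -Path $appData -Filter '*.ps1' -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        $hits = @()
        if ($content -match $base64Blob) { $hits += 'large-base64-blob' }
        foreach ($hint in $loaderHints) {
            if ($content -and $content.IndexOf($hint, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hits += $hint
            }
        }
        [PSCustomObject]@{
            Path       = $_.FullName
            SizeKB     = [math]::Round($_.Length / 1KB, 1)
            Created    = $_.CreationTime
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            Suspicious = ($hits.Count -gt 0)
            Reasons    = ($hits -join ', ')
        }
    }

if (-not $findings) {
    Write-Output "No .ps1 files found directly under $appData."
} else {
    $findings | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
}

# The guide notes that mshta.exe launches the downloaded JavaScript, so any
# mshta.exe instance still running is worth a look before cleanup.
Get-Process -Name mshta -ErrorAction SilentlyContinue |
    Select-Object Id, StartTime, Path
```

Review any flagged file before deleting it, and keep a copy of its hash so the full system scan in step 3 and your anti-malware vendor can be checked against it.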

In non-techie terms:

Cobalt is one of the most dangerous threats out there because, once it slithers in, cyber criminals can do whatever they want. They can install other infections, as well as use your operating system to spread malware further. The malicious Trojan is spread using a known Microsoft Office vulnerability, and, if the infection is not yet on your system, you must install the latest security updates as soon as possible. You need to take care of that even if the Trojan has already been found on your PC. Even though you might be able to delete Cobalt manually, we recommend installing anti-malware software because you need the full-time protection it can provide. Also, it is set up to automatically detect and remove all existing threats, so it can help you greatly.