Darkcomet Rat Legacy 5.4.1.f


Traful Stakelbeck

Jul 14, 2024, 6:30:13 AM7/14/24
to tendenige

While doing some additional research on DarkComet, I came across an interesting comment on Malwarebytes Unpacked. A smartass was advertising the DarkComet RAT 6 Legacy. Knowing that 5.4.1 is the last version, I decided to check that download out.

The DarkComet-RAT-6 legacy.exe file has a ZIP icon, and the file Properties show that this is an SFX ZIP archive (a self-extracting ZIP archive, in other words). The size of the SFX module is 659,092 bytes.

Download File https://tinurli.com/2yMOKI

The purpose of a self-extracting archive is to automatically extract the content of the archive. The downside of running self-extracting archives from unknown sources is that they may pose a security risk: an executable file described as an SEA could actually be a malicious program.

The normal size of the legit SFX module is 156,672 bytes, while in DarkComet-RAT-6 legacy.exe it is 659,092 bytes, pretty much the size of keygen active.exe. Not to mention that both files have the same properties.

Over the past two months there seems to be an increase in Macro Viruses. Microsoft Office programs have always been among the most vulnerable targets since the very first Macro Virus, WordMacro/DMV, appeared 20 years ago. WordMacro/DMV was the...

While sometimes cracked software turns out to be totally innocent despite the antivirus results, other patches and cracks used to avoid buying a license for the program will put your personal information and computer at high risk. Today...

DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur (known as DarkCoderSc[2]), an independent programmer and computer security coder from France. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012. The program was discontinued, partially due to its use in the Syrian civil war to monitor activists but also due to its author's fear of being arrested for unnamed reasons.[1] As of August 2018, the program's development "has ceased indefinitely", and downloads are no longer offered on its official website.[3]

DarkComet allows a user to control the system with a graphical user interface. It has many features which allow a user to use it as an administrative remote help tool; however, DarkComet has many features which can be used maliciously. DarkComet is commonly used to spy on victims by taking screen captures, key-logging, or password stealing.

In 2014 DarkComet was linked to the Syrian conflict. People in Syria began using secure connections to bypass the government's censorship and the surveillance of the internet. This caused the Syrian Government to resort to using RATs to spy on its civilians. Many believe that this is what caused the arrests of many activists within Syria.[1]

The RAT was distributed via a "booby-trapped Skype chat message" which consisted of a message with a Facebook icon which was actually an executable file that was designed to install DarkComet.[4] Once infected, the victim's machine would try to send the message to other people with the same booby-trapped Skype chat message.

In the wake of the January 7, 2015, attack on the Charlie Hebdo magazine in Paris, hackers used the "#JeSuisCharlie" slogan to trick people into downloading DarkComet. DarkComet was disguised as a picture of a newborn baby whose wristband read "Je suis Charlie." Once the picture was downloaded, the users became compromised.[6] Hackers took advantage of the disaster to compromise as many systems as possible. DarkComet was spotted within 24 hours of the attack.

DarkComet, like many other RATs, uses a reverse-socket architecture. The uninfected computer with a GUI enabling control of infected ones is the client, while the infected systems (without a GUI) are servers.[7]

When DarkComet executes, the server connects to the client and allows the client to control and monitor the server. At this point the client can use any of the features which the GUI contains. A socket is opened on the server and waits to receive packets from the controller, and executes the commands when received. In some cases, the malware may use system utilities to evade detection and gain persistence. For example, it can employ the T1564.001 technique by starting attrib.exe through cmd.exe to hide the main executable.

The following list of features is not exhaustive but includes the critical ones that make DarkComet a dangerous tool. Many of these features can be used to completely take over a system and give the client full access once granted via UAC.

DarkComet is a widely known piece of malware. If a user installs an antivirus, or a darkcomet remover, they can un-infect their computer quickly. Its target machines are typically anything from Windows XP, all the way up to Windows 10.

When a computer is infected, it tries to create a connection via socket to the controller's computer. Once the connection has been established, the infected computer listens for commands from the controller; if the controller sends out a command, the infected computer receives it and executes whatever function is sent.

This post is the first in a new series titled Examining the Cybercrime Underground. Each post will delve into different aspects of how cybercriminals operate, using current examples of tools and techniques. What are their tools of the trade? How do they get them? How do they overcome challenges posed by security and anti-fraud systems? How do criminals profit from scams and turn stolen data into cash? Answering these questions will help readers better understand one of their primary cyberadversaries and use that knowledge to better protect their networks.

Knowing this, let's look at a common attack scenario used by cybercriminals. Cybercriminals often use Remote Administration Tools (RATs) to steal online banking credentials, credit card numbers, personal data, or other valuable pieces of information. One of the oldest and most widely used RATs is DarkComet. This tool lets criminals perform a variety of functions including:

This person mentioned that in the past he worked for Cheetah Mobile (the number two Internet and mobile security company in China, which is not related to this crypter in any way). But we can assume the developer's security knowledge and experience were used to develop this crypter.

In another attack, the attacker sent the spear phishing mail under a stolen identity, "GPS Trading" company founder and CEO, Mr. Panos Dimitriadis. The attachment name is Quotation_inquiry.scr (also sent to import[at]gpstrading.com).

The SFX contains a lot of junk commands (for bypassing legacy security solutions), but in the middle it hides the command to auto-execute dmpbr.exe with the parameter dhwdv.gko. This is one of the files in the SFX.

We successfully de-obfuscated the final script. For example, all strings, internal AutoIt functions, and Windows API functions used by the crypter are obfuscated with a simple but working algorithm (reverse the hex bytes and decode them to ASCII strings).

It decrypts DarkComet with the RC2 decryption algorithm in memory, checks the registry for the default browser, creates the browser process suspended, writes DarkComet into the verified, signed browser process, uses SetThreadContext to change the execution flow to the injected code, resumes the process, and deletes itself.

We suspect we found a bug in the anti-emulator code. It works by opening mshta.exe seven times and killing it and then loops until those processes are killed, but it is unclear why the author assumes that will protect him from emulators.

The goal of a spear phishing attack is to gain access to sensitive information such as credentials or compromise valuable data. This can be done purely through solicitation or through further methods of compromise such as embedding malware into a targeted system.

Whaling is a heavily targeted phishing attack in which an attacker attempts to phish a high ranking official, often chief executives. These social engineering cyber-attacks contain information that is highly personalized to the intended target to encourage them to click a link that will download malware, transfer funds to the attacker, or share details that can facilitate further attacks. The effects of a successful whaling attack can be devastating, including data loss, financial loss, and reputational damage.

Security Awareness Training: Organizations should implement security awareness training to keep their employees up to date on the best practices to avoid cyber risk. This involves educating users on how to recognize and avoid phishing attacks, how to create strong passwords, know what information is safe to share with people outside the company, and other practices.

Advanced email solutions: Traditional legacy systems are not adept at fighting spear phishing attacks, because these attacks use social engineering and other techniques (spoofed domains in their links, hidden macros in legitimate-looking attachments, and an ongoing chain of communication to build association). These are unlikely to be registered as malicious by the rules and signatures of a legacy gateway. To fight back efficiently and successfully against spear phishing attacks, organizations should consider implementing advanced email security solutions.

Through its unique understanding of you, rather than knowledge of past attacks, Darktrace/Email stops the most sophisticated and evolving email security risks like generative AI attacks, BEC, account takeover, human error, and ransomware.

AI can also use real-time data to identify and respond to threats quickly, minimizing the potential damage and saving time for security teams who usually have to parse through a high number of flagged emails.

One of the key benefits of integrated cloud email security and AI email security is that it can detect threats that may go unnoticed by traditional security systems, which often rely on pre-defined rules and patterns to identify threats. With AI, email security can continuously learn and adapt, providing more comprehensive protection against previously unknown email-based attacks.

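The post describes the crypter's string obfuscation as "reverse the hex bytes and decode them to ASCII". The following is an added example, not code from the post or from the crypter's authors, of how an analyst would undo that scheme over an AutoIt-style script. It assumes the bytes (not the hex characters) are stored in reverse order and that the script calls a decoder helper, here named d(); the sample script is constructed.

```python
import re
from typing import List, Optional

# Quoted literal made only of hex byte pairs, at least two bytes long.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){2,})"')


def decode_reversed_hex(blob: str) -> Optional[str]:
    """Un-hex the literal, reverse the byte order and decode as ASCII.
    Returns None when the literal is not obfuscated text (non-hex,
    non-ASCII or non-printable bytes), so such literals are left alone."""
    try:
        text = bytes.fromhex(blob)[::-1].decode("ascii")
    except ValueError:  # odd length, non-hex digit or non-ASCII byte
        return None
    return text if text.isprintable() else None


def deobfuscate_script(src: str) -> str:
    """Replace every decodable hex literal with its plaintext so the
    script can be read; undecodable literals are kept verbatim."""
    def swap(m: "re.Match") -> str:
        text = decode_reversed_hex(m.group(1))
        return m.group(0) if text is None else '"%s"' % text
    return HEX_LITERAL.sub(swap, src)


def decoded_strings(src: str) -> List[str]:
    """Only the recovered strings, e.g. API names for triage."""
    found = []
    for m in HEX_LITERAL.finditer(src):
        text = decode_reversed_hex(m.group(1))
        if text is not None:
            found.append(text)
    return found


# Constructed sample (not the real crypter script); d() is the assumed
# decoder helper name. "0000" decodes to NUL bytes and must survive.
SAMPLE_SCRIPT = """; constructed sample
Local $lib = d("6C6C642E32336C656E72656B")
Local $fn = d("636F6C6C416C617574726956")
$r = Execute(d("6C6C61436C6C44") & "($lib, 'ptr', $fn)")
Local $pad = "0000"
"""

if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))
```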
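The post notes that DarkComet can hide its main executable (T1564.001) by launching attrib.exe through cmd.exe. As an added example that is not part of the post, this is the detection logic a defender would run over process-creation telemetry: flag attrib.exe spawned by cmd.exe that sets the hidden attribute on an executable. The Sysmon-style key=value event lines and the file path are constructed.

```python
import re
from typing import Dict, List

# key=value fields, where a value may be quoted to allow spaces.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    r'Image=C:\Windows\System32\attrib.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="attrib +h +s C:\Users\victim\AppData\Roaming\updater.exe"',
    r'Image=C:\Windows\System32\attrib.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="attrib +r C:\docs\report.docx"',
    r'Image=C:\Windows\System32\attrib.exe ParentImage=C:\Windows\System32\cmd.exe '
    r'CommandLine="attrib +h C:\Users\victim\private"',
    r'Image=C:\Windows\System32\cmd.exe ParentImage=C:\Windows\explorer.exe '
    r'CommandLine="cmd.exe /c dir"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key=value line into a dict (quoted or bare values)."""
    return {k: (q or u) for k, q, u in FIELD.findall(line)}


def hidden_exe_target(ev: Dict[str, str]) -> str:
    """Return the executable path attrib.exe hid when launched via cmd.exe
    with +h; empty string when the event does not match the technique."""
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    if not (image.endswith("\\attrib.exe") and parent.endswith("\\cmd.exe")):
        return ""
    tokens = ev.get("CommandLine", "").split()[1:]  # drop the program name
    flags = {t.lower() for t in tokens if t[0] in "+-"}
    target = " ".join(t for t in tokens if t[0] not in "+-")  # path may hold spaces
    # Hiding a data folder is a common admin action; hiding an .exe is the signal.
    if "+h" in flags and target.lower().endswith(".exe"):
        return target
    return ""


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the rule over many events and collect the findings."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        target = hidden_exe_target(ev)
        if target:
            hits.append({"parent": ev["ParentImage"], "hidden": target})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("T1564.001 candidate:", hit)
```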