
DarkComet RAT – A Remote Access Tool Lets Attackers Remotely Control Windows

Apr 08, 2026

DarkComet is a stealthy Remote Access Trojan (RAT) that silently infiltrates Windows systems and steals sensitive data such as credentials. It also acts as a backdoor, letting attackers install further malware and control infected machines for other malicious activity.

DarkComet is a Remote Access Trojan (RAT) created in 2008 by Jean-Pierre Lesueur. The malware can disable antivirus programs, install additional malicious software, or recruit infected machines into botnets for further attacks. Symptoms of infection are often hidden from the user.

Technical Analysis

Its user-friendly interface contributed to its widespread use. The malware disables security measures to remain undetected and is commonly distributed through bundled software, disguised emails, or exploited website vulnerabilities.

[Image: Malicious domain displayed inside the sandbox]

It uses several techniques to evade detection and establish remote control. Analysis shows the malware modifies file attributes using the attrib command, potentially marking its own copy as a hidden system file, and drops its executable in a non-obvious location (e.g., C:\Users\admin\Documents\MSDCSC\msdcsc.exe).

It also calls Windows APIs to manipulate its process token privileges, potentially elevating its access and control over the infected system. Once established, it communicates with a predefined malicious domain for remote control and data exfiltration.

[Image: Modification of process privileges]

DarkComet gathers detailed system information, calling the GetCurrentHwProfileA API to identify the hardware profile and docking status and reading the date, time, and location settings from the registry.

[Image: Processed campaign name]

It infiltrates systems by dropping and executing a copy of itself in a user-specific directory. To persist, it adds registry entries that ensure the copy runs automatically at system startup.

Once installed, it uses system-level functions to simulate user input, capture keystrokes, and exfiltrate sensitive data. By injecting mouse and keyboard events and intercepting clipboard content, DarkComet quietly controls infected systems, posing a significant security threat.
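The attrib command, the MSDCSC\msdcsc.exe drop path, the registry autorun entry and the privilege/hardware-profile API calls described above are concrete artefacts a sandbox report exposes. The following is an added example (not code from the article, from ANY.RUN, or from DarkComet) that turns them into triage rules and runs them over constructed JSON-lines events. The event schema, the PIDs, the Run value name "WinUpdate" and the benign notepad event are assumptions made for the example, not ANY.RUN's real report format.

```python
"""Triage rules for the DarkComet behaviours described above.

Added example, not code from the article, ANY.RUN or DarkComet. The event
schema (type/pid/image/cmdline/path/key/value/data/name) is an assumption
made for this example, not ANY.RUN's report format.
"""
import json
import re
from typing import Iterable

# Constructed sandbox events, one JSON object per line. PIDs, the Run
# value name "WinUpdate" and the benign notepad event are made up.
SAMPLE_EVENTS = r"""
{"type": "process", "pid": 1304, "image": "C:\\Users\\admin\\Desktop\\invoice.exe", "cmdline": "\"C:\\Users\\admin\\Desktop\\invoice.exe\""}
{"type": "file_write", "pid": 1304, "path": "C:\\Users\\admin\\Documents\\MSDCSC\\msdcsc.exe"}
{"type": "process", "pid": 1320, "parent": 1304, "image": "C:\\Windows\\System32\\attrib.exe", "cmdline": "attrib +s +h \"C:\\Users\\admin\\Documents\\MSDCSC\\msdcsc.exe\""}
{"type": "registry_set", "pid": 1304, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "WinUpdate", "data": "C:\\Users\\admin\\Documents\\MSDCSC\\msdcsc.exe"}
{"type": "api", "pid": 1340, "name": "AdjustTokenPrivileges"}
{"type": "api", "pid": 1340, "name": "GetCurrentHwProfileA"}
{"type": "process", "pid": 1400, "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

# Drop location named in the article (matches under any user profile).
DROP_PATH = re.compile(r"\\MSDCSC\\msdcsc\.exe$", re.IGNORECASE)
# Autorun keys commonly used for startup persistence.
RUN_KEY = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce|Policies\\Explorer\\Run)$",
    re.IGNORECASE,
)
# API calls the article associates with DarkComet; the exports are real
# Win32 names, the rule labels are ours.
API_RULES = {
    "AdjustTokenPrivileges": "token_privilege_change",
    "GetCurrentHwProfileA": "hardware_profile_fingerprint",
}


def attrib_hides_as_system(cmdline: str) -> bool:
    """True when the command line is attrib setting both +s and +h."""
    tokens = cmdline.lower().split()
    if not tokens:
        return False
    exe = tokens[0].strip('"')
    if exe != "attrib" and not exe.endswith("\\attrib.exe"):
        return False
    return "+s" in tokens and "+h" in tokens


def triage(lines: Iterable[str]) -> list[dict]:
    """Apply the rules to JSON-lines events; one hit per matching event."""
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        kind = ev.get("type")
        rule = None
        if kind == "process" and attrib_hides_as_system(ev.get("cmdline", "")):
            rule, detail = "attrib_hidden_system", ev["cmdline"]
        elif kind == "file_write" and DROP_PATH.search(ev.get("path", "")):
            rule, detail = "msdcsc_drop_path", ev["path"]
        elif (kind == "registry_set" and RUN_KEY.search(ev.get("key", ""))
              and DROP_PATH.search(ev.get("data", ""))):
            rule, detail = "run_key_persistence", f'{ev["key"]}\\{ev["value"]} = {ev["data"]}'
        elif kind == "api" and ev.get("name") in API_RULES:
            rule, detail = API_RULES[ev["name"]], ev["name"]
        if rule:
            hits.append({"pid": ev.get("pid"), "rule": rule, "detail": detail})
    return hits


def darkcomet_like(hits: list[dict]) -> bool:
    """Verdict: the dropped copy was written to the known path and set to autorun."""
    rules = {h["rule"] for h in hits}
    return {"msdcsc_drop_path", "run_key_persistence"} <= rules


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS.splitlines())
    for h in found:
        print(f'pid {h["pid"]:>5}  {h["rule"]:<28} {h["detail"]}')
    print("DarkComet-like:", darkcomet_like(found))
```

The verdict deliberately requires two independent artefacts (the drop path plus an autorun entry pointing at it) rather than a single attrib call, since attrib +s +h on its own also appears in legitimate installers; the API hits are kept as supporting evidence for the analyst, not as a verdict on their own.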

[Image: Retrieving information about displays connected to the system]

DarkComet is controlled by a command-and-control (C2) server that sends precise instructions to the infected system, enabling the attacker to carry out a range of malicious activities.

These commands can be used to steal data from the system, modify its settings, or deploy additional malware. Security experts can gain valuable insights into the attacker’s goals and methods by analyzing these commands.
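Analysing the commands presupposes being able to read them off the wire. The following is an added example (not code from the article, from ANY.RUN, or from DarkComet) that decodes DarkComet-style C2 messages: each message is RC4-encrypted and sent as an uppercase hex string, with the key formed from a version-specific prefix plus the operator's password. The prefix "#KCMDDC51#-890" is the default published for 5.x builds and the handshake strings (IDTYPE, SERVER, GetSIN) come from public analyses; both are assumptions here rather than facts the article states, and the captured exchange is constructed in the block itself.

```python
"""Decode DarkComet-style C2 messages.

Added example, not code from the article, ANY.RUN or DarkComet itself.
DarkComet encrypts every C2 message with RC4 and sends the ciphertext as
an uppercase hex string; the key is a version-specific prefix followed by
the operator's password (empty by default). KEY_PREFIX below is the
default published for 5.x builds and is an assumption here: replace it
with the key recovered from the sample's configuration.
"""
from typing import Optional

KEY_PREFIX = "#KCMDDC51#-890"  # assumed 5.x default, see docstring


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def darkcomet_key(password: str = "", prefix: str = KEY_PREFIX) -> bytes:
    """Key = prefix + builder password, as a byte string."""
    return (prefix + password).encode("latin-1")


def encode_message(plaintext: str, key: bytes) -> str:
    """What the implant or controller puts on the wire: RC4, then hex."""
    return rc4(key, plaintext.encode("latin-1")).hex().upper()


def decode_message(hex_payload: str, key: bytes) -> Optional[str]:
    """Hex-decode and RC4-decrypt one message.

    Returns None when the payload is not hex or the result is not printable
    ASCII, which is what a wrong key or password typically produces.
    """
    try:
        raw = bytes.fromhex(hex_payload.strip())
    except ValueError:
        return None
    plain = rc4(key, raw)
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        return None
    return plain.decode("ascii")


# Constructed exchange. The handshake strings (IDTYPE / SERVER / GetSIN)
# follow public analyses of DarkComet and are assumptions, not something
# the article states; the IP and counter after GetSIN are made up.
KEY = darkcomet_key()
CONSTRUCTED_CAPTURE = [
    ("c2->victim", encode_message("IDTYPE", KEY)),
    ("victim->c2", encode_message("SERVER", KEY)),
    ("c2->victim", encode_message("GetSIN192.0.2.10|1234", KEY)),
]


def decode_capture(capture, key: bytes) -> list:
    """Decrypt every (direction, hex) pair; None marks undecodable payloads."""
    return [(direction, decode_message(payload, key)) for direction, payload in capture]


if __name__ == "__main__":
    for direction, msg in decode_capture(CONSTRUCTED_CAPTURE, KEY):
        print(f"{direction:>11}: {msg}")
```

Because a wrong password turns the short first message into non-printable bytes rather than a plausible command, feeding the controller's opening message through decode_message with a list of candidate passwords is a quick way to recover the password before decoding the rest of a capture.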

[Image: Module handle retrieval for DLL]


Its versatility, including its ability to manipulate system settings, simulate user input, and manage services, makes it a powerful tool for attackers. The malware’s ease of use and rich feature set have contributed to its widespread deployment, especially in targeted cyberattacks.


Source: CybersecurityNews.com
