DarkComet Malware Resurgence Highlights Growing Cybersecurity Concerns
Threat Group: DarkComet (a.k.a. Fynloski, Breut, Krademok)
Threat Type: Remote Access Trojan (RAT)
Exploited Vulnerabilities: Phishing, drive-by downloads, and unpatched software vulnerabilities (initial access); registry modifications (persistence)
Malware Used: DarkComet RAT (Versions 5.3.1, other variants)
Threat Score: High (8.5/10)
Last Threat Observation: October 23, 2024
Overview
DarkComet RAT is a sophisticated and powerful Remote Access Trojan that enables attackers to gain complete control over an infected system. Originally developed for legitimate purposes, it has been repurposed for malicious activity by cybercriminals. This RAT can capture keystrokes, remotely manipulate files, and spy on users via webcams and microphones, making it a formidable tool for cyberattacks. Its ability to persist through registry modifications and operate stealthily makes it particularly challenging to detect and remove.
Key Details
Delivery Method: Phishing emails, drive-by downloads, and USB devices
Target: Primarily Windows-based systems
Functions:
- Full remote desktop control
- Keystroke logging for password theft
- Webcam and microphone spying
- File manipulation (upload/download)
- Registry modifications for persistence
- Privilege escalation
Obfuscation: DarkComet evades detection by manipulating file attributes, using stealthy installation methods, and altering system settings for persistence.
Attack Vectors
DarkComet RAT spreads mainly through phishing emails that lure victims into downloading malicious attachments or visiting compromised websites. Once installed, it communicates with a Command and Control (C2) server to receive commands, execute remote operations, and exfiltrate data. The malware modifies the system’s registry to ensure persistence, making it difficult to remove. It also escalates privileges to gain administrative control of the infected machine, further increasing its threat potential.
Known Indicators of Compromise (IoCs)
- File Hashes:
  - MD5: 1b540a732f2d75c895e034c56813676a
  - SHA-1: 0dd8c542fd46dd5b55eefcf35382ee8903533703
  - SHA-256: 90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1
- ATT&CK IDs:
  - T1547.001 – Registry Run Keys / Startup Folder
  - T1564.001 – Hidden Files and Directories
  - T1082 – System Information Discovery
  - T1112 – Modify Registry
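To make the hashes above directly usable, here is an added example (it is not part of the advisory and not code from any vendor): a small Python scanner that computes MD5, SHA-1 and SHA-256 for every file under a directory and reports files whose digest matches one of the published IoCs. The three hash values come from the advisory; the temporary directory, the "benign.txt" sample and the self-match check in demo() are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Hash IoCs published in the advisory above (one DarkComet sample).
DARKCOMET_IOCS = {
    "md5": {"1b540a732f2d75c895e034c56813676a"},
    "sha1": {"0dd8c542fd46dd5b55eefcf35382ee8903533703"},
    "sha256": {"90d3dbe2c8ae46b970a865f597d091688e7c04c7886a1ec287e4b7a0f5e2fcf1"},
}


def hash_file(path):
    """Return md5/sha1/sha256 hex digests of a file.

    The file is read in 1 MiB chunks so large binaries are never loaded into memory.
    """
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for digest in digests.values():
                digest.update(chunk)
    return {name: digest.hexdigest() for name, digest in digests.items()}


def match_iocs(digests, iocs=DARKCOMET_IOCS):
    """Return the algorithms whose digest hits a known IoC (an empty list means no match)."""
    return [alg for alg, value in digests.items() if value.lower() in iocs.get(alg, set())]


def scan_directory(root, iocs=DARKCOMET_IOCS):
    """Walk root and return [(path, matched_algorithms)] for every file that hits an IoC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                matched = match_iocs(hash_file(path), iocs)
            except OSError:
                continue  # unreadable or vanished file: skip it rather than abort the scan
            if matched:
                hits.append((path, matched))
    return hits


def demo():
    """Constructed demo: a benign file yields no hit against the published IoCs; to prove the
    matcher fires, the same file's own SHA-256 is placed in a throwaway IoC set and rescanned."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp, "benign.txt")
        sample.write_bytes(b"hello world\n")
        no_hits = scan_directory(tmp)
        custom_iocs = {"sha256": {hash_file(sample)["sha256"]}}
        hits = scan_directory(tmp, custom_iocs)
        return no_hits, [(os.path.basename(p), algs) for p, algs in hits]


if __name__ == "__main__":
    benign, self_match = demo()
    print("hits against published IoCs:", benign)
    print("hits against self-match set:", self_match)
```

Run it against a quarantine or download folder rather than a whole system drive first; hashing every file on a busy endpoint is slow, and the point of a hash IoC is confirmation of a suspected sample, not broad hunting, since any repack or rebuild of the RAT changes all three digests.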
Mitigation and Prevention
- User Awareness: Train users to recognize phishing attempts and avoid downloading suspicious attachments.
- Email Filtering: Implement advanced filtering to block phishing emails and malicious links.
- Antivirus and Endpoint Detection: Use updated antivirus and EDR solutions to detect and block DarkComet.
- Two-Factor Authentication (2FA): Enable 2FA for critical systems to prevent unauthorized access.
- System Hardening: Regularly update software and apply security patches.
- Log Monitoring: Continuously monitor logs for signs of suspicious activity, such as unauthorized file or registry changes.
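As an added example of the log monitoring item (this is not the advisory's own tooling), the Python below scans registry-change events for writes to the Run / RunOnce autostart keys that the advisory maps to T1547.001 and T1112, and raises the severity when the autostart target or the writing process lives in a user-writable directory. The log lines are constructed for the example in a simple key=value layout loosely modelled on a Sysmon "registry value set" event (Event ID 13); the field names, paths, user name and timestamps are assumptions, not captured data.

```python
import re

# Autostart locations named in the advisory's ATT&CK mapping (T1547.001).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# Directories an unprivileged user can write to; a legitimate installer rarely autostarts from here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)
# "key=value" fields; the value runs until the next " key=" or end of line, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample log (assumed layout, not real telemetry): timestamp followed by key=value fields.
SAMPLE_LOG = r"""
2024-10-23T09:14:02Z EventID=13 Image=C:\Windows\explorer.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive Details=C:\Program Files\Microsoft OneDrive\OneDrive.exe
2024-10-23T09:15:41Z EventID=13 Image=C:\Users\alice\AppData\Local\Temp\invoice.exe TargetObject=HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate Details=C:\Users\alice\AppData\Roaming\svc\winupdate.exe
2024-10-23T09:16:03Z EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine="notepad.exe"
2024-10-23T09:17:10Z EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Foo\Start Details=DWORD (0x00000002)
"""


def parse_line(line):
    """Split one log line into a dict of fields plus its leading timestamp."""
    timestamp, _, rest = line.strip().partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def analyse(fields):
    """Return an alert dict for a Run-key write, or None if the event is not one."""
    if fields.get("EventID") != "13":
        return None
    target = fields.get("TargetObject", "")
    if not RUN_KEY_RE.search(target):
        return None
    details = fields.get("Details", "")
    reasons = ["autostart value written under Run/RunOnce (T1547.001, T1112)"]
    if USER_WRITABLE_RE.search(details):
        reasons.append("autostart target lives in a user-writable directory")
    if USER_WRITABLE_RE.search(fields.get("Image", "")):
        reasons.append("writing process itself runs from a user-writable directory")
    return {
        "timestamp": fields["timestamp"],
        "value": target.rsplit("\\", 1)[-1],
        "target": details,
        "writer": fields.get("Image", ""),
        # Any Run-key write is worth a look; one from or into user space is the RAT-like pattern.
        "severity": "high" if len(reasons) > 1 else "low",
        "reasons": reasons,
    }


def scan_log(text):
    """Run every non-empty line through the analyser and keep the alerts."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = analyse(parse_line(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"[{alert['severity']}] {alert['timestamp']} {alert['value']} -> {alert['target']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

The low-severity hit on the OneDrive entry is deliberate: autostart writes are common and a blanket alert would drown analysts, so the rule only escalates when the path evidence matches the persistence pattern described in the Attack Vectors section. In production the same logic would consume the real event source (Sysmon, EDR registry telemetry) rather than this constructed text, and a known-good allow-list for signed vendor autostarts would suppress the low-severity noise.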
Conclusion
DarkComet RAT remains a serious cybersecurity threat due to its versatile and powerful remote access capabilities. Organizations should prioritize security measures such as user training, email filtering, and robust endpoint protection to mitigate the risks posed by this malware. Regular monitoring and system updates will help reduce exposure to this persistent and stealthy threat.