Looking at the Sky for a DarkComet

www.fidelissecurity.com
www.threatgeek.com
@FidSecSys
+1800.652.4020
Fidelis Threat Advisory #1018
Looking at the Sky for a DarkComet
August 4, 2015
Executive Summary
First created in 2008, DarkComet is an efficient, function-rich remote access tool (RAT) that has been leveraged against various targets. DarkComet’s author immediately stopped offering the tool after its use against Syrian dissidents in 2012 by supporters of Syrian President Assad’s regime, and even the latest version of the tool, a 5.4.1 Legacy that doesn’t include a server builder, was discontinued.[i] Regardless of the fact that the tool is not being actively developed, the remarkable aspect of DarkComet is the amount of features that it offers via its “Fun Manager” control panel. The tool provides complete control over a victimized computer, which is why we believe that it remains a popular choice among a diverse hostile actor set that includes script kiddies, cyber criminals, and cyber espionage groups. As a result, we expect to see continued use of DarkComet against targets for the foreseeable future.
Key Findings
• Despite no longer being supported by its author, DarkComet remains active in the wild. We expect lesser skilled actors to use DarkComet directly; more advanced actors will likely use the tool in a support capacity after committing an initial intrusion.
• While there is broad coverage for variants of this RAT, we have provided a wider set of detection techniques in this paper [See Appendix A].
• Its feature-rich tool sets make it an attractive RAT for hostile actors seeking to gain unauthorized access into target systems, enabling them to completely control the victim. This paper provides a comprehensive overview of the feature set and operation of DarkComet [See Appendix B].
• Adversaries using default configurations are vulnerable to detection via Internet scans. We have conducted such scans and created a global heat map [See Graph 3]. The complete set of discovered controllers is also available [See Appendix C].
• Furthermore, it’s possible to extract configuration information for samples that are available in malware sharing repositories. We have made available a subset of configurations in our possession that can be operationalized by enterprise defenders [See Appendix D].
Users are granted permission to copy and/or distribute this document in its original electronic form and print copies for personal use. This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of Fidelis Cybersecurity, Inc.
While we have done our best to ensure that the material found in this document is accurate, Fidelis Cybersecurity, Inc. makes no guarantee that the information contained herein is error free.
Copyright © 2015 Fidelis Cybersecurity
Threat Advisory #1018
Rev. Final 080415
Page 1 of 41
Threat Overview
DarkComet Remote Access Tool
DarkComet (also called Fynlos and Fynloski) is a Delphi-coded robust remote access tool (RAT)
initially created by a French programmer in 2008 (see Image 1).
A more extensive technical review of DarkComet can be found in Appendix A: Detection,
Appendix B: Technical Analysis, Appendix C: Live DarkComet Clients, and Appendix D: The
Extracted DarkComet Configuration.
Image 1: DarkComet Author “Darkcodersc”
Many of the features of DarkComet can be used to conduct surreptitious surveillance of a target. The RAT’s robust features include a password-stealing keylogger, and the recording of video and audio from a compromised computer[ii] (for a more complete list of DarkComet capabilities, see Image 2). DarkComet steals the following information: administrator rights, computer/user name, language/country, operating system information, RAM used, and web cam information.[iii] The latest version of the tool, a 5.4.1 Legacy, which doesn’t even include a server builder, has been discontinued.[iv]
Image 2: DarkComet Capabilities
While taking control of a victimized computer is a DarkComet capability, stealing information may not be its only purpose. An investigation suggested that one DarkComet campaign might have been used to build a distributed denial-of-service (DDoS) bot network to boot gamers offline with SYN flood attacks.[v] The creator subsequently shut down his site that distributed the malware, citing the misuse of the tool and the possible legal ramifications of providing the tool to the public.
DarkComet is typically delivered via e-mail and has been identified in carefully crafted and
targeted spear phishing campaigns. Once the recipient opens the e-mail message and clicks on
the attached document, the RAT is deployed and installed, giving the attacker complete control of
the infected computer.
Although antivirus programs detect the initial code, one security company observed that hackers who encrypt and pack the main DarkComet tool could avoid antivirus detection. As a result, the company believes antivirus products should focus detection not only on the main malicious code, but also on the packer or encrypting tool that is hiding the Trojan.[vi]
DarkComet Offers Something for Everyone
The diverse and robust functionality of DarkComet makes it an ideal crossover tool for all types of malicious actors, particularly cyber criminals and those actors associated with cyber espionage activity.[vii] As early as 2012, there have been indications of the confluence between the two sets of actor groups with regards to using the same tools. As of 2015, both actor sets have been observed using the same type of tactics to go after their targets, further blurring the lines between the two groups.[viii]
• Cyber Espionage Actors
DarkComet first gained notoriety in 2012 when it was allegedly used by the Syrian regime to spy on dissidents. Suspected regime operators collected information on oppositionist groups, impersonated opposition leaders in online chats, captured webcam activity, disabled the notification setting for some antivirus programs, recorded key strokes, and stole passwords.[ix]
DarkComet has also been associated with another suspected cyber espionage campaign. OPERATION HANGOVER refers to a set of intrusion activity that may have started as early as September 2010 and continued through 2013 that targeted Pakistani organizations. OPERATION HANGOVER has more global and for-hire characteristics, according to a report, which couldn’t determine if the operation was sponsored or directed by a nation state.[x] However, specific targets such as government, legal, financial, media, and telecom are typically more in line with intelligence collection and exploitation rather than theft of money or personal identifiable information. In some instances, DarkComet was used as the final payload.[xi]
Finally, DarkComet has been used to target sensitive organizations in the Asia-Pacific region. In 2014, one security vendor observed threat actors exploiting old vulnerabilities in various software and applications. Its findings saw DarkComet being used in targeted attacks as far back as 2012, with most victims located in Taiwan, Japan, the United States, and Vietnam, respectively.[xii]
• Cyber Crime Actors
RATs are still important tools for cyber criminals, despite the development of other popular criminally focused tools such as the Dyre Trojan. In 2015, cyber criminals exploited the hashtag #JeSuisCharlie after the terrorist attack against the French satirical newspaper Charlie Hebdo to spread DarkComet. The variant dropped a copy of itself with the name svchost.exe and displayed the image of a newborn baby with a band carrying the name “Je suis Charlie”.[xiii]
Since 2014 there have been indications that Nigerian actors have evolved their 419 fraud scams.[xiv] In many of these instances, these actors implemented such tools as Netwire RAT and DarkComet RAT, among others. One campaign cited suspected Nigerian actors engaged in APT-like activities targeting oil transportation tankers in order to siphon off credentials and data.[xv] For more information, see Fidelis Threat Advisory #1017, Phishing in Plain Sight.
• Script Kiddies
DarkComet is a popular tool for these unskilled actors because of its facile utility and user-friendly “Fun Manager” control panel. Typically, this actor set has used DarkComet to take control over a computer’s web cam to spy on their victims. One prominent information security researcher has observed DarkComet controllers with hundreds of thousands of connections.[xvi]
• Unattributed Actors
Some targets could have been chosen by either espionage or criminal actors, depending on an intent that the published information sometimes does not allow us to ascertain. For example, in March 2015, one security vendor detected a spear phishing campaign that targeted Danish architectural firms. The e-mails contained a link to a cloud-based file sharing service that, when clicked, installed DarkComet.[xvii]
Fidelis Review of DarkComet Over 12 Months
During a 12-month period (July 2014 – July 2015), we observed DarkComet activity targeting our customers in various sectors. While we only have visibility into a portion of the global DarkComet activity, it does provide some insight into the types of sectors where hostile actors are leveraging this tool. The top five sectors targeted during this time period were:
• Technology/Manufacturing
• Consulting
• Financial Services
• Government
• Critical Infrastructure
The e-mail protocol was the primary vector by which DarkComet was delivered to our customers. Many of the file name techniques observed were consistent with spearphishing activity.
Graph 1: Incidents Observed with DarkComet
When delivered via e-mail protocols, we have observed the following file names used in various campaigns.
Graph 2: Top 10 DarkComet File Names
Further, we have observed live controllers with default settings with the following distribution:
Graph 3: DarkComet Infrastructure
Risk Assessment
Due to DarkComet’s history in the wild and the fact that it’s not being actively developed, security
vendors have created signatures for its detection. However, it should be noted that there have
been numerous incidents of adversaries encrypting the main DarkComet tool to bypass detection.
The use of RATs in high-profile breach activity indicates that they remain a viable tool to gain
access and compromise target systems. Due to their history of success in these endeavors
coupled with the increased sophistication developed in these tools, we expect RAT functionality
to continue to evolve, and be used by all categories and skill levels of actors.
The Fidelis Take
DarkComet remains a popular RAT for a diverse hostile actor set. Its feature-rich tool set provides capabilities that support criminals, espionage actors, and script kiddies, demonstrating its adaptability and ease of use.
The popularity of RAT use in high-profile breaches indicates that they possess the desired applicability for hostile actors against even the most prominent of targets. For example, RATs have been found on supervisory control and data acquisition systems in critical infrastructure over the past few years, which could provide attackers with remote access to some very sensitive process controls.[xviii] Based on past success history and increased sophistication of functionality, we can expect RATs to continue to evolve and be used against all systems by all types of actors.
While there will always be newer, more sophisticated RATs being developed, earlier RAT models
such as Back Orifice (released in 2000) and Poison Ivy (released in 2005) still remain effective
means to gain unauthorized access into unprotected systems. We believe the DarkComet RAT
will continue to be used for the foreseeable future; however, unless an independent individual or
group actively tries to update it or obfuscates it via the use of a downloader, security vendors
successfully detect the malware. Therefore, our estimation is that less sophisticated actors will
continue to primarily use this tool delivered directly via spear-phish or drive-by. More advanced
actors will likely use this tool sparingly after an intrusion has been achieved to deliver other
malware into the compromised target system.
Fidelis Cybersecurity’s advanced threat defense product, Fidelis XPS™, detects all of the activity documented in this paper.
References
i. Kimberly. (2014, June 8). Self-extracting archive or DarkComet? Retrieved from http://stopmalvertising.com/malware-reports/self-extracting-archive-or-darkcomet.html
ii. McMillan, R. (2012, July 11). How the boy next door accidentally built a Syrian spy tool. Retrieved from http://www.wired.com/2012/07/dark-comet-syrian-spy-tool/
iii. (2014, September 3). DarkComet. Retrieved from http://www.trendmicro.com/vinfo/us/threatencyclopedia/malware/DARKCOMET
iv. Kimberly. (2014, June 8). Self-extracting archive or DarkComet? Retrieved from http://stopmalvertising.com/malware-reports/self-extracting-archive-or-darkcomet.html
v. Burton, G. (2012, July 13). Retrieved from http://www.computing.co.uk/ctg/news/2191332/darkcomet-trojan-modified-and-used-against-government-and-gamers
vi. Neagu, A. (2015, March 26). Security alert: infamous DarkComet RAT used in spear phishing campaigns. Retrieved from https://heimdalsecurity.com/blog/darkcomet-rat-phishingcampaigns/
vii. Higgins, K.J. (2012, June 21). The intersection between cyberespionage and cybercrime. Retrieved from http://www.darkreading.com/attacks-breaches/the-intersection-betweencyberespionage-and-cybercrime/d/d-id/1137910?
viii. Higgins, K.J. (2015, February 24). Cybercrime, cyber espionage tactics converge. Retrieved from http://www.darkreading.com/analytics/threat-intelligence/cybercrime-cyberespionage-tactics-converge/d/d-id/1319203
ix. (2012, July 10). DarkComet RAT used by Syrian regime to spy on activists, shut down. Retrieved from http://www.infosecurity-magazine.com/news/darkcomet-rat-used-bysyrian-regime-to-spy-on/
x. Kaplan, D. (2013, May 20). Espionage hacking campaign “Operation Hangover” originates in India. Retrieved from http://www.scmagazine.com/espionage-hacking-campaignoperation-hangover-originates-in-india/article/294135/
xi. Fagerland, S., Krakvik, M., and Camp, J. (2013, May). Operation Hangover: Unveiling an Indian cyberattack infrastructure. Retrieved from http://enterprisemanage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf
xii. (2014). Targeted attack trends in Asia-Pacific. Retrieved from http://www.trendmicro.co.in/in/cloud-content/apac/pdfs/security-intelligence/reports/rpt1h-2014-targeted-attack-trends-in-asia-pacific.pdf
xiii. Paganini, P. (2015, January 17). Criminals exploited ‘Je Suis Charlie’ to spread DarkComet malware. Retrieved from http://securityaffairs.co/wordpress/32332/cyber-crime/criminalsje-suis-charlie-darkcomet.html
xiv. Krebs, B. (2015, May 20). Security firm redefines APT: African phishing threat. Retrieved from http://krebsonsecurity.com/2015/05/security-firm-redefines-apt-african-phishing-threat/
xv. (2015, May). Operation Oil Tanker. Retrieved from http://www.pandasecurity.com/mediacenter/src/uploads/2015/05/oil-tanker-en.pdf
xvi. Breen, K. (2015, July 12). DarkComet from defense to offense – identify your attacker. Retrieved from https://www.youtube.com/watch?v=tRM6HrW7BAc&feature=youtu.be
xvii. (2015, March). Security threat report – March 2015. Retrieved from https://www.solutionary.com/threat-intelligence/threat-reports/monthly-threatreports/2015/03/security-threat-report-march-2015/
xviii. Ackerman, R. (2015, July 1). Destructive cyberattacks increase in frequency, sophistication. Retrieved from http://www.afcea.org/content/?q=Article-destructive-cyber-attacksincrease-frequency-sophistication
APPENDIX A: Detection
Host:
    Default Mutex: DC_MUTEX-[A-Z0-9]{7}
    Default Dropped File: *\MSDCSC\msdcsc.exe
    Keylog Files: %TMP%/dclogs/YYYY-MM-DD-#.dc
    Registry Persistence:
        HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Hidden iexplore.exe processes with no visible parent process
    Hosts file changes
    5.4 Legacy Server Module has a visible GUI and system tray icon
Yara Rules:
rule DarkComet
{
    meta:
        description = "DarkComet RAT"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"
    strings:
        $s1 = "#KCMDDC"
        $s2 = "DCDATA"
        $s3 = "#BOT#CloseServer"
        $s4 = "#BOT#SvrUninstall"
        $s5 = "#BOT#URLDownload"
    condition:
        uint16(0) == 0x5a4d and filesize < 50MB and all of ($s*)
}

rule DarkCometDownloader
{
    meta:
        description = "DarkComet RAT Downloader"
        author = "Fidelis Cybersecurity"
        date = "2015-07-22"
    strings:
        $s1 = { 6A 00 FF 15 F0 30 40 00 A3 0D 10 40 00 6A 0A 68 26 10 40 00
                6A 00 FF 15 F4 30 40 00 A3 11 10 40 00 FF 35 11 10 40 00
                6A 00 FF 15 F8 30 40 00 A3 15 10 40 00 FF 35 11 10 40 00
                6A 00 FF 15 FC 30 40 00 A3 19 10 40 00 FF 35 15 10 40 00
                FF 15 00 31 40 00 A3 1D 10 40 00 FF 35 19 10 40 00 FF 35 1D 10 40 00
                68 2C 11 40 00 FF 15 08 31 40 00 FF 35 15 10 40 00 FF 15 0C 31 40 00
                31 C0 68 2C 10 40 00 68 2C 10 40 00 FF 15 14 31 40 00
                68 05 10 40 00 68 2C 10 40 00 FF 15 10 31 40 00 68 2C 10 40 00 FF 15 18 31 40 00
                6A 00 6A 00 68 2C 10 40 00 68 2C 11 40 00 6A 00 FF 15 80 30 40 00
                6A 05 6A 00 6A 00 68 2C 10 40 00 68 00 10 40 00 6A 00 FF 15 A8 30 40 00
                6A 00 FF 15 04 31 40 00 }
    condition:
        uint16(0) == 0x5a4d and filesize < 10KB and all of them
}
Network:
    Default Port: 1604 TCP
    Dynamic DNS: No-IP.com
    Default Banners:
        8EA4AB05FA7E
        B47CB892B702
        C7CF9C7CD932
        155CAD31A61F
        1164805C82EE
        BF7CAB464EFB
Check for regular beaconing and inspect FTP traffic, because the keylogger can be configured to deliver data over FTP.
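The host and network indicators above can be applied mechanically to endpoint and scan telemetry. The following Python script is an added example (it is not part of the advisory and not Fidelis code) that checks a host snapshot against every Appendix A indicator: the mutex pattern, the dropped-file and keylog paths, the two persistence keys, iexplore.exe processes whose parent no longer exists, the default port and banners, and hosts-file entries outside a baseline. The HostSnapshot layout, the sample values, the baseline hosts-file lines and the assumption that the banner is the hex string a scanner recorded from the remote end are all mine, not the advisory's.

```python
"""Apply the Appendix A host and network indicators to a host snapshot."""
import re
from dataclasses import dataclass

# Indicators quoted from Appendix A. The mutex pattern is anchored; the file
# paths are matched on their tail so any drive letter or profile prefix works.
MUTEX_RE = re.compile(r"^DC_MUTEX-[A-Z0-9]{7}$")
DROPPED_RE = re.compile(r"\\MSDCSC\\msdcsc\.exe$", re.IGNORECASE)
KEYLOG_RE = re.compile(r"[\\/]dclogs[\\/]\d{4}-\d{2}-\d{2}-\d+\.dc$", re.IGNORECASE)
PERSISTENCE_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
)
DEFAULT_PORT = 1604
DEFAULT_BANNERS = {
    "8EA4AB05FA7E", "B47CB892B702", "C7CF9C7CD932",
    "155CAD31A61F", "1164805C82EE", "BF7CAB464EFB",
}
# Assumed clean hosts-file content; every other active line is reported.
BASELINE_HOSTS = {"127.0.0.1 localhost", "::1 localhost"}


@dataclass
class HostSnapshot:
    """Assumed collection layout (not an advisory format): whatever your EDR or
    forensic export gives you, reduced to these plain lists."""
    mutexes: list        # mutex names
    files: list          # full paths
    registry: list       # (key_path, value_data)
    processes: list      # (pid, ppid, image_name)
    connections: list    # (remote_ip, remote_port, banner hex recorded from the remote end)
    hosts_file: str      # raw text of %SystemRoot%\System32\drivers\etc\hosts


def triage(snap: HostSnapshot) -> list:
    """Return (indicator, detail) pairs, one per Appendix A match."""
    hits = []
    for name in snap.mutexes:
        if MUTEX_RE.match(name):
            hits.append(("mutex", name))
    for path in snap.files:
        if DROPPED_RE.search(path):
            hits.append(("dropped_file", path))
        elif KEYLOG_RE.search(path):
            hits.append(("keylog_file", path))
    for key, data in snap.registry:
        if key.lower().startswith(PERSISTENCE_KEYS) and DROPPED_RE.search(data):
            hits.append(("persistence", f"{key} -> {data}"))
    live = {pid for pid, _, _ in snap.processes}
    for pid, ppid, image in snap.processes:
        # Appendix A / Image 24: the injected Internet Explorer has no live parent.
        if image.lower() == "iexplore.exe" and ppid not in live:
            hits.append(("orphan_iexplore", f"pid {pid} ppid {ppid}"))
    for ip, port, banner in snap.connections:
        if port == DEFAULT_PORT:
            hits.append(("default_port", f"{ip}:{port}"))
        if banner.upper() in DEFAULT_BANNERS:
            hits.append(("default_banner", f"{ip}:{port} {banner.upper()}"))
    for line in snap.hosts_file.splitlines():
        entry = " ".join(line.split("#", 1)[0].split())   # drop comments, squash whitespace
        if entry and entry not in BASELINE_HOSTS:
            hits.append(("hosts_file", entry))
    return hits


# Constructed sample snapshot (values invented for this example) that trips
# every check once; the Run value name is a placeholder, not a real artifact.
SAMPLE = HostSnapshot(
    mutexes=["DC_MUTEX-F54S21D", "Global\\ExampleAppMutex"],
    files=[r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe",
           r"C:\Users\victim\AppData\Local\Temp\dclogs\2015-07-22-1.dc",
           r"C:\Windows\System32\notepad.exe"],
    registry=[(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PlaceholderName",
               r"C:\Users\victim\Documents\MSDCSC\msdcsc.exe")],
    processes=[(4, 0, "System"), (1200, 900, "explorer.exe"), (2440, 3100, "iexplore.exe")],
    connections=[("203.0.113.10", 1604, "8ea4ab05fa7e"), ("198.51.100.5", 443, "160301")],
    hosts_file="127.0.0.1\tlocalhost\n# added by installer\n203.0.113.10\tupdate.example.com\n",
)

if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE):
        print(f"{indicator:16} {detail}")
```

Each hit names the indicator it came from, so a single "default_port" hit on its own is a lead to confirm, while a mutex or dropped-file hit beside an orphaned iexplore.exe is the combination Appendix B describes and warrants immediate containment.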
Appendix B: Technical Analysis
Components
DarkComet has several major components. The first component is the client that is used by the
attacker. It serves as the controller and the builder of the other components. The client can build
a simple downloader and it can also build the server component that is installed on victim
machines.
Image 3: DarkComet Example Server Module Connecting to Attacker Client with Port
Forwarding on a Router
Client
After accepting the EULA, the main screen of the DarkComet client shows up. We can see the
different tabs for the Users connected, On Connect tasks, User’s logs, and Sockets. There is also
a menu to add a new port to listen, client settings, embedded FTP Client, About, Help, and an
Exit.
Image 4: DarkComet 5.4 Legacy Client Main Window
We can see the main difference between the 5.4 version of the builder we obtained and the 5.3
version in this menu. The 5.3 version includes the functionality to build the server module and the
downloader module. The 5.4 Legacy includes an installer for the server module that has a visible
GUI and is configured on the victim system. The 5.4 version looks to be more of an attempt to
appear like a legitimate administration tool and is less stealthy because of this.
Image 5: DarkComet 5.3 Main Menu Showing Server Module and Server Downloader
Builder Options
The client includes the ability to add additional ports to listen on and can attempt to set up port forwarding automatically via UPnP.
Image 6: DarkComet 5.4 General Settings
The client includes many features under the client settings selection from the main menu.
• The general settings page includes various options for display and some automatic actions to apply when a new victim connects.
• The client layout page includes the ability to change the skin of the client and includes several built-in templates.
• The functions manager page allows the attacker to enable or disable the many different features that DarkComet has.
• The FTP wallet stores FTP credentials that can be used for the offline keylogger uploads.
• The built-in No-IP Updater can automatically update a No-IP DNS record when the client’s IP changes or is moved.
• The pushme notify page used to provide the ability to send push notifications to a mobile phone using the pushme.to service when it was online. This would allow attackers to keep tabs on the number of victims they have and other system statistics on their mobile phone.
• The manage users group page allows attackers to group victims.
• The notes page allows attackers to keep notes.
• The manage local db page includes a tab for user information like IP address and operating system. There is also another tab that includes the keylogger data stored in the database.
When a victim connects to the client console they are displayed on the Users tab along with
GeoIP information, IP address, computer name, operating system, language, network latency,
idle time, first execution of DarkComet, and other system information.
Image 7: DarkComet User Connected
DarkComet has the ability to execute certain commands on connect like Open a URL, Ping,
Download a File, or Shell execute among others. The Users logs tab shows the various actions
taken on the different victim systems. The Socket tab shows all of the different ports that
DarkComet is listening on.
The attacker can right click on a user on the Users tab to open a menu of some of the options
that DarkComet has. It is difficult to understand why a true administration tool would contain
commands to perform a DDoS, but those features are there.
Image 8: DarkComet Command Menu
When the control center is opened up through this menu the plethora of DarkComet capabilities
are displayed.
Image 9: DarkComet Capabilities
DarkComet has the ability to obtain a variety of system information about the victims.
Image 10: DarkComet Computer Information
One of the most interesting parts about DarkComet is the FunManager. These features allow the
attacker to troll the victims and aggravate them. There are a variety of features that hide/show
parts of the operating system, open/close the CD, play a piano, send a messagebox, have
Microsoft Reader read messages, and initiate a remote chat.
Image 11: DarkComet FunManager
Attackers can use the remote chat feature to interact with the victims.
Image 12: DarkComet Remote Chat with Victims
DarkComet includes more nefarious functions that allow an attacker full control of a victim system. These features include a process manager, remote registry, Windows List, Uninstall Applications, System Privileges, and the ability to edit the MSConfig to change Services/Registry Startup.
The hosts file is located in %SystemRoot%\System32\drivers\etc\hosts and takes precedence over DNS lookups in the operating system’s mapping between hostnames and IP addresses. Using this feature, an attacker could effectively redirect any DNS record to their attacker IP to perform man-in-the-middle attacks.
DarkComet also provides the ability to launch HTML, Batch, or Visual Basic Scripts against victims. There is a remote file manager for the victim’s file system with the ability to send, receive, or search for files. DarkComet’s most surreptitious features include the ability to steal stored passwords and turn on the webcam and/or microphone of its victims. DarkComet can also retrieve uTorrent Download Logs of victims and change MSN Messenger status and view contacts.
Image 13: DarkComet Webcam Viewer and Sound Recorder
DarkComet’s Remote Desktop capability allows attackers to take complete control of a victim
system.
Image 14: DarkComet Remote Desktop Settings
DarkComet’s Keylogger capability records the victim’s keystrokes as well as the window. The
logs are stored by date and can be exported and searched by the attacker.
Downloader
The 5.3 client includes the ability to create a downloader. It is a simple program that downloads
the DarkComet executable to %TEMP%/tmp.exe and executes it. The attacker can choose to
create an exe, com, bat, pif, or scr.
Image 15: DarkComet Downloader Builder
Image 16: DarkComet Downloader in Debugger
Image 17: DarkComet Downloader Decompiled
Server Module
The 5.4 server module comes with an installer similar to the full install shown earlier. It attempts
to look more like an administration tool. It has a GUI that is visible on the victim system and it
must be configured on the victim system. It also displays a system tray icon.
Image 18: DarkComet RAT 5.4 Server Module Main Screen
The 5.3 server module is built from the 5.3 client GUI and includes many more malware-like features. The server module can be built using the minimal editor or the full editor.
Image 19: DarkComet Server Module Menu
The minimalist menu includes a limited amount of options such as the ID, IP, and port to connect
back to, destination path, and icon.
Image 20: DarkComet Minimalist Server Module Editor
The full editor has many more features and includes the ability to save profiles. The main settings
screen has the option for an additional password. The option is not selected by default and when
it is selected, the default password is “0123456789”. There is a randomly generated mutex that
follows the regular expression pattern of DC_MUTEX-[A-Z0-9]{7}.
Image 21: DarkComet Server Module Full Editor Main Settings
DarkComet has the ability to perform process hijacking where it injects into Internet Explorer in
order to attempt to bypass firewall restrictions.
Image 22: DarkComet Creating an Internet Explorer Process in a Suspended State
Image 23: DarkComet Process Hijacking with VirtualAllocEx and WriteProcessMemory
The malicious Internet Explorer process doesn’t have a parent process, which bears noting. We
see that some of the DarkComet strings are present in the process memory.
Image 24: DarkComet Hijacked Internet Explorer Process
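The sequence in Images 22 through 24 (Internet Explorer created in a suspended state, then VirtualAllocEx and WriteProcessMemory from the creator into that new process) is a correlation rule, not a single-event signature. The following Python is an added detection example of my own, not code from the advisory or from Fidelis: it walks an API-call trace and reports every creator/child pair where the child was spawned with CREATE_SUSPENDED and the creator then both allocated and wrote memory in it. The one-call-per-line "key=value" trace format is assumed for this example and stands in for whatever sandbox or EDR export is actually available; the sample lines are constructed, not captured from DarkComet.

```python
"""Correlate an API-call trace for the suspended-process injection in Appendix B."""
import re
from collections import defaultdict

# Assumed trace format (constructed for this example, not a real tool's export):
# one call per line, "pid=<caller> api=<name> key=value ...".
FIELD_RE = re.compile(r"(\w+)=(\S+)")
CREATE_SUSPENDED = 0x00000004          # dwCreationFlags bit for CreateProcess
INJECTION_APIS = {"VirtualAllocEx", "WriteProcessMemory"}


def parse_line(line: str):
    """Turn one trace line into a dict, or None if it lacks pid/api."""
    fields = dict(FIELD_RE.findall(line))
    if "pid" not in fields or "api" not in fields:
        return None
    fields["pid"] = int(fields["pid"])
    return fields


def find_hollowed_processes(trace_lines):
    """Return [(creator_pid, target_pid, image)] for every process that was
    spawned suspended and then had memory allocated and written by its creator."""
    suspended = {}                 # target pid -> (creator pid, image name)
    seen = defaultdict(set)        # (creator, target) -> injection APIs observed
    for line in trace_lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["api"] in ("CreateProcessA", "CreateProcessW"):
            flags = int(ev.get("flags", "0"), 16)
            if flags & CREATE_SUSPENDED and "new_pid" in ev:
                suspended[int(ev["new_pid"])] = (ev["pid"], ev.get("image", "?"))
        elif ev["api"] in INJECTION_APIS and "target" in ev:
            target = int(ev["target"])
            # Only the creator writing into its own suspended child is the pattern;
            # writes into an unrelated or normally started process are ignored here.
            if target in suspended and suspended[target][0] == ev["pid"]:
                seen[(ev["pid"], target)].add(ev["api"])
    return [(creator, target, suspended[target][1])
            for (creator, target), apis in seen.items() if apis >= INJECTION_APIS]


# Constructed sample trace: one suspended iexplore.exe that is written into by
# its creator (flagged) and one ordinary notepad.exe launch (not flagged).
SAMPLE_TRACE = """
pid=1840 api=CreateProcessA image=iexplore.exe flags=0x00000004 new_pid=2512
pid=1840 api=VirtualAllocEx target=2512 size=0x1e000 protect=0x40
pid=1840 api=WriteProcessMemory target=2512 size=0x1d200
pid=3000 api=CreateProcessA image=notepad.exe flags=0x00000000 new_pid=3104
pid=3000 api=WriteProcessMemory target=3104 size=0x10
this line is not a trace record
""".strip().splitlines()

if __name__ == "__main__":
    for creator, target, image in find_hollowed_processes(SAMPLE_TRACE):
        print(f"pid {creator} created {image} (pid {target}) suspended and wrote into it")
```

Requiring both calls keeps the rule quiet on legitimate software that starts a child suspended for other reasons, and recording the creator pid lets the responder go straight to the dropped executable rather than the hollowed Internet Explorer, which by the time of Image 24 has no parent left to point at.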
DarkComet has several startup settings and persistence options that can be configured.
DarkComet can drop its permanent file in the following locations:
Image 25: DarkComet Dropped File Persistence Locations
Although the default ending file path and name is \MSDCSC\msdcsc.exe, it can be configured to other values. DarkComet can melt the original file after the first execution, change the creation date, create persistence, and change the dropped file and folder attributes to hidden and system to make them more difficult to locate.
DarkComet has the option to display a fake install messagebox that could be used to trick a user
into thinking the program had an error.
Image 26: Fake Error Message on Install Used to Trick Victims
DarkComet has what it calls “module shield options” that are more common to malware than true administration tools. DarkComet has the following shield options:
• Hide the startup key
• Make the process restore if killed
• Hide the executable and folder from explorer
• Disable the task manager, disable the registry editor
• Disable the Windows firewall
• Disable User Account Control
• Disable AV notify, Security Center, Windows Update, and the Control Panel on older systems
The DarkComet keylogger includes an offline mode. In that mode the keylogger stores the
keystrokes and the active window name in files located in %TMP%/dclogs/YYYY-MM-DD-#.dc.
The files can later be uploaded to the FTP server once they reach a pre-configured size.
The DarkComet keylogger uses SetWindowsHookEx to “install a hook procedure that monitors
low-level keyboard input events” (Microsoft, n.d.).
Image 27: DarkComet Keylogger using SetWindowsHookExA
Image 28: DarkComet HookProcedure Showing Large Switch Statement Structure for
Special Characters
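The persistence defaults and the offline keylog location above are the host artifacts a responder can hunt for. The following script is an added example, not code from the advisory or from DarkComet: it triages a file inventory for the default drop path \MSDCS\msdcsc.exe (with the hidden and system attributes the builder sets) and for %TMP%\dclogs\YYYY-MM-DD-#.dc keylog files, validating the date so that look-alike names are not reported. The inventory, user name and paths are constructed for the example; a real run would walk the filesystem or consume an EDR file listing. Because both defaults can be changed in the builder, a clean result here proves nothing on its own.

```python
r"""Host-artifact triage for the DarkComet defaults named in this advisory.

Added example, not from the advisory or from DarkComet itself.  It checks a
file inventory (constructed sample below) for:
  * the default dropped-file path \MSDCS\msdcsc.exe, optionally hidden+system
  * offline keylogger files %TMP%\dclogs\YYYY-MM-DD-#.dc
"""
import re
from datetime import date

# Builder default from the advisory; the operator can change it.
DEFAULT_DROP_SUFFIX = "\\msdcs\\msdcsc.exe"

# dclogs\<YYYY-MM-DD>-<n>.dc, matched case-insensitively on either slash style
DCLOG_RE = re.compile(r"[\\/]dclogs[\\/](\d{4})-(\d{2})-(\d{2})-(\d+)\.dc$", re.IGNORECASE)


def is_default_drop_path(path):
    r"""True if the path ends in the builder's default \MSDCS\msdcsc.exe."""
    return path.lower().endswith(DEFAULT_DROP_SUFFIX)


def parse_dclog_name(path):
    """Return (date, sequence) for an offline keylog file name, else None.

    The date is validated so that e.g. 2015-13-40-1.dc is not reported.
    """
    m = DCLOG_RE.search(path)
    if not m:
        return None
    y, mo, d, seq = (int(g) for g in m.groups())
    try:
        return date(y, mo, d), seq
    except ValueError:
        return None


def triage(entries):
    """entries: iterable of dicts with keys path, hidden, system (booleans).

    Returns a list of (path, reason) findings, in inventory order.
    """
    findings = []
    for e in entries:
        path = e["path"]
        if is_default_drop_path(path):
            reason = "default DarkComet drop path"
            if e.get("hidden") and e.get("system"):
                reason += " (hidden+system attributes set, as the builder does)"
            findings.append((path, reason))
            continue
        parsed = parse_dclog_name(path)
        if parsed:
            day, seq = parsed
            findings.append((path, f"offline keylog file for {day.isoformat()}, part {seq}"))
    return findings


# Constructed sample inventory; the user name and paths are illustrative only.
SAMPLE_INVENTORY = [
    {"path": r"C:\Users\alice\Documents\MSDCS\msdcsc.exe", "hidden": True, "system": True},
    {"path": r"C:\Users\alice\AppData\Local\Temp\dclogs\2015-07-22-1.dc", "hidden": False, "system": False},
    {"path": r"C:\Users\alice\AppData\Local\Temp\dclogs\2015-13-40-1.dc", "hidden": False, "system": False},
    {"path": r"C:\Windows\System32\notepad.exe", "hidden": False, "system": False},
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE_INVENTORY):
        print(f"{reason}: {path}")
```

Run it as-is to see the two findings from the constructed inventory; feed `triage()` a list built from `os.walk()` plus `os.stat()` attribute checks to use it on a live host.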
Image 29: DarkComet Using GetKeyboardState and MapVirtualKeyA to Log Keystrokes in
the HookProcedure
Image 30: DarkComet HookProcedure Sample of Switch Cases to Log Special Characters
DarkComet allows the attacker to add plugins for additional features. The author includes
example plugin source code that attackers can use as a template for their own plugins.
The DarkComet server module can be configured to use a custom icon to further trick victims. A
custom icon can be loaded from a path, or one of the pre-added icons can be chosen.
The final page of the DarkComet server module builder lets the attacker choose the type of file
to create (exe, com, bat, pif, or scr). There is also an option to use the UPX or MPRESS packer
to compress and obfuscate the server module.
Configuration Extraction
The DarkComet config is stored in the DCDATA resource in the executable.
Image 31: DarkComet Config Stored in the Resource
When DarkComet is executed, the resource and the key are located and the configuration is then decoded.
Image 32: DarkComet Resource and Key in Registers
Image 33: DarkComet Configuration Visible in Memory
As long as it has not been modified or packed, the configuration for DarkComet can be easily
extracted (via the binary on disk or by extracting it from memory), using Kevin Breen’s RAT
decoder python script listed in the references.
Image 34: Example of Kevin Breen’s DarkComet RAT Decoder (Breen, 2014)
Network Traffic
DarkComet uses TCP port 1604 by default. DarkComet traffic is encrypted with the popular RC4
stream cipher. By default, the RC4 key is a hardcoded password that differs from version to
version.
Image 35: DarkComet RC4 Implementation
DarkComet sends a banner once the TCP three-way handshake has completed. The banner is
the hex representation of the RC4-encrypted ASCII string “IDTYPE” (Breen, 2015).
Version        Default Hardcoded Password   Default Encrypted IDTYPE Banner (Breen, 2015)
#KCMDDC2#      #KCMDDC2#-890                8EA4AB05FA7E
#KCMDDC4#      #KCMDDC4#-890                B47CB892B702
#KCMDDC42#     #KCMDDC42#-890               C7CF9C7CD932
#KCMDDC42F#    #KCMDDC42F#-890              155CAD31A61F
#KCMDDC5#      #KCMDDC5#-890                1164805C82EE
#KCMDDC51#     #KCMDDC51#-890               BF7CAB464EFB
It is possible to use Shodan to search for all of the default DarkComet command and control
servers that use the default port and default credentials. We found 298 at the time of writing
(7/2015). The complete list of IP addresses can be found in Appendix C.
Image 36: Shodan Results of DarkComet on the Default Port with the Default Password
DarkComet also has the ability to append an additional password to the hardcoded password.
The default password that the builder pre-populates is “0123456789”. If the default password was
used with DarkComet version 5.3 then the traffic encryption key would be:
“#KCMDDC51#-8900123456789”
The DarkComet TCP stream looks like an opaque blob of binary data. The sample traffic in the
screenshot below was generated from a DarkComet version 5.3 sample built with the default
additional security password.
Image 37: DarkComet 5.3 TCP Stream
We can decrypt the first few bytes from the RAT client to the RAT server module with a simple
Python one-liner using the RC4 key “#KCMDDC51#-8900123456789”:
python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-8900123456789\").decrypt(\"DACA20185D99\".decode('hex'))"
Output: IDTYPE
As expected we see the correct banner “IDTYPE”.
Next, the RAT server module sends a response, which we decrypt using the same key:
python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-8900123456789\").decrypt(\"C0CB2617488E\".decode('hex'))"
Output: SERVER
The RAT client next sends a command, which we decrypt:
python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-8900123456789\").decrypt(\"D4EB00124492B765534F904EED1288DC6206D18C28D7B85CB928899F\".decode('hex'))"
Output: GetSIN192.168.66.128|8437546
The RAT server module then responds to the request for system information, which we decrypt
below:
python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-8900123456789\").decrypt(\"FAE0122E68AFC1290412D549E3408FD37E19D2826CC1BA59A02C8F91B732090C5C1CABDF8299AB72ACB0A10BBCC9B7A0CF5C8552A1D06EA883526BA15F6105E77847E4FE9C11C7428A22339360F408177657893860317264E9C560B893F5451A53CE69CBB95A947F986ED0B64CDBB2C8AD0EAA233C472915FABD7F58624EC29D9F7974D8C319548C8FAA60499ED32A633533E1CAB948CEA367DDA38572506F2994CD0D35E93B6F164853291D99D1803C8B0CC76EB6E0E046F43610BD069AD7886B480D92B8B7036AE1EE28F1C156C70A9F9DF03EEB79B1F18FB2F818EEA687858550B99DDED297C3EA1F8764D0188CFE1F3FB2CEEEA826E16234B7263969FAC90A2E900159E494B1821B8A42D61EE4192E3D4A01DCDD4A9A01FABB4CF3EB660B317A9A4149ABE00FB7809A173A9652B54FF82CBD146912E3131F1B8BC857BF59AE623568200D4406EBB3E64FA12E403512548EBD6C5E6B01578A61E96B6EAB6EE847E97DD91A97D7D27BEDEA6869CA995CCFB0C531045D9DCA15372482B0C531045D9DCA15372482B0C531045D9DCA15372482\".decode('hex'))"
Output: infoesGuest16|192.168.66.128 / [192.168.66.128] : 1604|WIN-JN4BO8C9KHA / grandma|8437546|0s|Windows 7 Service Pack 1 [7601] 32 bit ( C:\ )|- (Limited)||US|Capturing from Local Area Connection [Wireshark 1.12.5 (v1.12.5-0-g5819e5b from master1.12)]|{e29ac6c0-7037-11de-816d-806e6f6e6963-1656107936}|52%|English (United States) US / -- |7/22/2015
If we look at another DarkComet version 5.3 sample that was built without the extra password and
was allowed to run longer, we can see some of the repeating keepalive messages:
python -c "from Crypto.Cipher import ARC4; print ARC4.new(\"#KCMDDC51#-890\").decrypt(\"D573BA5A4EFFC3FB629308\".decode('hex'))"
Output: #KEEPALIVE#
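The one-liners above depend on Python 2 and PyCrypto. The following is an added example, not code from the advisory or from DarkComet, that serves both the default-key table and the decrypted session above: a pure-Python RC4 reproduces the encrypted IDTYPE banner for each default key, maps a captured banner back to the version key that produced it (the same check the Shodan search performs at scale), and decrypts the session samples. The keys are the defaults from the table (hardcoded password, optionally followed by the builder's additional password) and the hex samples are the ones shown in this section; `bytes.fromhex` replaces Python 2's `.decode('hex')`. Nothing else is assumed.

```python
"""RC4 and the DarkComet default-key conventions described in this section.

Added example, not the advisory's code or DarkComet's.  Pure-Python RC4 (no
PyCrypto dependency) so it runs anywhere; the key strings are the defaults
tabulated above and the ciphertext samples are the ones shown above.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus PRGA; encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation + XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Hardcoded per-version passwords from the table above.
DEFAULT_KEYS = [
    "#KCMDDC2#-890", "#KCMDDC4#-890", "#KCMDDC42#-890",
    "#KCMDDC42F#-890", "#KCMDDC5#-890", "#KCMDDC51#-890",
]


def banner_for(key: str) -> str:
    """Hex of RC4(key, "IDTYPE"): the first 6 bytes a default-configured client sends."""
    return rc4(key.encode(), b"IDTYPE").hex().upper()


def identify_default_key(banner_hex: str):
    """Map a captured banner back to the default key that produces it, or None.

    This works as a fingerprint because, as the one-liners above show, every
    message is decrypted with a freshly keyed cipher, so the banner is constant
    for a given key.  An operator who sets an additional password changes the
    key and therefore the banner, and this then returns None.
    """
    banner = banner_hex.upper()
    for key in DEFAULT_KEYS:
        if banner_for(key) == banner:
            return key
    return None


def decrypt_hex(key: str, hex_ciphertext: str) -> bytes:
    """Decrypt one DarkComet message given as hex (whitespace tolerated)."""
    return rc4(key.encode(), bytes.fromhex("".join(hex_ciphertext.split())))


if __name__ == "__main__":
    for key in DEFAULT_KEYS:
        print(f"{key:<16} {banner_for(key)}")
    # Session shown in this section: a 5.3 sample with the builder's default
    # additional password 0123456789 appended to the 5.1 hardcoded key.
    session_key = "#KCMDDC51#-8900123456789"
    for hex_msg in ("DACA20185D99", "C0CB2617488E"):
        print(decrypt_hex(session_key, hex_msg))
    # Keepalive from the second sample, which has no additional password.
    print(decrypt_hex("#KCMDDC51#-890", "D573BA5A4EFFC3FB629308"))
```

For a network sensor, `identify_default_key()` applied to the first six bytes of a new TCP session to port 1604 is a cheap first-pass detector; a non-default port or an additional password defeats the banner match, which is exactly why the advisory supplements it with the other detections in Appendix A.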
There is an interesting vulnerability in DarkComet that will likely never be patched because the
author no longer maintains the project. Shawn Denbow and Jesse Hertz discovered the
vulnerability while they were interns at Matasano in 2012. They found that it was possible to
perform an arbitrary file read against the DarkComet client (Denbow & Hertz, 2012). The
DarkComet database could be downloaded to see what was taken, along with other files that could
potentially identify the person behind the attacks.
Image 38: Shawn and Jesse’s Quickup Script to Download the DarkComet SQLite
Database
Image 39: Example DarkComet SQLite Database that can be downloaded
References:
Breen, K. (2015). DarkComet From Defense To Offense - Identify your Attacker. Retrieved from
https://youtu.be/tRM6HrW7BAc
Breen, K. (2014, July 23). Look inside a DarkComet Campaign. Retrieved from
https://techanarchy.net/2014/07/dark-comet-campaign/
Breen, K. (2014). RATDecoders DarkComet.py. Retrieved from
https://github.com/kevthehermit/RATDecoders/blob/master/DarkComet.py
Denbow, S., & Hertz, J. (2012). Pest control: Taming the rats. Retrieved from
https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/PESTCONTROL.pdf
DarkComet RAT. (2011). Retrieved from
http://www.contextis.com/resources/blog/malware-analysis-dark-comet-rat/
Kujawa, A. (2012, October 5). DarkComet 2: Electric Boogaloo. Retrieved from
https://blog.malwarebytes.org/intelligence/2012/10/dark-comet-2-electric-boogaloo/
Kujawa, A. (2012, June 9). You Dirty RAT! Part 1 – DarkComet.
Microsoft. (n.d.). Windows API Index. Retrieved from
https://msdn.microsoft.com/en-us/library/windows/desktop/ff818516(v=vs.85).aspx
Quequero. (2012, March 16). DarkComet Analysis – Understanding the Trojan used in Syrian
Uprising. Retrieved from http://resources.infosecinstitute.com/darkcomet-analysis-syria/
Stallings, W. (2005). The RC4 Stream Encryption Algorithm.
Złośliwe oprogramowanie dla bankowości korporacyjnej [Malicious software targeting corporate
banking]. (2013). Retrieved from http://prevenity.com/files/Atak_bankowosc_korporacyjna_2013.pdf