DarkComet RAT: Technical Analysis of Attack Chain
Summary:
In a report from ANY.RUN, DarkComet is highlighted as a highly versatile and dangerous Remote Access Trojan (RAT) that has been a persistent threat since its creation by Jean-Pierre Lesueur in 2008. This malware allows attackers to gain unauthorized control over infected systems, stealing sensitive data while running silently in the background. DarkComet is capable of gathering a wide range of information, including stored credentials, usernames, passwords, and details about the system and network activity. This information is then transmitted back to a command-and-control (C2) server specified by the attacker, making it an effective tool for spying and data exfiltration.
One of the key features of DarkComet is its ability to evade detection. It can disable antivirus programs and other Windows security features, allowing it to operate without raising suspicion. This stealthy behavior means that users often remain unaware of its presence on their systems. The malware is distributed through various methods, including bundling with seemingly legitimate free software, disguising itself as harmless attachments in phishing emails, and exploiting software vulnerabilities found on compromised websites.
DarkComet's popularity among cybercriminals is partly due to its user-friendly graphical interface, which makes it accessible even to those with limited technical expertise. This ease of use has led to its widespread deployment, particularly in targeted attacks where precise control over an infected system is required.
The technical analysis of DarkComet reveals its ability to alter system files and attributes, making its components harder to detect. It uses commands to hide files and mark them as critical system files, effectively blending into the operating system. DarkComet drops an executable file on the infected machine, running it from hidden locations to make it more difficult for security tools to track. It also interacts with Windows APIs to modify process privileges, enhancing its control over the infected system's environment.
DarkComet's capabilities extend to interacting with system hardware and settings. It uses APIs to collect detailed information about the infected machine's hardware profile, including unique identifiers and configuration details, such as docked or undocked states. This information helps the malware adapt its behavior based on the system's characteristics. Additionally, it retrieves date, time, and location settings from the registry, providing attackers with context about the infected device's environment.
One of the more advanced functions of DarkComet involves simulating user actions like mouse movements and keyboard input. Using functions like mouse_event and keybd_event, the malware can mimic user actions to interact with the system in a way that appears natural, making it harder to detect. DarkComet also records keystrokes, capturing everything typed on the infected machine, which can include sensitive information like login credentials and personal messages.
The malware communicates with a command-and-control (C2) server to receive instructions, enabling attackers to remotely manipulate the infected machine. This communication allows them to perform a range of actions, such as stealing files, modifying system settings, and even deploying additional malware. The C2 server gives attackers the flexibility to adapt their strategy based on the data gathered from the victim's system.
Analyst Comments:
According to the report, persistence is a crucial aspect of DarkComet's design. It achieves this by creating entries in the Windows registry that ensure the malware starts automatically with the system, even after a reboot. It modifies keys like SOFTWARE\Microsoft\Windows\CurrentVersion\Run to point to the malware's executable, maintaining a foothold on the infected system. Additionally, it changes critical Windows registry settings, such as the WinLogon key, to further embed itself within the operating system's startup processes.
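As an added defender-side example (not code from the ANY.RUN report), the following PowerShell audit enumerates the Run keys and Winlogon values named above and flags entries whose target sits in a user-writable directory, carries the Hidden+System attributes described in the Summary, is unsigned, or deviates from the stock Winlogon Shell/Userinit values. The paths, default values and heuristics are assumptions for a standard Windows install.

```powershell
# Added example (not from the ANY.RUN report): audit the autostart locations the report
# names for DarkComet persistence. Assumes Windows, PowerShell 5.1+, run as Administrator.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
# Default Winlogon values on a stock install (assumed); anything else deserves a look.
$expected = @{ Shell = 'explorer.exe'; Userinit = 'C:\Windows\system32\userinit.exe,' }

function Get-TargetPath([string]$Command) {
    # Strip quotes and arguments to recover the executable path.
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Test-RunEntry([string]$Name, [string]$Command) {
    if (-not $Command) { return }
    $path = Get-TargetPath $Command
    $reasons = @()
    # Autostart targets in user-writable profile directories are unusual and worth review.
    if ($path -match '\\(AppData|Temp)\\') { $reasons += 'user-writable path' }
    if (Test-Path -LiteralPath $path) {
        $attrs = (Get-Item -LiteralPath $path -Force).Attributes
        # Hidden + System outside the OS directory matches the file-hiding behaviour described above.
        if ($attrs.HasFlag([IO.FileAttributes]::Hidden) -and $attrs.HasFlag([IO.FileAttributes]::System) -and
            $path -notlike "$env:SystemRoot\*") { $reasons += 'hidden+system attributes' }
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
    } else { $reasons += 'target missing' }
    if ($reasons) { [pscustomobject]@{ Entry = $Name; Command = $Command; Reasons = $reasons -join ', ' } }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSParentPath, ...)
        Test-RunEntry -Name "$key\$($p.Name)" -Command $p.Value
    }
}

# Winlogon Shell and Userinit should point only at the standard binaries.
$wl = Get-ItemProperty -Path $winlogon
foreach ($n in $expected.Keys) {
    if ($wl.$n -and $wl.$n -ne $expected[$n]) {
        [pscustomobject]@{ Entry = "$winlogon\$n"; Command = $wl.$n; Reasons = 'non-default Winlogon value' }
    }
}
```

Every flagged row is a lead to triage, not a verdict; legitimate software occasionally trips the user-writable-path or signature checks.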
DarkComet's ability to retrieve information about connected display devices and to read clipboard data, along with its other functionalities, makes it a comprehensive tool for cyber espionage. The RAT can extract data from the clipboard, including images and text, and access display device information using specific Windows APIs. This further enhances its capability to monitor and control the infected system, providing attackers with extensive insight into user activity.
The ANY.RUN report concludes that DarkComet remains a potent threat in the realm of cybersecurity due to its combination of stealth, versatility, and ease of use. Despite being around for over a decade, it continues to be a favored tool among cybercriminals for conducting remote surveillance, stealing sensitive data, and launching targeted attacks. Its ability to manipulate infected systems extensively, evade detection, and maintain persistence makes DarkComet a serious concern for both individual users and organizations, emphasizing the need for vigilance and robust security measures to counter such sophisticated threats.
Suggested Corrections:
To mitigate the risks posed by DarkComet, organizations are advised to implement robust security measures, such as keeping systems up-to-date with the latest patches, using reputable antivirus software, monitoring network activity for suspicious connections, enforcing strict email and download policies, and isolating infected machines to prevent further data exfiltration.
Link(s):
https://any.run/cybersecurity-blog/darkcomet-rat-technical-analysis/