DarkComet RAT used by wide array of attackers

Remote administration software such as the DarkComet RAT has many legal uses but it is unfortunately more known for being frequently misused by a wide array of cyber attackers.

These illegal uses are what made DarkComet’s author put a break on the tool’s further development, but sadly that won’t stop its misuse.

“The real value of the RAT to the attacker is the core remote control functionality that breaches the confidentiality and integrity of the victim and the victim network by allowing the attacker full access to the target system,” points out Arbor Networks researcher Curt Wilson.

“The monitoring of all keystrokes (including passwords, sensitive data entered onto secure sites), control of file upload/download, the ability to steal any file, access network shares, spy via webcam or microphone, download and install additional malware, and other features make these RATs a formidable threat when wielded by a focused attacker.”

He and his colleagues have taken it upon themselves to follow and analyze the recent campaigns using the DarkComet RAT and to try and discover who might be behind them.

They started by looking at the passwords, server IDs and Command & Control infrastructure being used by the RAT itself.

“While it is of course possible for any attacker to set any password, C&C or server ID or name for any reason such as for misdirection purposes, it is also possible that these elements may reflect the intent of the campaign and give a hint towards the actors behind the scenes,” shared Wilson.

And so they discovered that some campaigns targeted visitors of government websites, other online gamers, and others still political dissidents.