Here are a couple of features which are included in the DarkComet RAT:
- Webcam starter
- Microphone starter
- Remote Desktop Control
- Clipboard stealer
The CSIS report provides some critical indicators for security researchers. The architecture malicious campaign creates the following files in the listed directories:
It also changes the following registry keys:
Another interesting detail is that the Remote Access Trojan includes techniques to hide from virtual environments such as VirtualBox. Security researchers commonly run captured malware in virtual machines, and the cybercriminals behind the campaign have included techniques to trick VirtualBox machines.
The cybercriminals also gave the DarkComet Trojan a sleep function, with the sleep timer set to 3 minutes. This means that the DarkComet Trojan will start operating only after 3 minutes.
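As an added example (not from the CSIS report or the original article), the following sketch shows why the 3-minute sleep matters for sandbox analysis: it checks a constructed event trace to see whether the observation window was long enough to catch a delayed start. The trace format, event names, and function names are assumptions made for illustration.

```python
from datetime import datetime

SLEEP_SECONDS = 180  # 3-minute sleep timer reported in the article
ACTIVE = {"registry_write", "file_create", "net_connect"}

# Constructed sandbox trace (assumed format): "<ISO time> <pid> <event> <detail>"
SAMPLE_TRACE = """\
2024-01-01T10:00:00 4120 process_start sample.exe
2024-01-01T10:00:01 4120 sleep_call -
2024-01-01T10:03:02 4120 registry_write <placeholder key>
2024-01-01T10:03:03 4120 file_create <placeholder path>
2024-01-01T10:03:05 4120 net_connect <placeholder host>
2024-01-01T10:00:00 4300 process_start helper.exe
2024-01-01T10:00:02 4300 file_create <placeholder path>
"""

def parse_trace(text):
    events = []
    for line in text.splitlines():
        ts, pid, event, detail = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), int(pid), event, detail))
    return sorted(events)

def first_activity_delay(events, window_seconds):
    """Seconds from process_start to the first active event seen inside the window."""
    starts, delays = {}, {}
    for ts, pid, event, _ in events:
        if event == "process_start":
            starts[pid], delays[pid] = ts, None
        elif event in ACTIVE and pid in starts and delays[pid] is None:
            elapsed = (ts - starts[pid]).total_seconds()
            if elapsed <= window_seconds:  # later events fall outside the run
                delays[pid] = elapsed
    return delays

def assess(events, window_seconds, min_delay=SLEEP_SECONDS):
    # A quiet process in a window shorter than the sleep is not a clean result.
    verdicts = {}
    for pid, delay in first_activity_delay(events, window_seconds).items():
        if delay is None:
            verdicts[pid] = "inconclusive" if window_seconds <= min_delay else "no-activity"
        elif delay >= min_delay:
            verdicts[pid] = "delayed-start"
        else:
            verdicts[pid] = "normal"
    return verdicts

if __name__ == "__main__":
    print(assess(parse_trace(SAMPLE_TRACE), window_seconds=120))
```

With a 120-second window the sleeping process shows no activity and is reported as inconclusive rather than benign; extending the window past the sleep timer exposes the delayed start.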
The DarkComet trojan campaign is using the following C&C server: