Architectural companies targeted by new DarkComet RAT campaign

Companies active in architecture are being targeted by a malicious email campaign that distributes DarkComet-infected files. The cybercriminals behind the “architecture DarkComet campaign” are trying to push the “AutoCad-export.exe” file onto unwary users.

The “AutoCad-export.exe” file was identified by the company CSIS, which ran the DarkComet sample through the VirusTotal service. View the VirusTotal report here.

VirusTotal report on the DarkComet malware

The malicious email sent to architectural companies

The malicious email targets Danish architecture firms, and the email that was found is written in Danish. The CSIS report states that the cybercriminals disguised the AutoCad-export.exe file with a pictogram that is actually a malformed AutoCad icon.

CSIS reports that when the file is opened, it starts collecting massive amounts of data, and CSIS has also classified it as a data stealer. The DarkComet RAT contains various features that allow the cybercriminals operating it to take full control of the device.

Here are some of the features included in the DarkComet RAT:

  • Keylogger
  • Webcam starter
  • Microphone starter
  • Remote Desktop Control
  • Clipboard stealer

The CSIS report provides some critical values for security researchers. The architecture campaign creates the following files in the listed directories:

  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.INI
  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe.config
  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe
  • C:\nzlvnwssfdllyuESBS.dll

It also changes the following registry keys:

  • HKEY_CLASSES_ROOT\AppID\winsec.exe
  • HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe

Another interesting fact is that the Remote Access Trojan contains techniques to hide from virtual environments such as VirtualBox. Security researchers are known to run discovered malware in virtual machines, and the cybercriminals behind the campaign have included techniques to evade VirtualBox machines.

The cybercriminals also added a sleep function to the DarkComet Trojan, with the sleep timer set to 3 minutes. This means that the DarkComet Trojan will only start operating 3 minutes after it is launched.

The DarkComet campaign uses the following C&C server:

  • 107.191.46.220
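As an added example (not part of the article or the CSIS report), the script below turns the indicators listed above, the dropped file names, the two AppID registry keys and the C&C address, into a small matcher that can be run over host and network log lines. The log line format is a hypothetical one chosen for this example ("timestamp host=... type=... field=value"), and the sample lines are constructed, not captured data. Because the report notes a 3-minute sleep before the RAT starts operating, the script also measures the delay between the first dropped file and the first contact with the C&C server on each host, which is a useful sanity check when a sandbox run is too short to see any network activity.

```python
"""Added example: match the published DarkComet campaign indicators
against constructed host and network log lines.

Not the article's or CSIS's own tooling; the log format is hypothetical.
"""
import re
from datetime import datetime
from typing import Dict, List, Optional

# Indicators exactly as the article reproduces them from the CSIS report.
C2_IPS = {"107.191.46.220"}
DROPPED_FILE_NAMES = {
    "autocad-export.ini",
    "autocad-export.exe.config",
    "autocad-export.exe",
    # Printed as C:nzlvnwssfdllyuESBS.dll in the report; basename taken as-is.
    "nzlvnwssfdllyuesbs.dll",
}
REGISTRY_KEYS = {
    r"hkey_classes_root\appid\winsec.exe",
    r"hkey_classes_root\appid\autocad-export.exe",
}

# Hypothetical line format for this example:
#   "<ISO-8601 timestamp> host=<name> type=<event type> <field>=<value>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) type=(?P<type>\S+) (?P<field>\w+)=(?P<value>.+)$"
)

# Constructed sample log (not real telemetry). One workstation shows the
# file drop, the registry change and, ~3 minutes later, the C&C contact.
SAMPLE_LOG = [
    r"2013-05-02T10:14:03Z host=ARCH-WS01 type=file_create path=C:\DOCUME~1\jens\LOCALS~1\Temp\AutoCad-export.exe",
    r"2013-05-02T10:14:04Z host=ARCH-WS01 type=file_create path=C:\DOCUME~1\jens\LOCALS~1\Temp\tegning-v2.dwg",
    r"2013-05-02T10:14:05Z host=ARCH-WS01 type=reg_set key=HKCR\AppID\winsec.exe",
    r"2013-05-02T10:17:09Z host=ARCH-WS01 type=net_conn dst=107.191.46.220",
    r"2013-05-02T10:17:10Z host=ARCH-WS02 type=net_conn dst=93.184.216.34",
    r"2013-05-02T10:18:30Z host=ARCH-WS02 type=file_create path=C:\Users\mette\Desktop\AutoCad-export-notes.txt",
]


def normalize_reg_key(key: str) -> str:
    """Lower-case the key and expand the HKCR abbreviation to its long form."""
    k = key.strip().lower()
    if k.startswith("hkcr\\"):
        k = "hkey_classes_root\\" + k[len("hkcr\\"):]
    return k


def match_line(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the line matches an indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    value = ev["value"]
    hit = {"ts": ev["ts"], "host": ev["host"], "indicator": value}
    if ev["type"] == "file_create":
        # Compare only the basename, so any user profile directory matches.
        name = value.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILE_NAMES:
            return {**hit, "kind": "file"}
    elif ev["type"] == "reg_set":
        if normalize_reg_key(value) in REGISTRY_KEYS:
            return {**hit, "kind": "registry"}
    elif ev["type"] == "net_conn":
        if value.strip() in C2_IPS:
            return {**hit, "kind": "c2"}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run the matcher over every line and keep the hits in log order."""
    return [h for h in (match_line(l) for l in lines) if h is not None]


def seconds_to_first_beacon(hits: List[Dict[str, str]]) -> Dict[str, float]:
    """Per host, seconds between the first dropped file and the first C&C contact."""
    first_file: Dict[str, datetime] = {}
    first_c2: Dict[str, datetime] = {}
    for h in hits:
        ts = datetime.fromisoformat(h["ts"].replace("Z", "+00:00"))
        bucket = first_file if h["kind"] == "file" else first_c2 if h["kind"] == "c2" else None
        if bucket is not None and h["host"] not in bucket:
            bucket[h["host"]] = ts
    return {
        host: (first_c2[host] - first_file[host]).total_seconds()
        for host in first_file
        if host in first_c2
    }


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['host']} {h['kind']:8} {h['indicator']}")
    for host, secs in seconds_to_first_beacon(found).items():
        print(f"{host}: first C&C contact {secs:.0f}s after first dropped file")
```

On the constructed log the matcher flags three events on ARCH-WS01 (the dropped executable, the AppID key and the C&C connection) and nothing on ARCH-WS02, and reports a 186-second gap between the file drop and the first beacon, which is in line with the 3-minute sleep timer described in the report. Matching on file basenames rather than the full `DOCUME~1` path keeps the rule independent of the user profile name, and normalising `HKCR` to `HKEY_CLASSES_ROOT` avoids missing hits from tools that log the short form.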