Architectural companies targeted by new DarkComet RAT campaign

Among the features built into the DarkComet RAT are:

  • Keylogger
  • Webcam starter
  • Microphone starter
  • Remote Desktop Control
  • Clipboard stealer

The CSIS report also provides indicators of compromise that security researchers can use for detection. The campaign drops the following files in the directories listed below ([Brugerprofil] is the report's Danish placeholder for the user's profile directory):

  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.INI
  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe.config
  • C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe
  • C:\nzlvnwssfdllyuESBS.dll

It also modifies the following registry keys:

  • HKEY_CLASSES_ROOT\AppID\winsec.exe
  • HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe

Another interesting detail is that the Remote Access Trojan contains techniques for detecting and hiding from virtual environments such as VirtualBox. Security researchers routinely run captured malware inside virtual machines, and the cybercriminals behind this campaign have built in checks intended to recognise a VirtualBox guest and behave differently there.

The cybercriminals have also configured a sleep delay in the DarkComet Trojan, with the timer set to 3 minutes. This means the Trojan only starts operating 3 minutes after it is executed, a common trick for outlasting the short execution window of automated sandbox analysis.

The DarkComet Trojan campaign uses the following command-and-control (C&C) server:

  • 107.191.46.220
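The indicators above (dropped files, registry keys and the C&C address) are only useful if they are actually checked against hosts and logs. The following script is an added example written for this page, not code from the article or from CSIS: it turns the published indicators into a small matcher and runs it over constructed sample data (a file listing, a registry export and a few proxy log lines, all hypothetical). The path separators are restored to the form the page lost, the [Brugerprofil] placeholder becomes a wildcard for the per-user directory, and the C&C address is matched with boundaries so that 107.191.46.2 or 107.191.46.2201 do not produce false hits.

```python
"""IOC matcher for the DarkComet campaign indicators published above.

Added example, not part of the original article or the CSIS report.
All sample inputs below are constructed for illustration.
"""
import re
from fnmatch import fnmatchcase

# Dropped files from the report. "[Brugerprofil]" (Danish: user profile)
# is the per-user directory, so it is replaced with a glob wildcard.
FILE_IOCS = [
    r"C:\DOCUME~1\*\LOCALS~1\Temp\AutoCad-export.INI",
    r"C:\DOCUME~1\*\LOCALS~1\Temp\AutoCad-export.exe.config",
    r"C:\DOCUME~1\*\LOCALS~1\Temp\AutoCad-export.exe",
    r"C:\nzlvnwssfdllyuESBS.dll",  # used exactly as printed on the page
]

# Registry keys from the report.
REGISTRY_IOCS = [
    r"HKEY_CLASSES_ROOT\AppID\winsec.exe",
    r"HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe",
]

# C&C server from the report.
C2_IPS = {"107.191.46.220"}

# Hive abbreviations as they appear in .reg exports and tooling output.
_HIVES = {
    "hkcr": "hkey_classes_root",
    "hklm": "hkey_local_machine",
    "hkcu": "hkey_current_user",
    "hku": "hkey_users",
}

# Match the exact dotted quad, not a longer or shorter address containing it.
_C2_RE = re.compile(
    r"(?<![\d.])(" + "|".join(re.escape(ip) for ip in sorted(C2_IPS)) + r")(?![\d.])"
)


def _norm_path(path: str) -> str:
    # Windows paths are case-insensitive; compare lower-cased and stripped.
    return path.strip().lower()


def _norm_key(key: str) -> str:
    # Lower-case the key and expand an abbreviated hive name.
    key = key.strip().lower()
    hive, sep, rest = key.partition("\\")
    return _HIVES.get(hive, hive) + sep + rest


def match_files(paths):
    """Return (path, ioc) pairs for every path matching a file indicator."""
    hits = []
    for path in paths:
        for ioc in FILE_IOCS:
            if fnmatchcase(_norm_path(path), ioc.lower()):
                hits.append((path, ioc))
                break
    return hits


def match_registry(keys):
    """Return the registry keys that equal a published indicator."""
    wanted = {_norm_key(ioc) for ioc in REGISTRY_IOCS}
    return [key for key in keys if _norm_key(key) in wanted]


def match_c2(log_text: str):
    """Return (line_number, ip) for every log line contacting a C&C address."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        found = _C2_RE.search(line)
        if found:
            hits.append((number, found.group(1)))
    return hits


# Constructed sample data (hypothetical host and proxy output).
SAMPLE_FILES = [
    r"C:\DOCUME~1\jdoe\LOCALS~1\Temp\autocad-export.exe",
    r"C:\DOCUME~1\jdoe\LOCALS~1\Temp\AutoCad-export.exe.config",
    r"C:\Program Files\Autodesk\AutoCAD\acad.exe",
    r"C:\WINDOWS\system32\winsec.exe",
]
SAMPLE_REGISTRY = [
    r"HKCR\AppID\winsec.exe",
    r"HKEY_CLASSES_ROOT\AppID\{00000000-0000-0000-0000-000000000000}",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\AutoCad-export",
]
SAMPLE_PROXY_LOG = """\
2012-01-01 09:01:12 10.0.0.15 TCP_MISS 200 GET http://107.191.46.220/
2012-01-01 09:01:14 10.0.0.15 TCP_MISS 200 GET http://107.191.46.2/
2012-01-01 09:02:33 10.0.0.22 TCP_DENIED 403 CONNECT 107.191.46.220:443
"""

if __name__ == "__main__":
    for hit in match_files(SAMPLE_FILES):
        print("file hit:", hit)
    for hit in match_registry(SAMPLE_REGISTRY):
        print("registry hit:", hit)
    for hit in match_c2(SAMPLE_PROXY_LOG):
        print("C&C hit:", hit)
```

Note that the script deliberately does not flag `C:\WINDOWS\system32\winsec.exe`: the report lists a registry key named winsec.exe, not a file path, and matching on the bare name would produce noise. If the campaign's loader is found to live at a fixed path, add that path as its own indicator rather than loosening the match.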