DarkComet is a Windows remote administration tool and backdoor.[1][2]

ID: S0334
Associated Software: DarkKomet, Fynloski, Krademok, FYNLOS
Platforms: Windows
Version: 1.0

Associated Software Descriptions

| Name | Description |
|---|---|
| DarkKomet | [1] |
| Fynloski | [1] |
| Krademok | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1123 | Audio Capture | DarkComet can listen in to victims' conversations through the system’s microphone. [1] [2] |
| Enterprise | T1115 | Clipboard Data | DarkComet can steal data from the clipboard. [2] |
| Enterprise | T1059 | Command-Line Interface | DarkComet can launch a remote shell to execute commands on the victim’s machine. [2] |
| Enterprise | T1089 | Disabling Security Tools | DarkComet can disable Security Center functions like anti-virus and the Windows Firewall. [1] [2] |
| Enterprise | T1056 | Input Capture | DarkComet has a keylogging capability. [1] |
| Enterprise | T1036 | Masquerading | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as legitimate. [1] |
| Enterprise | T1112 | Modify Registry | DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC. [1] [2] |
| Enterprise | T1057 | Process Discovery | DarkComet can list active processes running on the victim’s machine. [2] |
| Enterprise | T1060 | Registry Run Keys / Startup Folder | DarkComet adds several Registry entries to enable automatic execution at every system startup. [1] [2] |
| Enterprise | T1076 | Remote Desktop Protocol | DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard. [2] |
| Enterprise | T1105 | Remote File Copy | DarkComet can load any files onto the infected machine to execute. [1] [2] |
| Enterprise | T1064 | Scripting | DarkComet can execute various types of scripts on the victim’s machine. [2] |
| Enterprise | T1045 | Software Packing | DarkComet has the option to compress its payload using UPX or MPRESS. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | DarkComet can use HTTP for C2 communications. [2] |
| Enterprise | T1082 | System Information Discovery | DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine. [1] [2] |
| Enterprise | T1033 | System Owner/User Discovery | DarkComet gathers the username from the victim’s machine. [1] |
| Enterprise | T1125 | Video Capture | DarkComet can access the victim’s webcam to take pictures. [1] [2] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0083 | SilverTerrier | [3] |
| G0082 | APT38 | [4] |