DarkComet

DarkComet is a Windows remote administration tool and backdoor.[1][2]

ID: S0334
Associated Software: DarkKomet, Fynloski, Krademok, FYNLOS

Type: MALWARE
Platforms: Windows

Version: 1.0

Associated Software Descriptions

Name | Description
DarkKomet | [1]
Fynloski | [1]
Krademok | [1]
FYNLOS | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1123 | Audio Capture | DarkComet can listen in to victims' conversations through the system's microphone.[1][2]
Enterprise | T1115 | Clipboard Data | DarkComet can steal data from the clipboard.[2]
Enterprise | T1059 | Command-Line Interface | DarkComet can launch a remote shell to execute commands on the victim's machine.[2]
Enterprise | T1089 | Disabling Security Tools | DarkComet can disable Security Center functions like anti-virus and the Windows Firewall.[1][2]
Enterprise | T1056 | Input Capture | DarkComet has a keylogging capability.[1]
Enterprise | T1036 | Masquerading | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as legitimate software.[1]
Enterprise | T1112 | Modify Registry | DarkComet adds Registry values for its installation routine under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA="0") and HKEY_CURRENT_USER\Software\DC3_FEXEC.[1][2]
Enterprise | T1057 | Process Discovery | DarkComet can list active processes running on the victim's machine.[2]
Enterprise | T1060 | Registry Run Keys / Startup Folder | DarkComet adds several Registry entries to enable automatic execution at every system startup.[1][2]
Enterprise | T1076 | Remote Desktop Protocol | DarkComet can open an active screen of the victim's machine and take control of the mouse and keyboard.[2]
Enterprise | T1105 | Remote File Copy | DarkComet can load any files onto the infected machine to execute.[1][2]
Enterprise | T1064 | Scripting | DarkComet can execute various types of scripts on the victim's machine.[2]
Enterprise | T1045 | Software Packing | DarkComet has the option to compress its payload using UPX or MPRESS.[2]
Enterprise | T1071 | Standard Application Layer Protocol | DarkComet can use HTTP for C2 communications.[2]
Enterprise | T1082 | System Information Discovery | DarkComet can collect the computer name, RAM used, and operating system version from the victim's machine.[1][2]
Enterprise | T1033 | System Owner/User Discovery | DarkComet gathers the username from the victim's machine.[1]
Enterprise | T1125 | Video Capture | DarkComet can access the victim's webcam to take pictures.[1][2]
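A defender-side check for the Modify Registry and Masquerading artifacts listed above, written as an added Python example that is not part of the ATT&CK entry. It runs over constructed Sysmon-style registry events (the sample lines, the SID and the value name under DC3_FEXEC are made up for the example) and flags the EnableLUA=0 write, any write under HKCU\Software\DC3_FEXEC, and registry writes by the masquerading file names.

```python
import re

# Registry artifacts from the Modify Registry entry, with the hive prefix normalised to HKCU.
UAC_VALUE = r"hkcu\software\microsoft\windows\currentversion\policies\system\enablelua"
DC3_KEY_PREFIX = r"hkcu\software\dc3_fexec"
# File names from the Masquerading entry.
MASQ_NAMES = {"windefender.exe", "winupdate.exe"}

# Constructed Sysmon-style "registry value set" (EventID 13) lines; not real telemetry.
SAMPLE_EVENTS = [
    r"EventID=13 Image=C:\Users\alice\AppData\Roaming\winupdate.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000000)",
    r"EventID=13 Image=C:\Users\alice\AppData\Roaming\winupdate.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\DC3_FEXEC\sample_value Details=constructed",
    r"EventID=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Details=DWORD (0x00000001)",
]

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")
HKU_SID_RE = re.compile(r"^(hkey_current_user|hkcu|hku\\s-1-5-21-[\d-]+)\\")

def parse_event(line: str) -> dict:
    """Split a 'Key=Value Key=Value' line into a dict; values may contain spaces."""
    return {k: v for k, v in FIELD_RE.findall(line)}

def normalize_path(target: str) -> str:
    """Lower-case the path and fold HKEY_CURRENT_USER / HKU\\<SID> onto an HKCU prefix."""
    return HKU_SID_RE.sub(r"hkcu\\", target.lower())

def dword_value(details: str):
    """Integer from Sysmon's 'DWORD (0x00000000)' rendering; None for non-DWORD data."""
    m = re.search(r"DWORD \(0x([0-9a-fA-F]+)\)", details)
    return int(m.group(1), 16) if m else None

def check_event(event: dict) -> list:
    """Return the DarkComet indicators matched by one parsed registry event."""
    findings = []
    path = normalize_path(event.get("TargetObject", ""))
    if path == UAC_VALUE and dword_value(event.get("Details", "")) == 0:
        findings.append("T1112: EnableLUA set to 0 under HKCU Policies\\System (UAC disabled)")
    if path.startswith(DC3_KEY_PREFIX):
        findings.append("T1112: write under HKCU\\Software\\DC3_FEXEC (DarkComet install key)")
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image in MASQ_NAMES:
        findings.append(f"T1036: registry write by masquerading file name {image}")
    return findings

def scan(lines) -> list:
    """Return (line_index, findings) for every event that matches at least one indicator."""
    hits = []
    for i, line in enumerate(lines):
        findings = check_event(parse_event(line))
        if findings:
            hits.append((i, findings))
    return hits
```

On a real host the same rules apply to Sysmon EventID 13 records exported from the event log; an EnableLUA value of 0 written by a process outside the Windows directory is the highest-signal match.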

Groups

Groups that use this software:

APT38
SilverTerrier

References