DarkComet

DarkComet is a Windows remote administration tool and backdoor.[1][2]

ID: S0334
Associated Software: DarkKomet, Fynloski, Krademok, FYNLOS
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 29 January 2019
Last Modified: 28 March 2020

Associated Software Descriptions

Name        Description
DarkKomet   [1]
Fynloski    [1]
Krademok    [1]
FYNLOS      [1]

Techniques Used

Domain ID Name Use

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[1]

Enterprise T1112 Modify Registry

DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC.[1][2]

Enterprise T1115 Clipboard Data

DarkComet can steal data from the clipboard.[2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

DarkComet adds several Registry entries to enable automatic execution at every system startup.[1][2]

Enterprise T1059 Command and Scripting Interpreter

DarkComet can execute various types of scripts on the victim's machine.[2]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

DarkComet can launch a remote shell to execute commands on the victim's machine.[2]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

DarkComet can disable Security Center functions like anti-virus.[1][2]

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

DarkComet can disable Security Center functions like the Windows Firewall.[1][2]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

DarkComet can use HTTP for C2 communications.[2]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

DarkComet has the option to compress its payload using UPX or MPRESS.[2]

Enterprise T1082 System Information Discovery

DarkComet can collect the computer name, RAM used, and operating system version from the victim's machine.[1][2]

Enterprise T1033 System Owner/User Discovery

DarkComet gathers the username from the victim's machine.[1]

Enterprise T1125 Video Capture

DarkComet can access the victim's webcam to take pictures.[1][2]

Enterprise T1105 Ingress Tool Transfer

DarkComet can load any files onto the infected machine to execute.[1][2]

Enterprise T1056 .001 Input Capture: Keylogging

DarkComet has a keylogging capability.[1]

Enterprise T1057 Process Discovery

DarkComet can list active processes running on the victim's machine.[2]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

DarkComet can open an active screen of the victim's machine and take control of the mouse and keyboard.[2]

Enterprise T1123 Audio Capture

DarkComet can listen in to victims' conversations through the system's microphone.[1][2]
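A detection check for the host artifacts this page cites (the masquerading file names under T1036.005 and the EnableLUA="0" and DC3_FEXEC registry writes under T1112), written here as an added example rather than code from ATT&CK or the cited reports. It assumes Sysmon-style event fields (EventID, Image, TargetFilename, TargetObject, Details) and runs over constructed sample events.

```python
import re

# Artifacts cited on this page (ATT&CK S0334): the two masquerading file
# names, the EnableLUA="0" policy value and the DC3_FEXEC installation key.
MASQUERADE_NAMES = {"windefender.exe", "winupdate.exe"}
ENABLE_LUA_RE = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\policies\\system\\enablelua$", re.I)
DC3_FEXEC_RE = re.compile(r"\\software\\dc3_fexec(\\|$)", re.I)
ZERO_DWORD_RE = re.compile(r"DWORD \(0x0+\)$", re.I)  # Sysmon renders a zero DWORD this way


def check_event(ev: dict) -> list:
    """Return (technique, reason) hits for one Sysmon-style event dict."""
    hits = []
    eid = ev.get("EventID")
    if eid in (12, 13):  # RegistryEvent: key created/deleted (12) or value set (13)
        target = ev.get("TargetObject", "")
        if DC3_FEXEC_RE.search(target):
            hits.append(("T1112", "registry activity under DC3_FEXEC: " + target))
        if eid == 13 and ENABLE_LUA_RE.search(target) and ZERO_DWORD_RE.search(ev.get("Details", "")):
            hits.append(("T1112", "EnableLUA set to 0 (UAC prompts disabled): " + target))
    # Process create (1) carries Image; file create (11) carries TargetFilename.
    path = ev.get("Image") if eid == 1 else ev.get("TargetFilename") if eid == 11 else None
    if path and path.replace("/", "\\").rsplit("\\", 1)[-1].lower() in MASQUERADE_NAMES:
        hits.append(("T1036.005", "DarkComet-style masquerading file name: " + path))
    return hits


def scan(events: list) -> list:
    """Run check_event over an event list and collect every hit in order."""
    return [hit for ev in events for hit in check_event(ev)]


# Constructed sample events (not real telemetry), using Sysmon field names.
# HKCU appears in Sysmon as HKU\<SID>; the SID and the value name are made up.
SID = r"HKU\S-1-5-21-1-2-3-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\winupdate.exe"},
    {"EventID": 13, "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "TargetObject": SID + r"\Software\DC3_FEXEC\SampleValue", "Details": "(constructed)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe"},  # benign
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000001)"},  # benign: UAC left enabled
]

if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, reason)
```

The file-name check fires on the names alone and will need tuning against local software inventory; the registry checks are narrower because they key on the full policy path and the zero value.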

Groups That Use This Software

References