
A few days ago a spear phishing campaign was launched against a number of architecture firms in Denmark.

The campaign comes from the same cyber-criminal group that ran similar spear phishing attacks against Danish chiropractors in the previous weeks.

As our malware specialists have observed, each e-mail is customized for its specific target to increase the chance of success, and the text is written in flawless Danish so that it raises no suspicion.

This latest attack also brings another change: the malicious code now carries the infamous DarkComet RAT.

Before we disclose how this phishing campaign takes place, let us clarify a few technical terms:


What is a Spear Phishing Campaign?

As most people know, phishing refers to online attempts to collect valuable information and sensitive data from an individual or an organization. The targeted information ranges from online account credentials and credit card details to economic or political secrets.

Phishing attacks usually target a large number of users through spam campaigns that carry malicious attachments or links leading to web locations controlled by cyber-criminals.

A spear phishing campaign is slightly different: it targets specific individuals or institutions.

Before launching such an attack, cyber-criminals collect pieces of information they can use to customize the bait, which is usually the e-mail they send to the target. Because this type of attack is not sent out blindly but is crafted and adjusted for a known target, the chances of success are far higher.


What is DarkComet RAT (Remote Administration Tool)?

As the name says, it is a remote administration tool that lets a remote user control one or many machines from a distance.

Installed on many computers, it turns them into a network that can be directed remotely and used to launch attacks (such as DDoS floods) against any website. On a single system, it can change settings, read documents and carry out whatever instructions the operator sends.

In other words, this tool breaks every security and privacy rule there is, and for a company an infection is nothing short of a disaster.

Antivirus products do detect the plain DarkComet code, but in the latest attacks we have encountered attackers who encrypt and pack the tool to evade that detection.

For this reason, antivirus products need to focus their detection not only on the main malicious code, but also on the packer or cryptor that hides the trojan.

Although the author of DarkComet RAT discontinued support for it, the tool is still sold on the underground malware market and we will keep hearing about it in the future.
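One practical check against the cryptor problem just described: packed or encrypted code is statistically close to random, so a responder can triage a suspicious attachment by its byte entropy before any signature fires. The Python script below is an added example written for this page, not code from the original post or from Heimdal; the window size, the 7.0 bits/byte cutoff and the three sample byte strings are constructed assumptions, not values taken from the real dropper.

```python
import math
import random
from collections import Counter

# Triage heuristic: a packed or encrypted payload has near-random bytes, so its
# Shannon entropy approaches 8 bits/byte, while plain code and text stay well
# below. The cutoffs are assumptions chosen for this example, not page values.
WINDOW = 512             # bytes per entropy window
HIGH_ENTROPY = 7.0       # bits/byte; windows at or above this look random
MIN_HIGH_FRACTION = 0.5  # flag the blob if at least half its windows are high-entropy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, window: int = WINDOW) -> list:
    """Entropy of each consecutive window; a long high-entropy run is the packed body."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def looks_packed(data: bytes, window: int = WINDOW, threshold: float = HIGH_ENTROPY,
                 min_fraction: float = MIN_HIGH_FRACTION) -> bool:
    """True when enough of the blob is high-entropy to suggest a cryptor or packer."""
    profile = entropy_profile(data, window)
    if not profile:
        return False
    high = sum(1 for e in profile if e >= threshold)
    return high / len(profile) >= min_fraction


def triage(name: str, data: bytes) -> dict:
    """The summary a responder would log for a suspicious dropper."""
    profile = entropy_profile(data)
    return {
        "name": name,
        "size": len(data),
        "entropy": round(shannon_entropy(data), 2),
        "max_window_entropy": round(max(profile), 2) if profile else 0.0,
        "likely_packed": looks_packed(data),
    }


# Constructed samples (not bytes from the real dropper):
# - PLAIN_SAMPLE imitates ordinary strings and code: low entropy.
# - PACKED_SAMPLE imitates an encrypted payload: seeded pseudo-random bytes.
# - STUB_PLUS_BLOB imitates a cryptor: a small plain loader in front of the blob.
PLAIN_SAMPLE = b"This is an ordinary program section: MZ header, imports, strings. " * 64
_rng = random.Random(2015)
PACKED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
STUB_PLUS_BLOB = PLAIN_SAMPLE[:WINDOW] + PACKED_SAMPLE

if __name__ == "__main__":
    for label, blob in [("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE),
                        ("stub+blob", STUB_PLUS_BLOB)]:
        print(triage(label, blob))
```

Run as a script it prints the triage summary for the three constructed samples. On a real PE you would apply the same measure per section (pefile's section objects expose get_entropy() for this) rather than over the whole file, because a cryptor keeps a small low-entropy loader in front of the high-entropy payload, which is exactly what the stub+blob sample imitates. High entropy alone is not proof of malice, since compressed resources and installers score high as well; treat it as a triage signal to combine with the host and network indicators an analysis provides, not as a verdict.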


How does this phishing campaign spread the DarkComet RAT?

Since time is of the essence, here are the key elements of this latest spear phishing e-mail:

1. First, take a look at the phishing e-mail obtained by our security analysts:

[Image: screenshot of the phishing e-mail]

2. As you can see, the e-mail contains a link to Dropbox. If the target clicks it, a file camouflaged with an AutoCAD icon is downloaded to the system: “AutoCad-export.exe” (778752 bytes).

3. If the downloaded file is run, the data-stealing software can carry out the following actions:

  • keylogging
  • data harvest
  • screen capturing
  • microphone and webcam activation
  • setting up an RDP session

4. The main component is copied to this folder ([brugerkonto] stands for the user account name):

C:\Users\[brugerkonto]\AppData\Roaming\Microsoft\Security\winsec.exe

5. To fool the victim, the malware displays a fake error message when it is executed:

[Image: the fake error message shown by the malware]

6. At the same time, the following files are written to the infected system ([Brugerprofil] stands for the user profile name):

C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.INI
C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe.config
C:\DOCUME~1\[Brugerprofil]\LOCALS~1\Temp\AutoCad-export.exe
C:\nzlvnwssfdllyuESBS.dll

and the following keys appear in the registry:

HKEY_CLASSES_ROOT\AppID\winsec.exe
HKEY_CLASSES_ROOT\AppID\AutoCad-export.exe


What about the Cryptor that hides the DarkComet RAT?

As we mentioned earlier, the main malicious code is hidden by a cryptor so that antivirus products do not recognise it. The unpacked main payload appears as “WebMatcher3.exe“.

Once running, the payload receives commands from its operator and reports back; the commands allow the attacker to:

  • update
  • enable remote administration
  • send traffic to a web location
  • launch a DDoS attack

You can find below the full command set recovered from the remote administration tool. Each entry is the command name (prefixed BTRESULT) followed by the status message the bot returns after executing it; in the string dump the two run straight into one another, so a separator has been inserted here, and the list, which appeared twice in the dump, is given once:

BTRESULT Ping | Respond [OK] for the ping !
BTRESULT Update from URL | Update : File Downloaded , Executing new one in temp dir…
BTRESULT UDP Flood | UDP Flood task finished!
BTRESULT HTTP Flood | Http Flood task finished!
BTRESULT Visit URL | finished to visit 0000E18C 47e310 -> BTRESULT Open URL
BTRESULT Uninstall | uninstall command receive, bye bye…
BTRESULT Run command
BTRESULT Close Server | close command receive, bye bye…
BTRESULT Mass Download | Downloading File…
BTRESULT Download File | Mass Download : File Downloaded , Executing new one in temp dir…
BTRESULT Syn Flood | Syn task finished!

To complicate antivirus detection and code analysis, a number of anti-debugging and virtual-machine checks have been added; among other things, they look for VirtualBox artifacts such as VBoxHook.dll and the VBoxMiniRdrDN device.

The main command-and-control servers are hosted in Canada at the following IP address: 107[.]191.46.220.
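The host artifacts listed in steps 4 to 6 and the C2 address above give a defender enough to hunt for this sample in endpoint telemetry. The Python script below is an added example written for this page, not tooling from the original post or from Heimdal: it encodes those indicators as rules and runs them over a handful of constructed Sysmon-style log records. The "Key=Value|Key=Value" line format, the user name "alice" and every record are made up for the example, and the backslashes in the paths are reconstructed, since the page's extraction stripped them.

```python
import re

# Indicators taken from the page. The page's extraction dropped the backslashes
# from every path, so the separators here are reconstructed (assumption); the
# drive-root DLL keeps the page's spelling.
C2_IP = "107.191.46.220"

FILE_IOCS = {
    "winsec.exe copied to AppData\\Roaming\\Microsoft\\Security": re.compile(
        r"\\AppData\\Roaming\\Microsoft\\Security\\winsec\.exe$", re.I),
    "AutoCad-export dropper files staged in Temp": re.compile(
        r"\\Temp\\AutoCad-export\.(exe|INI|exe\.config)$", re.I),
    "ESBS.dll written to the drive root": re.compile(
        r"^[A-Za-z]:\\[^\\]*ESBS\.dll$", re.I),
}
REGISTRY_IOC = re.compile(
    r"^(HKEY_CLASSES_ROOT|HKCR)\\AppID\\(winsec|AutoCad-export)\.exe$", re.I)


def parse_line(line: str) -> dict:
    """Parse one 'Key=Value|Key=Value' record (constructed Sysmon-like format)."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def match_event(ev: dict) -> list:
    """Return the names of every indicator this one event matches."""
    hits = []
    for field in ("Image", "TargetFilename"):   # running binary or file written
        path = ev.get(field, "")
        hits += [name for name, rx in FILE_IOCS.items() if rx.search(path)]
    if REGISTRY_IOC.match(ev.get("TargetObject", "")):
        hits.append("AppID registry key for dropped binary")
    if ev.get("DestinationIp") == C2_IP:
        hits.append("outbound connection to C2 " + C2_IP)
    return hits


def scan(log_text: str) -> list:
    """Scan a whole log; returns (line number, indicator name) pairs."""
    findings = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        if line.strip():
            findings += [(lineno, name) for name in match_event(parse_line(line))]
    return findings


# Constructed telemetry for one victim machine; not real log data.
SAMPLE_LOG = r"""
EventType=FileCreate|Image=C:\Program Files\Dropbox\Dropbox.exe|TargetFilename=C:\Users\alice\Downloads\AutoCad-export.exe
EventType=ProcessCreate|Image=C:\Users\alice\Downloads\AutoCad-export.exe|ParentImage=C:\Windows\explorer.exe
EventType=FileCreate|Image=C:\Users\alice\Downloads\AutoCad-export.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Security\winsec.exe
EventType=FileCreate|Image=C:\Users\alice\Downloads\AutoCad-export.exe|TargetFilename=C:\Users\alice\AppData\Local\Temp\AutoCad-export.INI
EventType=FileCreate|Image=C:\Users\alice\Downloads\AutoCad-export.exe|TargetFilename=C:\nzlvnwssfdllyuESBS.dll
EventType=RegistryEvent|Image=C:\Users\alice\Downloads\AutoCad-export.exe|TargetObject=HKEY_CLASSES_ROOT\AppID\winsec.exe
EventType=NetworkConnect|Image=C:\Users\alice\AppData\Roaming\Microsoft\Security\winsec.exe|DestinationIp=107.191.46.220
EventType=NetworkConnect|Image=C:\Program Files\Mozilla Firefox\firefox.exe|DestinationIp=93.184.216.34
"""

if __name__ == "__main__":
    for lineno, name in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name}")
```

Running it prints one finding per matched record. The first record, the download into the Downloads folder, is deliberately not matched because the page's indicator is the copy staged under Temp, and the last record, a browser talking to an unrelated address, produces nothing. The same paths and key names can be checked directly on a suspect machine; the log-based form is shown because it also works retrospectively across a whole fleet.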


How can I keep my system protected from a phishing campaign that spreads the DarkComet RAT?

Our malware researchers recommend the following measures to keep your computer safe from a phishing campaign of this kind:

  • Make sure your security solution detects and blocks DarkComet RAT, or add an extra layer of protection such as Heimdal Pro, which blocks phishing attempts even when they arrive via legitimate websites and detects advanced malware. As the VirusTotal analysis shows, detection of this sample is limited: only 8 of 57 security solutions flag it.
  • Keep your operating system and the software you use up to date with the latest security patches; DarkComet RAT is also spread through exploit kits.
  • Back up your operating system and, above all, your most important data, and keep the backup somewhere other than the machine itself. If your system is compromised by DarkComet RAT, you can wipe it and restore your files from the backup.

To provide the best defense against the major threats in the online environment, we will continue to monitor this threat.

This post was originally published by Aurelian Neagu in March 2015.
