Remote access tools (RATs) are a tried-and-true cyber espionage instrument favored by a diverse group of threat actors. They have enabled many of the recent high-profile breaches, including OPM, Premera, and Anthem. While some threat actors have moved on to newer or custom-made RATs when that is what it takes to break through the front door, DarkComet continues to be effective against a wide range of targets. Created in 2008 as a Delphi-coded RAT and later discontinued by its developer, DarkComet is still active and continues to be observed in the wild. Considered the Swiss army knife of RATs, it is popular because it is easy to use, it works, and it is reliable.
DarkComet has a rich toolset and offers several capabilities for surreptitious surveillance. It contains a password-stealing keylogger and video and audio recording capability, and it collects system details such as language and country, operating system identification, computer and user name, administrator rights, RAM in use, and webcam data. DarkComet is also user-friendly, with an easily navigable graphical user interface and a "Fun Manager" control panel that offers a plethora of capabilities.
DarkComet gained notoriety for its use by the Syrian regime to monitor dissident activity. This incident served as the catalyst for DarkComet’s author to end his involvement with the tool. Since then, the tool has been associated with other cyber espionage activities including a campaign of Indian origin between 2010 and 2013.
Most recently, the tool was linked to suspected pro-Syrian regime surveillance that combined female lures with a customized DarkComet variant against its targets. It was also used in connection with the terrorist attack on the French satirical newspaper Charlie Hebdo, via a lure that exploited the hashtag #JeSuisCharlie. Nigerian 419 actors have also leveraged DarkComet and spearphishing to execute targeted attacks. Check out our Phishing in Plain Sight Threat Advisory to learn more.
Script kiddies have taken advantage of this feature-rich tool as well. News sources continue to report on incidents where emerging attackers are deploying DarkComet to compromise a target’s webcam to spy on their victims.
DarkComet’s sustainability is a testament to its ongoing success in gaining access and retrieving valuable data from compromised systems. Advanced threat actors have leveraged DarkComet to deliver other malware once they have secured access to a compromised system.
Sophisticated RATs, including variants of DarkComet, will continue to evolve with new attack vectors. Recent reports have found RATs infiltrating supervisory control and data acquisition (SCADA) systems in critical infrastructure. The ability to surreptitiously control compromised systems, combined with a clandestine means to deploy even more destructive malware, is staggering.
To better understand DarkComet, see our Fidelis Threat Advisory #1018, entitled "Looking at the Sky for a DarkComet."