Fidelis Threat Advisory #1018
Looking at the Sky for a DarkComet
First created in 2008, DarkComet is an efficient function-rich remote access tool (RAT) that has been leveraged against various targets. DarkComet’s author immediately stopped offering the tool in 2012, after its use against Syrian dissidents who supported Syrian President Assad’s regime. The latest version of the tool (5.4.1 Legacy), which does not include a server builder, was also discontinued.
The remarkable aspect of DarkComet is the number of features that it offers via its “Fun Manager” control panel. The tool provides complete control over a victimized computer, which is why it remains a popular choice among diverse hostile actors: script kiddies, cyber criminals, and cyber espionage groups. As a result, we expect to see continued use of DarkComet as a cyber weapon against targets.
- Despite no longer being supported by its author, DarkComet remains active in the wild. We expect lesser skilled actors to use DarkComet directly. More advanced actors will use the tool in a support capacity after committing an initial intrusion.
- Because this RAT exists in many variants, we have provided a more extensive set of detection techniques to address the breadth of the DarkComet variations [See Appendix A].
- DarkComet’s feature-rich tool set makes it an attractive RAT for hostile actors seeking to gain unauthorized access to target systems and to take complete control of the victim’s computing environment. This paper provides a comprehensive overview of the feature set and operation of DarkComet [See Appendix B].
- Adversaries using default configurations are vulnerable to detection via Internet scans. We have conducted such scans and created a global heat map [See Graph 3]. The complete set of discovered controllers is also available [See Appendix C].
- It is possible to extract configuration information for samples that are available in malware sharing repositories. We have made available a subset of configurations in our possession that can be operationalized by enterprise defenders [See Appendix D].
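The last two points describe configurations extracted from samples and a list of discovered controllers as material that defenders can operationalize. The Python below is an added example of one way to do that, and is not code from the advisory or from Fidelis: it reads a small set of constructed configuration records (the field names `c2_host`, `c2_port`, `mutex` and the `SAMPLE_HASH_PLACEHOLDER_*` values are assumptions, not the advisory's format), turns them into network indicators, matches those indicators against constructed DNS and connection log lines, and emits Suricata-style rules for the IP-based indicators.

```python
"""Operationalize extracted RAT configurations as network-log detections.

Added example, not part of the Fidelis advisory. The configuration records
and log lines are constructed for illustration; the field names are an
assumption about what an extraction pipeline would provide.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample: one JSON record per analysed sample, as a defender
# might receive from a configuration-extraction pipeline.
EXTRACTED_CONFIGS = """\
{"sha256": "SAMPLE_HASH_PLACEHOLDER_1", "c2_host": "c2.example.test", "c2_port": 1604, "mutex": "DC_MUTEX-EXAMPLE1"}
{"sha256": "SAMPLE_HASH_PLACEHOLDER_2", "c2_host": "198.51.100.23", "c2_port": 1604, "mutex": "DC_MUTEX-EXAMPLE2"}
{"sha256": "SAMPLE_HASH_PLACEHOLDER_3", "c2_host": "update.example.test", "c2_port": 8080, "mutex": "DC_MUTEX-EXAMPLE3"}
"""

# Constructed DNS and connection log lines in a simple key=value format.
SAMPLE_LOGS = """\
2015-08-01T10:00:01Z type=dns client=10.0.0.5 query=c2.example.test answer=203.0.113.7
2015-08-01T10:00:02Z type=conn src=10.0.0.5 dst=203.0.113.7 dport=1604 proto=tcp
2015-08-01T10:00:03Z type=conn src=10.0.0.9 dst=198.51.100.23 dport=1604 proto=tcp
2015-08-01T10:00:04Z type=conn src=10.0.0.9 dst=192.0.2.10 dport=443 proto=tcp
2015-08-01T10:00:05Z type=dns client=10.0.0.12 query=www.example.test answer=192.0.2.44
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "host" (DNS name) or "ip" (literal IPv4 address)
    value: str
    port: int
    sample: str  # hash of the sample the configuration came from


def parse_configs(text):
    """Parse JSON-lines configuration records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_ip(value):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", value) is not None


def build_indicators(configs):
    """Turn each extracted configuration into a C2 network indicator."""
    return [
        Indicator(kind="ip" if is_ip(c["c2_host"]) else "host",
                  value=c["c2_host"].lower(), port=int(c["c2_port"]),
                  sample=c["sha256"])
        for c in configs
    ]


def scan_logs(log_text, indicators):
    """Return (line_no, sample, reason) for every log line that matches.

    DNS answers for indicator hostnames are remembered so that a later
    connection to the resolved IP on the configured port is also flagged.
    """
    by_host = {i.value: i for i in indicators if i.kind == "host"}
    by_ip = {i.value: i for i in indicators if i.kind == "ip"}
    resolved = {}  # answer IP -> indicator, learned from matching DNS lines
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = dict(KV.findall(line))
        if rec.get("type") == "dns":
            ind = by_host.get(rec.get("query", "").lower())
            if ind:
                resolved[rec.get("answer")] = ind
                hits.append((n, ind.sample, f"dns query for {ind.value}"))
        elif rec.get("type") == "conn":
            dst, dport = rec.get("dst"), int(rec.get("dport", 0))
            ind = by_ip.get(dst) or resolved.get(dst)
            if ind and dport == ind.port:
                hits.append((n, ind.sample, f"tcp to {dst}:{dport} ({ind.value})"))
    return hits


def suricata_rules(indicators, base_sid=9000000):
    """Emit one Suricata rule per IP indicator; hostname indicators are
    better handled through DNS logging, as scan_logs shows. SIDs are
    placeholders to be assigned from the local rule range."""
    rules = []
    for i, ind in enumerate(indicators):
        if ind.kind == "ip":
            rules.append(
                f'alert tcp $HOME_NET any -> {ind.value} {ind.port} '
                f'(msg:"RAT C2 from extracted config {ind.sample}"; '
                f'flow:to_server; sid:{base_sid + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    inds = build_indicators(parse_configs(EXTRACTED_CONFIGS))
    for hit in scan_logs(SAMPLE_LOGS, inds):
        print("HIT line %d sample %s: %s" % hit)
    for rule in suricata_rules(inds):
        print(rule)
```

Matching on the resolved answer IP rather than only on the hostname is what catches the second log line: the DNS lookup and the subsequent TCP connection come from the same host, and the connection alone carries no hostname. Connections to a known-bad IP on a port other than the configured one are deliberately not flagged here; whether to treat the IP alone as sufficient is a tuning decision for the defender.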
To see the full report and findings, visit Fidelis Threat Advisory #1018.