July 12th, 2012, 14:57 GMT · By

DarkComet RAT Used to Target Gamers, Military and Governments, Experts Find

DarkComet RAT was used in numerous attacks, experts find
Researchers from Arbor Networks have analyzed a number of campaigns that relied on the now-infamous DarkComet Remote Access Trojan (RAT). As it turns out, the tool hasn’t been utilized only in attacks against Syrian activists.

After seeing that his creation is used for all sorts of malicious purposes, DarkComet’s developer decided to pull the plug on the project. In the meantime, experts have dissected the operations that depended on it, trying to determine the attackers’ goals and their motives.

“Dark Comet is a very popular RAT and is actively developed and widely used. It can be difficult to determine the motive of the attacker; however, sometimes there are enough traces left over to help us piece together the potential goals of a campaign,” Curt Wilson of Arbor Networks explained.

“RAT infections can be very serious, requiring an in-depth investigation to determine the goals of the attacker and the level of risk posed.”

The security firm holds over 4,000 samples of the RAT. It singled out the more interesting campaigns by analyzing the command and control (C&C) servers, passwords and server IDs the samples used.

The first noteworthy campaign is one in which DarkComet used “Boeing747!@#Legacy123” as a password. The C&C server’s IP address pointed to an area in South Africa where two Air Force bases are located.

While they couldn’t determine the motives, the researchers believe that the bases may have something to do with the attack.

In another campaign, the RAT was possibly used to redirect .gov sites. Hosts files on infected machines contained entries such as “www.security.gov: 74.208.130.89” and “www.searchanddestroy.gov: 74.208.130.89.”

The domains are bogus, but the scenario shows that the cybercriminals were simulating man-in-the-middle attacks and redirects.
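A hosts-file hijack like the one described above is easy to audit for: a defender can parse the file and flag entries that pin sensitive domains to a public address. The following is an added example, not code from the article or from Arbor Networks; the sample hosts content is constructed, reusing only the two .gov names and the IP quoted above.

```python
import ipaddress

# Constructed sample of a Windows hosts file. The two .gov entries mirror the
# strings quoted in the article; the remaining lines are made up for illustration.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
74.208.130.89   www.security.gov
74.208.130.89   www.searchanddestroy.gov
192.168.1.10    fileserver.corp.example   # internal host, left alone
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        for name in parts[1:]:
            yield ip, name.lower()


def suspicious_entries(text, watched_suffixes=(".gov",)):
    """Return (ip, hostname, reason) for entries that redirect a watched domain.

    An entry that maps a watched domain to a routable public address is the
    man-in-the-middle / redirect scenario described in the article. Loopback
    entries are ignored; unparseable addresses are reported separately.
    """
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((ip, name, "unparseable address"))
            continue
        if addr.is_loopback:
            continue
        if name.endswith(watched_suffixes) and addr.is_global:
            findings.append((ip, name, "watched domain pinned to public IP"))
    return findings


if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{name} -> {ip}: {reason}")
```

On a live Windows host the same check would be run over the contents of %SystemRoot%\System32\drivers\etc\hosts.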

Runescape and other gaming communities have also been targeted in operations that leveraged this particular tool.

Other DarkComet samples revealed that some attackers use clever methods to avoid detection.
