Researchers from Arbor Networks have analyzed a number of campaigns that relied on the now-infamous DarkComet Remote Access Trojan (RAT). As it turns out, the tool hasn’t been utilized only in attacks against Syrian activists.
After seeing that his creation is used for all sorts of malicious purposes, DarkComet’s developer decided to pull the plug on the project.
In the meantime, experts have dissected the operations that depended on it, trying to determine the attackers’ goals and their motives.
“Dark Comet is very popular RAT and is actively developed and widely used. It can be difficult to determine the motive of the attacker, however sometimes there are enough traces left over that can help us piece together the potential goals of a campaign,” Curt Wilson of Arbor Networks explained
“RAT infections can be very serious, requiring an in-depth investigation to determine the goals of the attacker and the level of risk posed.”
The security firm has over 4,000 samples of the RAT. However, they’ve managed to identify the more interesting campaigns by analyzing the command and control (C&C) servers, passwords and server IDs used by them.
The first campaign that appears to be more interesting is one in which DarkCommet used “Boeing747!@#Legacy123” as a password. The C&C server’s IP address pointed to an area in South Africa where two Air Force bases are located.
While they couldn’t determine the motives, the researchers believe that the bases may have something to do with the attack.
In another campaign, the RAT was possibly used by someone to redirect .gov sites. Hostfiles on infected machines revealed strings such as “www.security.gov: 184.108.40.206” and “www.searchanddestroy.gov: 220.127.116.11.”
The domains are bogus, but the scenario shows that the cybercriminals were simulating man-in-the-middle attacks and redirects.
Runescape and other gaming communities have also been targeted in operations that leveraged this particular tool.
Other samples of DarkComet revealed that some attackers attempt to use some clever methods to avoid detection.