DarkComet RAT used to control infected computers

May 29, 2015 09:21 GMT  ·  By

A large malicious campaign affecting small- and medium-sized businesses in different countries proves to be successful despite relying on malware that does not make any effort to cover its tracks.

Researchers at Kaspersky dubbed it Grabit and their analysis found that cybercriminals managed to infiltrate businesses in Thailand, India, the US, UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.

The compromised organizations come from a wide range of sectors, among them chemicals, nanotechnology, education, agriculture, media and construction.

C&C holds data from thousands of compromised hosts

Although the activity of the malware on an infected machine is easily observable, the cache of files exfiltrated is impressive. Researchers say that about 10,000 files were taken from SMB organizations mainly from Thailand, India and the US.

Kaspersky found that the threat actor collects the information with HawkEye, a commercial keylogger developed by HawkEye Products, together with a configuration module that bundles several remote administration tools (RATs) used to control the infected system.

Ido Naor, senior security researcher at Kaspersky’s Global Research and Analysis Team, said that among the RATs identified there is the infamous DarkComet.

On one of the C&C servers the researchers found 2,887 passwords, 1,053 emails, and 3,023 usernames from almost 5,000 different hosts. The data was associated with Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, as well as bank accounts.

Grabit group launched campaign in late February

Grabit communicates with its command and control (C&C) server over random ports via an unencrypted channel (HTTP), which allows a clear view of the traffic. The stolen data is packed and encrypted, says Naor.

However, since traffic is in plain text, intercepting it revealed the credentials for the FTP/SMTP servers that received the stolen data.

Kaspersky determined that the campaign started in late February and ended in mid-March. Every sample they caught varied in size and activity from the others, the smallest one being 0.52MB and the largest weighing 1.57MB, suggesting that the threat actor experimented with features, packers and integration of “dead code” designed to make binary analysis more difficult.

Based on their findings, the researchers believe that those behind Grabit did not write all the code themselves, and that some members of the group are more technical than others, with that part of the group focusing on making the malware untraceable.

The threat arrives on the victim’s computer as an email attachment in the form of a Microsoft Word document laced with a malicious macro, which downloads the keylogger from a compromised server.

One indicator of compromise is the presence in the startup programs list of a process with “grabit” in its name. Also, if the location “C:\Users\ \AppData\Roaming\Microsoft” contains an executable file, the system may be infected.
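As an added example (not part of the article or of Kaspersky’s report), a read-only PowerShell check for the two indicators above on a local Windows host: it scans the Run/RunOnce registry keys and the startup folders for entries containing “grabit”, and lists any .exe placed directly under %APPDATA%\Microsoft. The choice of registry keys and the .exe-only filter are assumptions; a hit is a lead for investigation, not a verdict.

```powershell
# Added example: local check for the two Grabit indicators named in the article.
# Read-only; collects findings and prints them. Run in the user's own session.
$findings = @()

# 1. Autostart entries whose value name or command line contains "grabit".
#    Assumption: the standard Run/RunOnce keys are where such an entry would sit.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
        if ($p.Name -match 'grabit' -or ([string]$p.Value) -match 'grabit') {
            $findings += "Autostart entry: $key\$($p.Name) = $($p.Value)"
        }
    }
}

# Per-user and all-users Startup folders
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    $items = Get-ChildItem -Path $dir -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match 'grabit' }
    foreach ($item in $items) { $findings += "Startup folder item: $($item.FullName)" }
}

# 2. Executables directly under %APPDATA%\Microsoft, which normally holds only
#    data subfolders. Assumption: only .exe is checked, as the article says "executable".
$appdataMs = Join-Path $env:APPDATA 'Microsoft'
$exes = Get-ChildItem -Path $appdataMs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -eq '.exe' }
foreach ($exe in $exes) { $findings += "Executable under ${appdataMs}: $($exe.FullName)" }

if ($findings.Count -eq 0) { 'No Grabit indicators found' } else { $findings }
```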