S0334 DarkComet
DarkComet is a Windows remote administration tool and backdoor.[1][2]

| Item | Value |
|---|---|
| ID | S0334 |
| Associated Names | DarkKomet, Fynloski, Krademok, FYNLOS |
| Type | MALWARE |
| Version | 1.1 |
| Created | 29 January 2019 |
| Last Modified | 28 March 2020 |
Associated Software Descriptions

| Name | Description |
|---|---|
| DarkKomet | [1] |
| Fynloski | [1] |
| Krademok | [1] |
| FYNLOS | [1] |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | DarkComet can use HTTP for C2 communications.[2] |
| enterprise | T1123 | Audio Capture | DarkComet can listen in to victims' conversations through the system's microphone.[1][2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | DarkComet adds several Registry entries to enable automatic execution at every system startup.[1][2] |
| enterprise | T1115 | Clipboard Data | DarkComet can steal data from the clipboard.[2] |
| enterprise | T1059 | Command and Scripting Interpreter | DarkComet can execute various types of scripts on the victim's machine.[2] |
| enterprise | T1059.003 | Windows Command Shell | DarkComet can launch a remote shell to execute commands on the victim's machine.[2] |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | DarkComet can disable Security Center functions like anti-virus.[1][2] |
| enterprise | T1562.004 | Disable or Modify System Firewall | DarkComet can disable Security Center functions like the Windows Firewall.[1][2] |
| enterprise | T1105 | Ingress Tool Transfer | DarkComet can load any files onto the infected machine to execute.[1][2] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | DarkComet has a keylogging capability.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.[1] |
| enterprise | T1112 | Modify Registry | DarkComet adds a Registry value for its installation routine to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System (EnableLUA="0") and to HKEY_CURRENT_USER\Software\DC3_FEXEC.[1][2] |
| enterprise | T1027 | Obfuscated Files or Information | - |
| enterprise | T1027.002 | Software Packing | DarkComet has the option to compress its payload using UPX or MPRESS.[2] |
| enterprise | T1057 | Process Discovery | DarkComet can list active processes running on the victim's machine.[2] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | DarkComet can open an active screen of the victim's machine and take control of the mouse and keyboard.[2] |
| enterprise | T1082 | System Information Discovery | DarkComet can collect the computer name, RAM used, and operating system version from the victim's machine.[1][2] |
| enterprise | T1033 | System Owner/User Discovery | DarkComet gathers the username from the victim's machine.[1] |
| enterprise | T1125 | Video Capture | DarkComet can access the victim's webcam to take pictures.[1][2] |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0134 | Transparent Tribe | [3] |
| G0083 | SilverTerrier | [4] |
| G0082 | APT38 | [5] |
References

1. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
2. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
3. Falcone, R. and Conant, S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
4. Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
5. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.