Skip to content

S0334 DarkComet

DarkComet is a Windows remote administration tool and backdoor.12

Item Value
ID S0334
Associated Names DarkKomet, Fynloski, Krademok, FYNLOS
Version 1.1
Created 29 January 2019
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
DarkKomet 1
Fynloski 1
Krademok 1

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols DarkComet can use HTTP for C2 communications.2
enterprise T1123 Audio Capture DarkComet can listen in to victims’ conversations through the system’s microphone.12
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder DarkComet adds several Registry entries to enable automatic execution at every system startup.12
enterprise T1115 Clipboard Data DarkComet can steal data from the clipboard.2
enterprise T1059 Command and Scripting Interpreter DarkComet can execute various types of scripts on the victim’s machine.2
enterprise T1059.003 Windows Command Shell DarkComet can launch a remote shell to execute commands on the victim’s machine.2
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools DarkComet can disable Security Center functions like anti-virus.12
enterprise T1562.004 Disable or Modify System Firewall DarkComet can disable Security Center functions like the Windows Firewall.12
enterprise T1105 Ingress Tool Transfer DarkComet can load any files onto the infected machine to execute.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging DarkComet has a keylogging capability.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.1
enterprise T1112 Modify Registry DarkComet adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA=”0” and HKEY_CURRENT_USER\Software\DC3_FEXEC.12
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing DarkComet has the option to compress its payload using UPX or MPRESS.2
enterprise T1057 Process Discovery DarkComet can list active processes running on the victim’s machine.2
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.2
enterprise T1082 System Information Discovery DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.12
enterprise T1033 System Owner/User Discovery DarkComet gathers the username from the victim’s machine.1
enterprise T1125 Video Capture DarkComet can access the victim’s webcam to take pictures.12

Groups That Use This Software

ID Name References
G0134 Transparent Tribe 3
G0083 SilverTerrier 4
G0082 APT38 5