DarkComet (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.darkcomet (Back to overview)

DarkComet

aka: Breut, Fynloski, klovbot

Actor(s): APT33, Lazarus Group, Operation C-Major

VTCollection URLhaus

DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.

References

2024-10-23 ⋅ ANY.RUN ⋅ ANY.RUN, Mostafa ElSheimy
DarkComet RAT: Technical Analysis of Attack Chain
DarkComet

2023-02-23 ⋅ Bitdefender ⋅ Bitdefender Team, Martin Zugec
Technical Advisory: Various Threat Actors Targeting ManageEngine Exploit CVE-2022-47966
Cobalt Strike DarkComet QuiteRAT RATel

2022-08-12 ⋅ Brandefense ⋅ Brandefense
Mythic Leopard APT Group
Crimson RAT DarkComet NjRAT Oblique RAT Peppy RAT

2022-06-21 ⋅ Cisco Talos ⋅ Chris Neal, Flavio Costa, Guilherme Venere
Avos ransomware group expands with new attack arsenal
AvosLocker Cobalt Strike DarkComet MimiKatz

2022-04-26 ⋅ Trend Micro ⋅ Lord Alfred Remorin, Ryan Flores, Stephen Hilt
How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT

2022-02-11 ⋅ Cisco Talos ⋅ Talos
Threat Roundup for February 4 to February 11
DarkComet Ghost RAT Loki Password Stealer (PWS) Tinba Tofsee Zeus

2022-02-09 ⋅ SentinelOne ⋅ Juan Andrés Guerrero-Saade, Tom Hegel
Modified Elephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC

2022-02-09 ⋅ Sentinel LABS ⋅ Tom Hegel
ModifiedElephant APT and a Decade of Fabricating Evidence
DarkComet Incubator NetWire RC ModifiedElephant

2021-11-10 ⋅ ⋅ AhnLab ⋅ ASEC Analysis Team
Analysis Report of Lazarus Group’s NukeSped Malware
DarkComet Tiger RAT

2021-02-25 ⋅ Intezer ⋅ Intezer
Year of the Gopher A 2020 Go Malware Round-Up
NiuB WellMail elf.wellmess ArdaMax AsyncRAT CyberGate DarkComet Glupteba Nanocore RAT Nefilim NjRAT Quasar RAT WellMess Zebrocy

2021-01-09 ⋅ Marco Ramilli's Blog ⋅ Marco Ramilli
Command and Control Traffic Patterns
ostap LaZagne Agent Tesla Azorult Buer Cobalt Strike DanaBot DarkComet Dridex Emotet Formbook IcedID ISFB NetWire RC PlugX Quasar RAT SmokeLoader TrickBot

2020-08-01 ⋅ ⋅ TG Soft ⋅ TG Soft
TG Soft Cyber - Threat Report
DarkComet Darktrack RAT Emotet ISFB

2020-01-26 ⋅ Brown Farinholt, Damon McCoy, Kirill Levchenko, Mohammad Rezaeirad
Dark Matter: Uncovering the DarkComet RAT Ecosystem
DarkComet

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
COPPER FIELDSTONE
Crimson RAT DarkComet Luminosity RAT NjRAT Operation C-Major

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
ALUMINUM SARATOGA
BlackShades DarkComet Xtreme RAT Poison Ivy Quasar RAT Molerats

2019-03-27 ⋅ Symantec ⋅ Critical Attack Discovery and Intelligence Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet MimiKatz Nanocore RAT NetWire RC pupy Quasar RAT Remcos StoneDrill TURNEDUP APT33

2019-03-27 ⋅ Symantec ⋅ Security Response Attack Investigation Team
Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.
DarkComet Nanocore RAT pupy Quasar RAT Remcos TURNEDUP APT33

2018-01-01 ⋅ FireEye ⋅ FireEye
APT38
Bitsran BLINDTOAD BOOTWRECK Contopee DarkComet DYEPACK HOTWAX NESTEGG PowerRatankba REDSHAWL WORMHOLE Lazarus Group

2016-06-03 ⋅ FireEye ⋅ Sudeep Singh, Yin Hong Chang
APT Group Sends Spear Phishing Emails to Indian Government Officials
BreachRAT DarkComet Operation C-Major

2012-10-05 ⋅ Malwarebytes ⋅ Adam Kujawa
Dark Comet 2: Electric Boogaloo
DarkComet

2012-06-21 ⋅ Contagio Dump ⋅ Mila Parkour
RAT samples from Syrian Targeted attacks - Blackshades RAT, XTreme RAT, Dark Comet RAT used by Syrian Electronic Army
BlackShades DarkComet Terminator RAT

2012-06-09 ⋅ Malwarebytes ⋅ Adam Kujawa
You dirty RAT! Part 1: DarkComet
DarkComet

Yara Rules

[TLP:WHITE] win_darkcomet_auto (20201014 | autogenerated rule brought to you by yara-signator)

rule win_darkcomet_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 648920 8b45ec c6404801 33d2 55 68???????? 64ff32 }
            // n = 7, score = 200
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   c6404801             | mov                 byte ptr [eax + 0x48], 1
            //   33d2                 | xor                 edx, edx
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff32               | push                dword ptr fs:[edx]

        $sequence_1 = { 837f4800 0f858c030000 6a00 6a01 6a02 e8???????? 8945fc }
            // n = 7, score = 200
            //   837f4800             | cmp                 dword ptr [edi + 0x48], 0
            //   0f858c030000         | jne                 0x392
            //   6a00                 | push                0
            //   6a01                 | push                1
            //   6a02                 | push                2
            //   e8????????           |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax

        $sequence_2 = { 8d45ec ba???????? e8???????? 837de800 750d 8d45e8 ba???????? }
            // n = 7, score = 200
            //   8d45ec               | lea                 eax, [ebp - 0x14]
            //   ba????????           |                     
            //   e8????????           |                     
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   750d                 | jne                 0xf
            //   8d45e8               | lea                 eax, [ebp - 0x18]
            //   ba????????           |                     

        $sequence_3 = { 888543feffff 8b55f4 b8???????? e8???????? 8bc8 8d45f4 ba01000000 }
            // n = 7, score = 200
            //   888543feffff         | mov                 byte ptr [ebp - 0x1bd], al
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   b8????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   ba01000000           | mov                 edx, 1

        $sequence_4 = { ff30 8d8dc4feffff 8bd6 8b45e8 8b38 ff570c }
            // n = 6, score = 200
            //   ff30                 | push                dword ptr [eax]
            //   8d8dc4feffff         | lea                 ecx, [ebp - 0x13c]
            //   8bd6                 | mov                 edx, esi
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   8b38                 | mov                 edi, dword ptr [eax]
            //   ff570c               | call                dword ptr [edi + 0xc]

        $sequence_5 = { 33c0 55 68???????? 64ff30 648920 8b4644 85c0 }
            // n = 7, score = 200
            //   33c0                 | xor                 eax, eax
            //   55                   | push                ebp
            //   68????????           |                     
            //   64ff30               | push                dword ptr fs:[eax]
            //   648920               | mov                 dword ptr fs:[eax], esp
            //   8b4644               | mov                 eax, dword ptr [esi + 0x44]
            //   85c0                 | test                eax, eax

        $sequence_6 = { 8b45f8 ba???????? e8???????? 7509 b001 e8???????? eb07 }
            // n = 7, score = 200
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   ba????????           |                     
            //   e8????????           |                     
            //   7509                 | jne                 0xb
            //   b001                 | mov                 al, 1
            //   e8????????           |                     
            //   eb07                 | jmp                 9

        $sequence_7 = { 6a00 56 8d4340 50 8d45f0 50 e8???????? }
            // n = 7, score = 200
            //   6a00                 | push                0
            //   56                   | push                esi
            //   8d4340               | lea                 eax, [ebx + 0x40]
            //   50                   | push                eax
            //   8d45f0               | lea                 eax, [ebp - 0x10]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_8 = { 8d45f8 b90d000000 ba01000000 e8???????? 8d45f4 8b55f8 e8???????? }
            // n = 7, score = 200
            //   8d45f8               | lea                 eax, [ebp - 8]
            //   b90d000000           | mov                 ecx, 0xd
            //   ba01000000           | mov                 edx, 1
            //   e8????????           |                     
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   e8????????           |                     

        $sequence_9 = { ba???????? e8???????? 8b9594f9ffff 33c0 e8???????? 68???????? 8d8590f9ffff }
            // n = 7, score = 200
            //   ba????????           |                     
            //   e8????????           |                     
            //   8b9594f9ffff         | mov                 edx, dword ptr [ebp - 0x66c]
            //   33c0                 | xor                 eax, eax
            //   e8????????           |                     
            //   68????????           |                     
            //   8d8590f9ffff         | lea                 eax, [ebp - 0x670]

    condition:
        7 of them and filesize < 1499136
}

Download all Yara Rules

DarkComet Propose Change

References

Yara Rules

DarkComet