ATT&CKcon 5.0 returns October 22-23, 2024 in McLean, VA. Register for in-person participation here. Stay tuned for virtual registration!

DarkComet

DarkComet is a Windows remote administration tool and backdoor.^[1]^[2]

ID: S0334

ⓘ

Associated Software: DarkKomet, Fynloski, Krademok, FYNLOS

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 29 January 2019

Last Modified: 28 March 2020

Associated Software Descriptions

Name	Description
DarkKomet	^[1]
Fynloski	^[1]
Krademok	^[1]
FYNLOS	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	DarkComet can use HTTP for C2 communications.^[2]
Enterprise	T1123		Audio Capture	DarkComet can listen in to victims' conversations through the system’s microphone.^[1]^[2]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	DarkComet adds several Registry entries to enable automatic execution at every system startup.^[1]^[2]
Enterprise	T1115		Clipboard Data	DarkComet can steal data from the clipboard.^[2]
Enterprise	T1059		Command and Scripting Interpreter	DarkComet can execute various types of scripts on the victim’s machine.^[2]
		.003	Windows Command Shell	DarkComet can launch a remote shell to execute commands on the victim’s machine.^[2]
Enterprise	T1562	.001	Impair Defenses: Disable or Modify Tools	DarkComet can disable Security Center functions like anti-virus.^[1]^[2]
		.004	Impair Defenses: Disable or Modify System Firewall	DarkComet can disable Security Center functions like the Windows Firewall.^[1]^[2]
Enterprise	T1105		Ingress Tool Transfer	DarkComet can load any files onto the infected machine to execute.^[1]^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	DarkComet has a keylogging capability.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.^[1]
Enterprise	T1112		Modify Registry	DarkComet adds a Registry value for its installation routine to the Registry Key `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System Enable LUA="0"` and `HKEY_CURRENT_USER\Software\DC3_FEXEC`.^[1]^[2]
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	DarkComet has the option to compress its payload using UPX or MPRESS.^[2]
Enterprise	T1057		Process Discovery	DarkComet can list active processes running on the victim’s machine.^[2]
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.^[2]
Enterprise	T1082		System Information Discovery	DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.^[1]^[2]
Enterprise	T1033		System Owner/User Discovery	DarkComet gathers the username from the victim’s machine.^[1]
Enterprise	T1125		Video Capture	DarkComet can access the victim’s webcam to take pictures.^[1]^[2]

Groups That Use This Software

ID	Name	References
G0134	Transparent Tribe	^[3]
G0083	SilverTerrier	^[4]
G0082	APT38	^[5]

References

TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.