Friday, February 24, 2012

DarkComet RAT Surfaced in the Targeted Attacks in Syrian Conflict

Via TrendMicro Malware Blog -

The Internet has played a significant role in the current conflict in Syria. The opposition has made increasing use of platforms such as Facebook to organize and spread their message. In response, supporters of the regime like the “Syrian Electronic Army” have sought to disrupt these activities by defacing websites and spamming Facebook pages. Recently, this conflict took on a new dimension with reports that suggested targeted malware attacks were being used against supporters of the Syrian opposition movement.

Dark Comet RAT Used as “Syrian Spyware”

The malware used in the attacks reportedly spreads through Skype chats. Once users execute the malware, it connects to a C&C (command and control) server in Syria at {BLOCKED}.{BLOCKED}.0.28, which belongs to an IP range assigned to the Syrian Telecommunications Establishment. While the malware has been described as “complex” and “invisible”, it turns out that it is the widely available Remote Access Trojan (RAT) known as Dark Comet.

In our analysis, which confirms an earlier investigation by Telecomix, we found that the samples connecting to {BLOCKED}.{BLOCKED}.0.28 are instances of the DarkComet RAT versions 3.3 and 5. However, some samples are “downloaders” that connect to this same IP address via HTTP and download an encrypted “Update.bin” file, which is then decrypted and executed. The payload is the actual DarkComet RAT.

DarkComet is a full-featured RAT that can take pictures via webcam, listen in on conversations via a microphone attached to a PC, and gain full control of the infected machine. But the features that attract most people to this RAT are its keylogging and file transfer functionality. With these, an attacker can load any file onto the infected machine or steal documents from it.

DarkComet is still being developed, and version 5 was released last January 15. It was created by a coder using the handle DarkCoderSc and was first coded in 2008. Since the reports of its use in connection with events in Syria, the author of DarkComet has expressed regret, and while he will continue developing the RAT, he plans to make a DarkComet detector/remover available to the Syrian people.


These developments illustrate that targeted attacks can be conducted with widely available DIY malware tools. These tools possess all the “complex” functionality attackers need to compromise their targets.
