DarkComet RAT Returns with New TTPS – Detection & Response

0

DarkComet is a Remote Access Trojan (RAT) application that may run in the background and silently collect information about the system, connected users, and network activity.


It may attempt to steal stored credentials, usernames and passwords, and other personal and confidential information. This information may be transmitted to a destination specified by the author. 

Also allows an attacker to install additional software to the infected machine, or may direct the infected machine to participate in a malicious botnet for the purposes of sending spam or other malicious activities.

Stages of Infection:

Stage 1: Darkcomet RAT disturbed via Phishing campaign or infected USB which contains the malicious JPG data hides malware.

Stage 2: Once image is opened with any image editor tools. Possible registry changes made HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and suspicious file added in the user directory , C:\Users\admin\Documents\MSDCSC\msdcsc.exe 

Stage 3: Malware opens the system CMD on the path C:\Windows\System32\cmd.exe and executes the command “C:\Windows\System32\cmd.exe” /k attrib “C:\Users\admin\AppData\Local\Temp\bruh.jpg.exe” +s +h

Also Read: Malspam with new Matanbuchus Loader – Detection & Response

Stage4: Malware calls system file Attrib.exe which is a Windows operating system file located in the C:\Windows\System32 folder. It allows you to display or change File Attributes. Options +s +h in command line used.

+s : Used to set the file attribute as a system file

+h : Used to make the file attribute as hidden not visible to the user

Stage5: Malware executes the File “msdcsc.exe “ at the system location C:\Users\admin\Documents\MSDCSC\ 

Stage6: Executed file msdcsc.exe provides Remote session of computer to the domain  6.tcp.eu[.]ngrok.io and IP 3[.]68.171.119

Also Read : Mapping MITRE ATT&CK with Window Event Log IDs

Indicator of Compromise:

File MD5: 2b8429fe562ee5c9f6d63b71ec5b22ce

Domain & IP : 6.tcp.eu[.]ngrok.io and IP 3[.]68.171.119

Detection & Response:

Qradar:

SELECT UTF8(payload) from events where LOGSOURCETYPENAME(devicetype)='Microsoft Windows Security Event Log' and ((("Filename" ilike '%\Users\admin\AppData\Local\Temp\%') or ("Filename" ilike '%.jpg.exe')) and (("Image" ilike '%\cmd.exe') and ("Process CommandLine" ilike '%/k attrib%' or "Process CommandLine" ilike '%+s%' or "Process CommandLine" ilike '%+h%')) and ("Image" ilike '%\attrib.exe') and ("Process CommandLine" ilike '%C:\Users\admin\AppData\Local\Temp%' or "Process CommandLine" ilike '%+s%' or "Process CommandLine" ilike '%+h%' or "Process CommandLine" ilike '%attrib%')) and (("Filename" ilike '%C:\Users\admin\Documents\MSDCSC\%') or ("Filename" ilike '%msdcsc.exe'))

Splunk:

((((FileName="*\\Users\\admin\\AppData\\Local\\Temp\\*") OR (FileName="*.jpg.exe")) AND ((Image="*\\cmd.exe") AND (CommandLine="*/k attrib*" OR CommandLine="*+s*" OR CommandLine="*+h*")) AND (Image="*\\attrib.exe") AND (CommandLine="*C:\\Users\\admin\\AppData\\Local\\Temp*" OR CommandLine="*+s*" OR CommandLine="*+h*" OR CommandLine="*attrib*")) AND ((FileName="*C:\\Users\\admin\\Documents\\MSDCSC\\*") OR (FileName="*msdcsc.exe"))) AND source="WinEventLog:*"

Elastic Query:

(((file.path:*\\Users\\admin\\AppData\\Local\\Temp\\* OR file.path:*.jpg.exe) AND (process.executable:*\\cmd.exe AND process.command_line:(*\/k\ attrib* OR *\+s* OR *\+h*)) AND process.executable:*\\attrib.exe AND process.command_line:(*C\:\\Users\\admin\\AppData\\Local\\Temp* OR *\+s* OR *\+h* OR *attrib*)) AND (file.path:*C\:\\Users\\admin\\Documents\\MSDCSC\\* OR file.path:*msdcsc.exe))

FireEye:

(metaclass:`windows` ((filename:`\Users\admin\AppData\Local\Temp\\` OR filename:`*.jpg.exe`) (process:`*\cmd.exe` args:[`/k attrib`,`+s`,`+h`]) process:`*\attrib.exe` args:[`C:\Users\admin\AppData\Local\Temp`,`+s`,`+h`,`attrib`]) (filename:`C:\Users\admin\Documents\MSDCSC\\` OR filename:`*msdcsc.exe`))

GrayLog:

(((FileName.keyword:*\\Users\\admin\\AppData\\Local\\Temp\\* OR FileName.keyword:*.jpg.exe) AND (Image.keyword:*\\cmd.exe AND CommandLine.keyword:(*\/k\ attrib* *\+s* *\+h*)) AND Image.keyword:*\\attrib.exe AND CommandLine.keyword:(*C\:\\Users\\admin\\AppData\\Local\\Temp* *\+s* *\+h* *attrib*)) AND (FileName.keyword:*C\:\\Users\\admin\\Documents\\MSDCSC\\* OR FileName.keyword:*msdcsc.exe))

Logpoint:

(((FileName IN "*\\Users\\admin\\AppData\\Local\\Temp\\*" OR FileName IN "*.jpg.exe") (Image IN "*\\cmd.exe" CommandLine IN ["*/k attrib*", "*+s*", "*+h*"]) Image IN "*\\attrib.exe" CommandLine IN ["*C:\\Users\\admin\\AppData\\Local\\Temp*", "*+s*", "*+h*", "*attrib*"]) (FileName IN "*C:\\Users\\admin\\Documents\\MSDCSC\\*" OR FileName IN "*msdcsc.exe"))

Microsoft Sentinel:

SecurityEvent | where ((((TargetFilename contains @'\Users\admin\AppData\Local\Temp\') or (TargetFilename endswith '.jpg.exe')) and ((NewProcessName endswith @'\cmd.exe') and (CommandLine contains '/k attrib' or CommandLine contains '+s' or CommandLine contains '+h')) and (NewProcessName endswith @'\attrib.exe') and (CommandLine contains @'C:\Users\admin\AppData\Local\Temp' or CommandLine contains '+s' or CommandLine contains '+h' or CommandLine contains 'attrib')) and ((TargetFilename contains @'C:\Users\admin\Documents\MSDCSC\') or (TargetFilename endswith 'msdcsc.exe')))

RSA Netwitness:

((((FileName contains '\Users\\admin\\AppData\\Local\\Temp\\\') || (FileName contains '.jpg\.exe')) && ((Image contains '\cmd\.exe') && (CommandLine contains '/k attrib', '+s', '+h')) && (Image contains '\attrib\.exe') && (CommandLine contains 'C:\\Users\\admin\\AppData\\Local\\Temp', '+s', '+h', 'attrib')) && ((FileName contains 'C:\\Users\\admin\\Documents\\MSDCSC\\\') || (FileName contains 'msdcsc\.exe')))

Sumo Logic:

(_sourceCategory=*windows* AND (((("\Users\admin\AppData\Local\Temp\\") OR (".jpg.exe"))) AND ((Image = "*\cmd.exe") AND (CommandLine = "*/k attrib*" OR CommandLine = "*+s*" OR CommandLine = "*+h*")) AND (Image = "*\attrib.exe") AND (CommandLine = "*C:\Users\admin\AppData\Local\Temp*" OR CommandLine = "*+s*" OR CommandLine = "*+h*" OR CommandLine = "*attrib*")) AND ((("C:\Users\admin\Documents\MSDCSC\\") OR ("msdcsc.exe"))))

Aws OpenSearch:

(((file.path:*\\Users\\admin\\AppData\\Local\\Temp\\* OR file.path:*.jpg.exe) AND (process.executable:*\\cmd.exe AND process.command_line:(*\/k\ attrib* OR *\+s* OR *\+h*)) AND process.executable:*\\attrib.exe AND process.command_line:(*C\:\\Users\\admin\\AppData\\Local\\Temp* OR *\+s* OR *\+h* OR *attrib*)) AND (file.path:*C\:\\Users\\admin\\Documents\\MSDCSC\\* OR file.path:*msdcsc.exe))


Previous articleQBot Spreads via LNK Files – Detection & Response
Next articleMasquerade Attack Part 2 – Suspicious Services and File Names
Balaganesh is a Incident Responder. Certified Ethical Hacker, Penetration Tester, Security blogger, Founder & Author of Soc Investigation.

LEAVE A REPLY

Please enter your comment!
Please enter your name here