DarkComet
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| DarkKomet | (Citation: TrendMicro DarkComet Sept 2014) |
| Fynloski | (Citation: TrendMicro DarkComet Sept 2014) |
| Krademok | (Citation: TrendMicro DarkComet Sept 2014) |
| FYNLOS | (Citation: TrendMicro DarkComet Sept 2014) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
DarkComet can use HTTP for C2 communications.(Citation: Malwarebytes DarkComet March 2018) |
| Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
DarkComet adds several Registry entries to enable automatic execution at every system startup.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell |
DarkComet can launch a remote shell to execute commands on the victim’s machine.(Citation: Malwarebytes DarkComet March 2018) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
DarkComet can disable Security Center functions like anti-virus.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
| .004 | Impair Defenses: Disable or Modify System Firewall |
DarkComet can disable Security Center functions like the Windows Firewall.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
||
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
DarkComet has a keylogging capability.(Citation: TrendMicro DarkComet Sept 2014) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.(Citation: TrendMicro DarkComet Sept 2014) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
DarkComet has the option to compress its payload using UPX or MPRESS.(Citation: Malwarebytes DarkComet March 2018) |
| Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
DarkComet can open an active screen of the victim’s machine and take control of the mouse and keyboard.(Citation: Malwarebytes DarkComet March 2018) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0134 | Transparent Tribe |
(Citation: Unit 42 ProjectM March 2016) |
| G0083 | SilverTerrier |
(Citation: Unit42 SilverTerrier 2018) |
| G0082 | APT38 |
(Citation: FireEye APT38 Oct 2018) |
References
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Falcone, R. and Conant S. (2016, March 25). ProjectM: Link Found Between Pakistani Actor and Operation Transparent Tribe. Retrieved September 2, 2021.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.