Who put the “Dark” in DarkVNC?

Brad Duncan surveys VNC-based malware activity over the years, tracing how what’s been labeled DarkVNC/HiddenVNC has evolved into broader malicious VNC use across multiple families and campaigns. The post concludes that the “Dark” label isn’t fixed, documenting beacon-like VNC traffic and data streams tied to IcedID, Qakbot, Trickbot, BazarLoader, and other infections, and noting the shift in traffic patterns over time.
#DarkVNC #HiddenVNC #VNC #IcedID #Qakbot #Trickbot #BazarLoader #ETPRO #BackConnect

Keypoints

  • VirusTotal flagged early DarkVNC samples; the first DarkVNC-flagged sample was submitted on 2013-04-03 (creation date 2012-12-24).
  • A 2017 Terror Exploit Kit infection included a DarkVNC sample that generated traffic to 85.17.29.102:443 and triggered an alert for ETPRO TROJAN W32/DarkVNC Checkin.
  • Mid-2021, a VNC beacon/variant (possibly HiddenVNC) appeared at 172.241.27.226:443, with related social media chatter about DarkVNC vs HiddenVNC.
  • Recent VNC activity appears as follow-up traffic from IcedID and Qakbot infections, with patterns such as two TCP streams (beacon + data) and data streams containing VNC-related content.
  • Older Qakbot VNC traffic sometimes showed three streams (two beaconing, one data) and strings including infected hostnames and Windows user names.
  • Over time, VNC traffic from IcedID and Qakbot has converged toward patterns that resemble earlier IcedID BackConnect traffic, suggesting protocol sharing or adoption.
  • Conclusion: the article stops calling it DarkVNC and refers to it as VNC or malicious VNC, emphasizing changing traffic patterns and naming inconsistencies.

MITRE Techniques

  • [T1021.005] Remote Services: VNC – VNC is used for full remote control, including screen sharing and keyboard/mouse control, demonstrated by beacons and data streams in the VNC traffic. Quote: “The second TCP stream for VNC traffic contains much more data, most of it encoded or encrypted, likely related to the screen sharing and keyboard/mouse control used in VNC activity.”
  • [T1071.001] Web Protocols – C2 traffic observed on common web ports (e.g., 443) as a channel for VNC-based beacons and data streams. Quote: “traffic to 85.17.29.102:443” and references to port 443 in multiple samples with VNC beacons.
  • [T1027] Obfuscated/Encrypted Data – Portions of the VNC data streams are encoded or encrypted, suggesting attempts to conceal VNC traffic. Quote: “most of it encoded or encrypted.”

Indicators of Compromise

  • [IP Addresses] 85.17.29.102 and 172.241.27.226, plus other VNC C2 hosts observed across the campaigns covered (examples drawn from the article).

Read more: https://isc.sans.edu/diary/rss/29210