DarkComet RAT has re-emerged with new TTPs-based detection and response coverage, highlighting its capabilities as a stealthy remote access Trojan that can spy on systems, steal credentials, and add infected machines to a botnet. The article outlines a multi-stage infection chain—from phishing or infected USB delivery to registry changes, hidden file attributes, and a remote connection to an attacker-controlled ngrok domain. #DarkCometRAT #MSDCSC #ngrok
Keypoints
- DarkComet RAT is a Remote Access Trojan that quietly collects system information, connected users, and network activity.
- It may steal stored credentials and other confidential data and transmit it to an attacker-specified destination.
- The malware can install additional software or enlist the infected machine into a botnet for malicious activities such as sending spam.
- The infection unfolds in stages: Stage 1 uses phishing campaigns or infected USB drives; Stage 2 modifies the Run registry key; Stage 3 launches cmd.exe to run attrib on the dropped file; Stage 4 uses attrib to hide the file; Stage 5 executes msdcsc.exe; Stage 6 provides a remote session to an attacker-controlled domain/IP.
- Indicators of Compromise include an MD5 hash and network indicators: MD5 2b8429fe562ee5c9f6d63b71ec5b22ce, domain 6.tcp.eu.ngrok.io, and IP 3.68.171.119.
- Detection and response coverage is detailed across several platforms (Qradar, Splunk, Elastic, FireEye, GrayLog, etc.) with sample queries to identify the behaviors.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Stage 1 describes delivery via a phishing campaign with a malicious JPG that hides malware. “Stage 1: Darkcomet RAT distributed via Phishing campaign or infected USB which contains the malicious JPG data that hides malware.”
- [T1059.003] Command and Scripting Interpreter – Stage 3 shows opening CMD and executing a command: “Malware opens the system CMD on the path C:\Windows\System32\cmd.exe and executes the command "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\admin\AppData\Local\Temp\bruh.jpg.exe" +s +h”
- [T1564.001] Hide Artifacts – Stage 4 uses Attrib.exe to set +s and +h and hide the file: “Stage 4: Malware calls system file Attrib.exe … Options +s +h in command line used.”
- [T1112] Modify Registry – Stage 2 notes possible registry changes at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run to run on startup.
- [T1021] Remote Services – Stage 6 executes a remote session to the domain 6.tcp.eu.ngrok.io and IP 3.68.171.119: “Executed file msdcsc.exe provides Remote session of computer to the domain 6.tcp.eu[.]ngrok.io and IP 3[.]68.171.119”
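The article's detection coverage is given as platform-specific queries; as an added example (not code from the article or from SOC Investigation), the following Python maps the same behaviors (Stages 2 through 6 above) onto four rules and runs them over constructed Sysmon-style events. The event layout, the benign attrib +r record and the Run value name "ExampleRunValue" are assumptions; the paths, domain and IP are the article's indicators.

```python
import re

# Constructed Sysmon-style events (not from the article); paths, domain and IP follow the IoCs above.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\admin\AppData\Local\Temp\bruh.jpg.exe" +s +h'},
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib "C:\Users\admin\AppData\Local\Temp\bruh.jpg.exe" +s +h'},
    {"type": "process", "image": r"C:\Users\admin\Documents\MSDCSC\msdcsc.exe", "cmdline": "msdcsc.exe"},
    {"type": "network", "image": r"C:\Users\admin\Documents\MSDCSC\msdcsc.exe",
     "dest_host": "6.tcp.eu.ngrok.io", "dest_ip": "3.68.171.119"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ExampleRunValue", "data": r"C:\Users\admin\Documents\MSDCSC\msdcsc.exe"},  # value name constructed
    {"type": "process", "image": r"C:\Windows\System32\attrib.exe",      # benign: read-only flag on a document
     "cmdline": r'attrib +r "C:\Users\admin\Documents\report.docx"'},
]

KNOWN_C2_IPS = {"3.68.171.119"}
# attrib invoked with both +s and +h, in either order, directly or through cmd.exe /k
ATTRIB_HIDE_RE = re.compile(r"(?i)\battrib\b(?=.*\+s\b)(?=.*\+h\b)")
# target masquerades as an image/document but is an executable, or lives under %TEMP%
SUSPICIOUS_TARGET_RE = re.compile(r"(?i)(\.(jpe?g|png|pdf|docx?)\.exe\b)|(\\AppData\\Local\\Temp\\)")
USER_WRITABLE_RE = re.compile(r"(?i)\\Users\\[^\\]+\\(Documents|AppData|Downloads)\\")


def match_event(ev):
    """Return the names of the DarkComet-chain rules a single event triggers."""
    hits = []
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if ATTRIB_HIDE_RE.search(cmd) and SUSPICIOUS_TARGET_RE.search(cmd):
            hits.append("ATTRIB_HIDE_TEMP_EXE")       # Stage 3/4: +s +h on a double-extension Temp file
        if re.search(r"(?i)\\MSDCSC\\msdcsc\.exe$", ev["image"]):
            hits.append("MSDCSC_EXEC")                # Stage 5: msdcsc.exe launched from Documents\MSDCSC
    elif ev["type"] == "network":
        if ev.get("dest_host", "").lower().endswith(".ngrok.io") or ev.get("dest_ip") in KNOWN_C2_IPS:
            hits.append("NGROK_C2_CONNECTION")        # Stage 6: remote session through an ngrok tunnel
    elif ev["type"] == "registry":
        if ev["key"].lower().endswith(r"\currentversion\run") and USER_WRITABLE_RE.search(ev["data"]):
            hits.append("RUN_KEY_USER_PATH")          # Stage 2: autorun entry pointing at a user-writable path
    return hits


def detect(events):
    """Run every rule over a list of events; returns (rule, event) pairs for triage."""
    return [(rule, ev) for ev in events for rule in match_event(ev)]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule:24} {ev.get('image') or ev.get('key')}")
```

The benign attrib +r record produces no hit, which is the false-positive check worth keeping when porting these rules to Splunk, Elastic or QRadar queries.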
Indicators of Compromise
- [MD5] 2b8429fe562ee5c9f6d63b71ec5b22ce – File hash mentioned as an indicator of the DarkComet RAT sample.
- [Domain] 6.tcp.eu.ngrok.io – Domain used for remote session/C2 traffic.
- [IP] 3.68.171.119 – IP address associated with the attacker-controlled domain.
- [File path] C:\Users\admin\AppData\Local\Temp\bruh.jpg.exe – Suspicious temporary file referenced in Stage 1 activity.
- [File path] C:\Users\admin\Documents\MSDCSC\msdcsc.exe – Executable path mentioned in Stage 5/Stage 6 activities.
Read more: https://www.socinvestigation.com/darkcomet-rat-returns-with-new-ttps-detection-response/