DarkVNC is a stealthy VNC-based payload linked to threats like IcedID, with past associations to StellarInjector and SolarMarker infections. The article details how the malware creates hidden desktop sessions, performs privilege escalation and input/output manipulation, communicates with a C2 server, and parses browser environments to aid persistence and evasion.
Key points
- DarkVNC is a hidden VNC-based utility designed for covert remote control, with historical usage by threat actors connected to IcedID.
- The payload exports functionality via vncdll64.dll and can create a concealed user desktop session by launching explorer.exe within a hidden desktop context.
- It generates a unique 8-character ID from system tick counts and uses a mutex-like workflow to coordinate activity.
- The malware sends collected data to a C2 server, including computer name, username, volume information, and a unique ID.
- It enumerates and manipulates Windows desktop windows (Progman, SHELLDLL_DefView, SysListView32) to facilitate remote control visibility and operation.
- Token impersonation and process injection are used to acquire higher-privilege contexts (e.g., duplicating explorer.exe tokens to create new processes).
- The sample includes browser-focused checks and prompts, enabling browser profile management and Chrome/Firefox environment interactions to aid persistence and evasion.
MITRE Techniques
- [T1189] Drive-by Compromise – Initial access via drive-by compromise. Quote: ‘Drive-by Compromise’
- [T1204.002] Malicious File – Execution via malicious files. Quote: ‘Malicious File’
- [T1059.001] Command and Scripting Interpreter: PowerShell – Execution context described as PowerShell scripting. Quote: ‘Command and Scripting Interpreter: PowerShell’
- [T1055] Process Injection – Privilege escalation through process injection. Quote: ‘Process Injection’
- [T1027.010] Command Obfuscation – Strings are obfuscated with a simple XOR. Quote: ‘simple XOR for string encryption’
- [T1041] Exfiltration Over C2 Channel – Collected data is sent to the C2 server. Quote: ‘to the C2 server’
- [T1082] System Information Discovery – System information discovery. Quote: ‘System Information Discovery’
- [T1057] Process Discovery – Process discovery to enumerate running processes. Quote: ‘Process Discovery’
Indicators of Compromise
- [File] DarkVNC artifacts – VNCDLL64.DLL and bd7f6aa8.dat dropped in %TEMP%
- [Process] Suspicious processes – explorer.exe, chrome.exe, and cmd.exe
- [Window Class] Desktop/window artifacts – Progman, SHELLDLL_DefView, SysListView32
- [Data/Directory] Chrome/browser data references – Google\Chrome\User Data\Last Version, test folder checks in the Chrome user data directory
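A defender-side check that applies the file and process indicators above to Sysmon-style telemetry, added here as an example and not part of this summary or the eSentire analysis: it flags the two named artifacts when written under a Temp directory, and explorer.exe launches whose parent is outside the normal logon chain (the payload starts explorer.exe itself to populate its hidden desktop). The field names follow Sysmon's Image/ParentImage/TargetFilename; the sample events and the expected-parent allow-list are assumptions.

```python
import ntpath
import re

# Artifact names the summary lists as dropped in %TEMP% (matched case-insensitively).
DARKVNC_FILES = {"vncdll64.dll", "bd7f6aa8.dat"}
# Parents from which an explorer.exe start is normal (an assumed allow-list for this example);
# the payload launches explorer.exe itself to populate its hidden desktop, so other parents stand out.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe"}
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)

def _base(path):
    # ntpath splits on backslashes even when this runs on a non-Windows host
    return ntpath.basename(path).lower()

def check_file_event(event):
    """Sysmon EventID 11 (FileCreate): a named artifact written under a Temp directory."""
    target = event.get("TargetFilename", "")
    if _base(target) in DARKVNC_FILES and TEMP_DIR_RE.search(target):
        return "darkvnc_artifact:" + _base(target)
    return None

def check_process_event(event):
    """Sysmon EventID 1 (ProcessCreate): explorer.exe spawned outside the logon chain."""
    parent = _base(event.get("ParentImage", ""))
    if _base(event.get("Image", "")) == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
        return "explorer_from_unexpected_parent:" + parent
    return None

def scan(events):
    """Return (event index, finding) pairs for every event that trips a check."""
    checks = {11: check_file_event, 1: check_process_event}
    findings = []
    for i, ev in enumerate(events):
        check = checks.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append((i, finding))
    return findings

# Constructed sample events (not real telemetry); field names follow Sysmon's schema.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\VNCDLL64.DLL"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\bd7f6aa8.dat"},  # right name, not in Temp
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},  # normal logon shell start
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
```

Only the first and last sample events should produce findings; the second has the right file name in the wrong directory and the third is the ordinary logon shell start.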
Read more: https://www.esentire.com/blog/technical-analysis-of-darkvnc