The Prevalence of DarkComet in Dynamic DNS

This HYAS Threat Intelligence report analyzes the prevalence of Dynamic DNS (DDNS) in cyberattacks, especially its use with the DarkComet RAT for C2 infrastructure. It notes how DDNS eases attacker control over compromised devices and highlights DarkComet’s deployment methods and regional trends, particularly in Turkey. #DarkComet #Turkey #MissTeenUSA

Keypoints

  • Dynamic DNS (DDNS) enables attackers to frequently change IP addresses tied to a C2 domain, complicating IP-based blocking.
  • DarkComet malware is predominantly deployed via phishing emails, bundling with legitimate software, and exploiting vulnerabilities.
  • Compromised systems can download additional malware to extend functionality, persistence, and botnet formation.
  • Turkey is identified as a significant location for DarkComet C2 deployments, with ongoing activity into 2024.
  • DDNS services offer legitimate remote-access benefits but can be abused for malicious C2 communication.

MITRE Techniques

  • [T1071.004] DNS – Dynamic DNS usage for C2: “Dynamic DNS allows attackers to frequently change the IP address associated with their C2 domain. This makes it harder for defenders to block C2 traffic based solely on IP addresses, as the domain can resolve to different IPs over time.”
  • [T1566.001] Phishing – Phishing emails used to deliver DarkComet: “Attackers often use phishing emails to trick victims into downloading and executing DarkComet. These emails might contain malicious attachments or links to websites hosting the malware.”
  • [T1036] Masquerading – Bundling with legitimate software: “Attackers sometimes bundle DarkComet with legitimate software, especially on unofficial download sites.”
  • [T1203] Exploitation for Client Execution – Exploiting vulnerabilities to install DarkComet without user interaction: “Exploiting software vulnerabilities in the victim’s system to install DarkComet without user interaction is another method.”
  • [T1105] Ingress Tool Transfer – Downloading additional malware after compromise: “DarkComet can download additional malware to extend functionality, establish persistence, and create botnets.”
  • [T1547] Boot or Logon Autostart Execution – Establish Persistence: “Establish Persistence”
  • [T1021] Lateral Movement – Spread Laterally within a network: “Spread Laterally”
  • [T1486] Data Encrypted for Impact – Conduct specific attacks such as ransomware: “such as ransomware to encrypt files and demand a ransom, spyware to monitor user activities, or wipers to destroy data.”
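The rotation described under T1071.004 and in the first keypoint (one DDNS name resolving to many IPs over a short period) is something a defender can score from passive-DNS or resolver logs. The following is an added example, not code from the HYAS report: it flags query names that sit under a dynamic-DNS provider suffix and cycle through several addresses within a sliding window. The suffix list and the log records are constructed assumptions; the IPs are documentation ranges, not indicators.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed list of public DDNS provider suffixes (assumption, not from the
# report); extend it from your own threat-intel feeds.
DDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "duckdns.org", "dyndns.org")

# Constructed passive-DNS records (timestamp, query name, resolved A record);
# IPs are documentation ranges, not real indicators.
SAMPLE_RECORDS = [
    ("2024-08-01T00:00:00", "update-svc.ddns.net", "203.0.113.5"),
    ("2024-08-01T06:00:00", "update-svc.ddns.net", "203.0.113.6"),
    ("2024-08-01T12:00:00", "update-svc.ddns.net", "198.51.100.2"),
    ("2024-08-01T18:00:00", "update-svc.ddns.net", "192.0.2.1"),
    ("2024-08-01T01:00:00", "cdn.example.com", "203.0.113.9"),
    ("2024-08-01T09:00:00", "cdn.example.com", "203.0.113.10"),
    ("2024-08-02T01:00:00", "cdn.example.com", "203.0.113.11"),
    ("2024-08-03T00:00:00", "home.no-ip.org", "198.51.100.7"),
]

def is_ddns(qname):
    """True when the name sits under a known dynamic-DNS provider suffix."""
    host = qname.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in DDNS_SUFFIXES)

def max_ip_churn(records, window_hours=24):
    """Per query name: the most distinct IPs seen inside any window_hours span."""
    by_name = defaultdict(list)
    for ts, qname, ip in records:
        by_name[qname.lower().rstrip(".")].append((datetime.fromisoformat(ts), ip))
    window = timedelta(hours=window_hours)
    churn = {}
    for qname, hits in by_name.items():
        hits.sort()  # chronological, so each window is a contiguous slice
        best = 0
        for i, (start, _) in enumerate(hits):
            ips = {ip for t, ip in hits[i:] if t - start <= window}
            best = max(best, len(ips))
        churn[qname] = best
    return churn

def flag_ddns_c2(records, window_hours=24, min_ips=3):
    """Names that are DDNS-hosted AND rotate >= min_ips addresses; CDNs rotate too, so the suffix check is required."""
    churn = max_ip_churn(records, window_hours)
    return sorted((q, n) for q, n in churn.items() if is_ddns(q) and n >= min_ips)

if __name__ == "__main__":
    for qname, n in flag_ddns_c2(SAMPLE_RECORDS):
        print(f"{qname}: {n} distinct IPs within 24h on a DDNS provider")
```

Tune `window_hours` and `min_ips` to your resolver's cache behaviour; a hit is a lead for enrichment against the report's withheld indicators, not a verdict on its own.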

Indicators of Compromise

  • [Domain] Domains registered by actors in Turkey (2024) – withheld-domain-1, withheld-domain-2, and 2 more items
  • [IP Address] Actor IPs associated with those domains – 192.0.2.1, 198.51.100.2, and 2 more items
  • [Email Address] Registrant emails for those domains – [email protected], [email protected], and 0 more items
  • [A Record] DNS A records for those domains – 203.0.113.5, 203.0.113.6, and 0 more items

Read more: https://securityboulevard.com/2024/08/the-prevalence-of-darkcomet-in-dynamic-dns