The remote access Trojan DarkComet is back
Security researcher Vishal Thakur warned on Twitter last Sunday (August 26) that a newly discovered piece of malware is being actively distributed worldwide through spam campaigns. The malware disguises itself as the popular open-source archiving utility PeaZip, but it is in fact a remote access Trojan (RAT), and almost certainly a repackaged version of the DarkComet RAT.
Here's my full report on the new #malware #PeaRAT that has been packaged to look like the popular archiving utility PeaZIP. #trojan #RAT https://t.co/lRd3atPXxk
— vishUwell (@vishUwell) August 26, 2018
DarkComet is a remote access Trojan that first appeared in 2008. Once running, it can carry out a wide range of malicious actions: it records and uploads private information such as typed passwords and webcam captures, it downloads files and launches programs or scripts on instruction from its command-and-control (C&C) server, and it can even use the compromised computer as a springboard for DDoS and other network attacks against further targets.
As mentioned above, this new version of the DarkComet RAT is currently being distributed via spam email campaigns. The subject line of these emails resembles “Shipping docs#330” (shipping documents), and the body asks the recipient to confirm the document. A sample email follows:
As the example shows, the email carries a .z archive attachment named “DOC000YUT600.pdf.z”. Inside it is a file named “DOC000YUT600.scr” (a Windows screensaver file, which is simply an executable); running it installs the DarkComet RAT on the recipient’s computer.
The DarkComet RAT installs itself under %UserProfile%\Music\ or %UserProfile%\Videos\. Finding an executable named “regdrv.exe” or “Regdriver.exe” in either of these folders is enough to conclude that the computer is infected. Note also that the DarkComet RAT creates an autostart entry named “Registry Driver” during installation, so its executable runs automatically every time you log in to Windows.
As Vishal Thakur verified, once the DarkComet RAT executable runs it begins logging which installed programs are used and every keystroke typed, saving the logs to the %UserProfile%\AppData\Roaming\dclogs\ folder. These log files are then uploaded to the attacker at intervals. An example of a DarkComet RAT log file is shown below:
On top of that, an attacker can connect to your computer through the DarkComet RAT to execute commands, chat with you, take screenshots of active windows and perform other malicious actions. In other words, once your computer is infected with the DarkComet RAT, you stand to lose a great deal of sensitive information, which attackers can use for extortion or theft.
As always, to avoid a DarkComet RAT infection we recommend installing reputable anti-virus software and keeping it up to date. Since this new version of the DarkComet RAT is distributed via spam email, we also recommend that you do not open emails from unknown senders, and above all that you do not open their attachments. Even when an attachment comes from a trusted contact, scan it with your anti-virus software (or VirusTotal) before opening it, to make sure it does not contain any malicious documents or files.
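The indicators above (the dropped executable names, the dclogs folder and the “Registry Driver” autostart item) are easy to check for programmatically. The following Python script is an added example, not code from this article or from Vishal Thakur’s report: it triages one user-profile directory, either the live user’s profile or a profile copied out of a disk image, for those artifacts. The article does not say where the autostart entry lives, so the script assumes the per-user Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and only queries it on Windows; the throw-away profile built by `demo()` and the log file name it plants are constructed test data, not a real infection.

```python
"""Host triage for the DarkComet/PeaRAT indicators named in the article.

Added example, not the article's or Vishal Thakur's code. Checks:
  * regdrv.exe / Regdriver.exe under <profile>\Music\ or <profile>\Videos\
  * the keylog directory <profile>\AppData\Roaming\dclogs\
  * an autostart value named "Registry Driver" (location assumed, see RUN_KEY)
"""
import os
import sys
from pathlib import Path

DROPPER_NAMES = {"regdrv.exe", "regdriver.exe"}   # compared case-insensitively
DROP_DIRS = ("Music", "Videos")
LOG_DIR = Path("AppData") / "Roaming" / "dclogs"
AUTORUN_NAME = "Registry Driver"
# ASSUMPTION: the article only gives the entry's name; the per-user Run key is
# the usual place for such an item and is the one checked here (Windows only).
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def find_dropped_executables(profile: Path) -> list:
    """Return paths of any regdrv.exe / Regdriver.exe found in Music or Videos."""
    hits = []
    for d in DROP_DIRS:
        folder = profile / d
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file() and entry.name.lower() in DROPPER_NAMES:
                hits.append(entry)
    return hits


def find_keylog_dir(profile: Path):
    """Return (dclogs dir, sorted list of files in it) if it exists, else None."""
    logdir = profile / LOG_DIR
    if not logdir.is_dir():
        return None
    return logdir, sorted(p for p in logdir.iterdir() if p.is_file())


def find_autorun_entry():
    """Return the 'Registry Driver' Run value on a live Windows host, else None."""
    if sys.platform != "win32":
        return None
    import winreg  # standard library, Windows only
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, AUTORUN_NAME)
            return value
    except OSError:  # key or value absent
        return None


def triage(profile: Path, check_registry: bool = True) -> dict:
    """Collect every indicator for one profile directory and summarise."""
    logs = find_keylog_dir(profile)
    findings = {
        "dropped_executables": find_dropped_executables(profile),
        "keylog_dir": logs[0] if logs else None,
        "keylog_files": logs[1] if logs else [],
        "autorun_value": find_autorun_entry() if check_registry else None,
    }
    findings["infected"] = bool(
        findings["dropped_executables"] or findings["keylog_dir"] or findings["autorun_value"]
    )
    return findings


def demo(planted: bool = True) -> dict:
    """Run triage on a constructed temporary profile (sample data, not a real
    infection). With planted=True the article's artifacts are created first."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        (profile / "Music").mkdir()
        (profile / "Videos").mkdir()
        if planted:
            (profile / "Videos" / "Regdriver.exe").write_bytes(b"MZ")  # fake stub
            logdir = profile / LOG_DIR
            logdir.mkdir(parents=True)
            # constructed log name; contents are placeholder text
            (logdir / "2018-08-26-5.dc").write_text("[constructed sample keylog]\n")
        result = triage(profile, check_registry=False)
        # the temp dir disappears on exit, so reduce paths to names for the caller
        result["dropped_executables"] = [p.name for p in result["dropped_executables"]]
        result["keylog_files"] = [p.name for p in result["keylog_files"]]
        result["keylog_dir"] = str(result["keylog_dir"]) if result["keylog_dir"] else None
        return result


if __name__ == "__main__":
    # Default: the current user's profile on a live host. Pass a mounted or
    # copied profile root (e.g. from a disk image) as the first argument instead.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(os.path.expanduser("~"))
    for key, value in triage(root).items():
        print(f"{key}: {value}")
```

Run it with no arguments on a suspect Windows machine, or point it at `E:\Users\victim` when the profile comes from a mounted image (the registry check is skipped there, since the image's hive is not the live HKCU). File names are matched case-insensitively because the article gives two spellings of the dropper, and the script treats any one indicator as sufficient, mirroring the article's claim that the executable alone proves infection.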
Source, Image: joshlemon