Researchers analyzing the Dark Comet remote access Trojan (RAT) program say that data from more than 400 campaigns suggests the malicious program is being used for a wide range of jobs, from attacks on online gamers, to potential hacks of air force bases and government Web sites.
In a blog entry, Curt Wilson of Arbor Networks said that Dark Comet is being mass-customized to serve in a wide range of campaigns, leaving malware researchers to guess at the goal of each attack from clues such as the attackers' choice of passwords, server IDs and file names.
Wilson looked at Dark Comet through the lens of five separate campaigns. By dissecting the approximately 4,000 Dark Comet malware samples the company has available, Arbor was able to find some clues to their origins.
“While it is of course possible for any attacker to set any password, C&C or server ID or name for any reason such as for misdirection purposes, it is also possible that these elements may reflect the intent of the campaign and give a hint towards the actors behind the scenes,” writes Wilson.
Arbor noted that one campaign server, "SearchandDestroy_GOV," was likely redirecting traffic for .gov sites to fake pages or launching man-in-the-middle attacks, judging by how the hosts file had been modified on infected machines.
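A practitioner triaging a suspected infection would want to check the hosts file for exactly that kind of tampering. The script below is an added example and is not code from Arbor's post or from the Dark Comet campaign; it parses a hosts file, flags entries that redirect a hostname to a non-local address (the pattern behind fake-site or man-in-the-middle redirection), and separately flags entries that sinkhole a hostname to loopback, a related trick for cutting a machine off from update or security vendor domains that the article does not describe. The sample hosts file, the `example.gov` and `example-av.com` names and the 203.0.113.45 address are all constructed for this example (the address comes from the documentation range and belongs to no real host).

```python
import ipaddress
import sys

# Constructed sample hosts file, in the shape of the Windows
# %SystemRoot%\System32\drivers\etc\hosts file after tampering.
# Hostnames and addresses are hypothetical.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are constructed for this example
203.0.113.45    www.example.gov
203.0.113.45    login.example.gov   # hypothetical lookalike redirect
127.0.0.1       update.example-av.com
0.0.0.0         ads.example.net
"""


def parse_hosts(text):
    """Return (ip, hostname, line_no) triples for every hostname on every
    non-comment line; lines whose first token is not an IP are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line, not an entry
        for host in parts[1:]:
            entries.append((str(ip), host.lower(), line_no))
    return entries


def classify(entries, watch_suffixes=(".gov",)):
    """Label each entry. 'redirect' means the name is sent to a non-local
    address (fake site / MITM hallmark); 'redirect-watched' is the same for a
    watched suffix such as .gov; 'blocked' means the name is sinkholed to
    loopback or 0.0.0.0. The normal localhost lines are ignored."""
    findings = []
    for ip_str, host, line_no in entries:
        ip = ipaddress.ip_address(ip_str)
        local = ip.is_loopback or ip.is_unspecified
        if host == "localhost" and local:
            continue                          # stock entry, not a finding
        if local:
            findings.append(("blocked", host, ip_str, line_no))
        elif host.endswith(watch_suffixes):
            findings.append(("redirect-watched", host, ip_str, line_no))
        else:
            findings.append(("redirect", host, ip_str, line_no))
    return findings


def redirect_targets(findings):
    """Group redirected hostnames by destination address: several unrelated
    names pointing at one address is the signature of a MITM proxy."""
    targets = {}
    for kind, host, ip_str, _ in findings:
        if kind.startswith("redirect"):
            targets.setdefault(ip_str, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in targets.items()}


def report(text):
    """Human-readable summary of a hosts file; used by the command-line entry."""
    findings = classify(parse_hosts(text))
    lines = [f"line {n}: {kind} {host} -> {ip}" for kind, host, ip, n in findings]
    for ip, hosts in redirect_targets(findings).items():
        lines.append(f"{ip} receives {len(hosts)} redirected name(s): {', '.join(hosts)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass a real hosts file path as the first argument; otherwise use the sample.
    data = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_HOSTS
    print(report(data))
```

Run it against a copy of the hosts file pulled from a suspect machine; two or more watched domains resolving to the same non-local address is the condition worth escalating, while a single loopback entry for an ad domain is usually just an ad blocker.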
Elsewhere the firm deduced that another campaign, which used a server named "SynBots" and a Command and Control (C&C) infrastructure named "syncenter," was aimed at gamers and gaming communities. The campaign looked for files like "Runescape Dicking Hack.resources" and "Runescape Dicing Hack.resources.exe," a reference to the popular MMORPG.
The Dark Comet RAT and others with names like Xtreme RAT are being used more widely by cyber criminals as well as by oppressive regimes. The Syrian government, which is engaged in a civil war, has used such Trojans to attack and spy on anti-government activists and dissidents. The Trojans' use as a tool for political repression ultimately rubbed DarkcoderSC, the creator of Dark Comet, the wrong way: the hacker announced earlier this week plans to suspend development and sales of the Trojan. To read the blog entry, head to Arbor's Security Blog.