Exterminating the RAT Part I: Dissecting Dark Comet Campaigns

By: cwilson

It should be abundantly clear that there are serious concerns at play when dealing with Remote Access Trojans (RATs), as they are used in many espionage-style attacks in which sensitive data and valuable intellectual property are stolen. Occasionally a RAT is also used to launch DDoS attacks, but that use is less common. The real value of the RAT to the attacker is its core remote-control functionality, which breaches the confidentiality and integrity of the victim and the victim's network by giving the attacker full access to the target system. Monitoring of all keystrokes (including passwords and sensitive data entered on secure sites), control of file upload/download, the ability to steal any file, access to network shares, spying via webcam or microphone, downloading and installing additional malware, and other features make these RATs a formidable threat when wielded by a focused attacker. A common targeted-attack methodology starts with initial network penetration by compromising one or more systems and installing a RAT, or something similar to a RAT, that calls back to the attacker. Once the RAT is installed, the infected system becomes a valuable launching pad from which the attacker can move laterally on the internal network, seeking information of value to the goals of the attacker's campaign.

 

Arbor Networks and others have previously profiled the Dark Comet Remote Access Trojan (RAT). While the author of Dark Comet claims that the tool is not intended for malicious purposes, it has been used in many malicious campaigns, including the recent attack on Syrian opposition leaders, in which the Dark Comet Trojan was delivered to them disguised as a Skype component. Dark Comet is clearly popular, free and stable enough for many attack campaigns with varying motives, and therefore provides some insight into this arena.

When an organization is hit by a RAT infection, it can be helpful to try to determine what the attacker was up to and which indicators point towards their motives. Using a combination of open source intelligence and ASERT insight, we will try to piece together some interesting elements. While these indicators can help, unless verbose logging or system/network monitoring is in place it can be difficult, if not impossible, to determine every action taken via the RAT. Unfortunately, a “wipe and reload” approach isn’t sufficient to determine what took place; an extensive analysis may need to be undertaken to determine the depth and scope of the breach.

In this first part of the RAT series we will profile several potentially interesting Dark Comet campaigns that we have discovered. Future entries in the series will cover other RAT campaigns of interest as our research delivers additional insights.

Interesting campaign indicators

How might we start narrowing down the campaigns of interest from among the 4000+ Dark Comet samples in our malware analysis repository? One method is to look at the passwords, server IDs and Command & Control (C&C) infrastructure used by the RAT itself. While it is of course possible for any attacker to set any password, C&C or server ID or name for any reason, including misdirection, it is also possible that these elements reflect the intent of the campaign and hint at the actors behind the scenes. Attackers may also be smart enough to use very vague or generic names for all of the user-selected components of a RAT campaign in order to reduce visibility and fly under the radar.
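The triage described above can be scripted once the configuration fields have been extracted from each sample. The following Python is an added example, not code from the original post or from ASERT: it scores records on the operator-chosen fields the post pivots on (password, server ID, C&C host and port, and the mutex where a sandbox reported one) and groups hashes by C&C host. The first three records are copied from the post's campaign tables; the last two, the watchword list, the dynamic-DNS suffix list and the mutex field are constructed assumptions for this example.

```python
"""Triage extracted DarkComet configuration indicators.

Added example (not from the original post or from Arbor/ASERT). Each record
holds the fields the post pivots on: C&C host:port, password, server ID, MD5
and (where a sandbox reported one) the mutex. Rows 1-3 of SAMPLES are copied
from the post's campaign tables; rows 4-5 are constructed. The watchword list
and dynamic-DNS suffixes are assumptions for this example.
"""
import re
from collections import defaultdict

# Operator-chosen strings are free text; these are terms an analyst might
# choose to watch for (constructed list, extend per investigation).
WATCHWORDS = ("gov", "mil", "bank", "boeing", "army", "police", "bifrost", "xtreme")

# Dynamic-DNS zones that recur as C&C names in the post (suffix list is an assumption).
DYNDNS_SUFFIXES = (".no-ip.org", ".no-ip.net", ".no-ip.biz", ".dyndns.org")

DARKCOMET_DEFAULT_PORT = 1604  # DarkComet's default listener port, used by most rows in the post

SAMPLES = [
    {"cnc": "41.132.36.63:1604", "password": "Boeing747!@#Legacy123", "server_id": "Guest16",
     "md5": "40f1aac00c440ed7811cd042bca1b4d8", "mutex": ""},
    {"cnc": "ratnetwork.no-ip.net:1604", "password": "", "server_id": "SearchandDestroy_GOV",
     "md5": "2770f5bd84bb585d449a7c0e1223920f", "mutex": ""},
    {"cnc": "syncenter.no-ip.org:6002", "password": "roflcopter", "server_id": "SynBots",
     "md5": "4fdcc3e11d84d11df182375e83d52938", "mutex": ""},
    # Constructed: a second build talking to the campaign #2 host, with a DC-prefixed mutex.
    {"cnc": "ratnetwork.no-ip.net:1604", "password": "", "server_id": "SearchandDestroy_GOV",
     "md5": "00000000000000000000000000000001", "mutex": "DCEXAMPLE01"},
    # Constructed: a noisy test build with default-looking settings.
    {"cnc": "10.0.0.5:1604", "password": "test", "server_id": "Guest16",
     "md5": "00000000000000000000000000000002", "mutex": ""},
]


def password_classes(pw):
    """Return how many of the lower/upper/digit/symbol classes appear in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def score_sample(s):
    """Return (score, reasons) for one config record; one point per heuristic hit."""
    host, _, port = s["cnc"].rpartition(":")
    port = int(port)
    pw = s.get("password") or ""
    blob = (pw + " " + (s.get("server_id") or "")).lower()
    reasons = []
    hits = [w for w in WATCHWORDS if w in blob]
    if hits:
        reasons.append("watchword:" + ",".join(hits))
    # A long, four-class password suggests a deliberate operator rather than a default.
    if len(pw) >= 12 and password_classes(pw) == 4:
        reasons.append("deliberate-password")
    if host.lower().endswith(DYNDNS_SUFFIXES):
        reasons.append("dyndns-c2")
    if port != DARKCOMET_DEFAULT_PORT:
        reasons.append("nondefault-port:%d" % port)
    # The post notes that DarkComet's default mutex names start with "DC".
    if (s.get("mutex") or "").startswith("DC"):
        reasons.append("dc-mutex")
    return len(reasons), reasons


def triage(samples):
    """Rank records: highest score first, then by C&C string for stable output."""
    ranked = []
    for s in samples:
        score, reasons = score_sample(s)
        ranked.append({"score": score, "reasons": reasons, **s})
    return sorted(ranked, key=lambda r: (-r["score"], r["cnc"]))


def pivot_by_host(samples):
    """Group sample hashes by C&C hostname, the pivot the post uses across campaigns."""
    groups = defaultdict(set)
    for s in samples:
        host = s["cnc"].rpartition(":")[0].lower()
        groups[host].add(s["md5"])
    return {h: sorted(m) for h, m in groups.items()}


if __name__ == "__main__":
    for r in triage(SAMPLES):
        print("%d  %-28s %-32s %s" % (r["score"], r["cnc"], r["md5"], ", ".join(r["reasons"])))
    for host, hashes in pivot_by_host(SAMPLES).items():
        if len(hashes) > 1:
            print("pivot: %s seen in %d samples" % (host, len(hashes)))
```

The score is deliberately additive and coarse: it is a sort key for deciding which of thousands of configs an analyst reads first, not a verdict, and a generic-looking record (as the post warns) can still belong to a serious campaign.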

Campaign #1: Password contains the phrase “Boeing747”

C&C name/IP address : port: 41.132.36.63:1604
Password: Boeing747!@#Legacy123
Server ID: Guest16
MD5 hash: 40f1aac00c440ed7811cd042bca1b4d8

The password caught my eye because of its contents and also its length and use of mixed case, numbers and special characters. The use of “Boeing747” may have nothing to do with a real Boeing 747 and could simply have been chosen to make a strong password. The C&C in this case is a South African IP, apparently located in an area called Centurion, which houses two Air Force bases, which could account for the password reference. There is clearly not enough information available here to determine motive. Very little public information turns up when searching for the MD5: only virus scan results showing that many antivirus scans from early 2011 give a generic detection name, except for one vendor that alerts on “BackDoor.Comet.16” and two other vendors that alert using the name “Fynloski”. Enterprises seeing hits that match these names need to be aware of what they are dealing with and take proper investigative measures to determine the intent and scope of the breach.

Campaign #2: Server ID “SearchandDestroy_GOV”

C&C name/IP address : port: ratnetwork.no-ip.net:1604
Password: (none listed)
Server ID: SearchandDestroy_GOV
MD5 hash: 2770f5bd84bb585d449a7c0e1223920f

This campaign, while noisy, is a little more interesting as it suggests that the attacker may be experimenting with redirecting .gov sites. After infection, the hosts file of the infected machine has been changed, with the following entries added:

www.x.gov: 74.208.130.89
x.gov: 74.208.130.89
www.security.gov: 74.208.130.89
brandon.gov: 74.208.130.89
www.brandon.gov: 74.208.130.89
www.searchanddestroy.gov: 74.208.130.89
security.gov: 74.208.130.89
searchanddestroy.gov: 74.208.130.89

These are all bogus domains; however, the change illustrates the potential to redirect an unsuspecting user or to perform a man-in-the-middle attack. The destination IP address is a webserver hosting several virtual domains, which included “underworldhacking.com”.
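A hosts-file modification like the one above is cheap to check for during an investigation. The following Python is an added example, not code from the original post: it parses a Windows hosts file, ignores the stock loopback lines, and flags every name pinned to a non-local address, with .gov/.mil names and a single address absorbing many names (the fan-in pattern the post shows) called out separately. The post's sandbox output lists the entries as "name: IP"; a real hosts file stores them as "IP name", which is what the constructed HOSTS_SAMPLE reproduces, together with a constructed ad-blocking sinkhole line to show that not every non-loopback entry is malicious.

```python
"""Audit a Windows hosts file for RAT-style redirections.

Added example (not from the original post). HOSTS_SAMPLE is constructed: the
default loopback lines, one user-added sinkhole entry, and the eight entries
the post reports for campaign #2, written in real hosts-file order (IP name).
"""
import ipaddress

# Names that legitimately appear in a stock hosts file.
BASELINE_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

HOSTS_SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.invalid   # user-added ad sinkhole (constructed)
74.208.130.89   www.x.gov
74.208.130.89   x.gov
74.208.130.89   www.security.gov
74.208.130.89   brandon.gov
74.208.130.89   www.brandon.gov
74.208.130.89   www.searchanddestroy.gov
74.208.130.89   security.gov
74.208.130.89   searchanddestroy.gov
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostname) per mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower()


def audit_hosts(text, sensitive_suffixes=(".gov", ".mil"), fan_in_threshold=3):
    """Return a list of (line_no, ip, hostname, finding) tuples.

    Findings: 'sensitive-override' (a .gov/.mil name pinned to any address),
    'non-local-override' (any other non-loopback mapping), 'sinkhole' (0.0.0.0
    style entries, usually ad blocking), 'bad-ip' (unparseable address), and a
    per-address 'fan-in:N' when one address absorbs N or more names.
    """
    findings = []
    names_by_ip = {}
    for line_no, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "bad-ip"))
            continue
        if addr.is_loopback and name in BASELINE_NAMES:
            continue
        if addr.is_unspecified:
            findings.append((line_no, ip, name, "sinkhole"))
            continue
        names_by_ip.setdefault(ip, []).append(name)
        kind = "sensitive-override" if name.endswith(sensitive_suffixes) else "non-local-override"
        findings.append((line_no, ip, name, kind))
    for ip, names in names_by_ip.items():
        if len(names) >= fan_in_threshold:
            findings.append((0, ip, ",".join(names), "fan-in:%d" % len(names)))
    return findings


def summarize(findings):
    """Count findings by kind (the 'fan-in:N' entries collapse to the key 'fan-in')."""
    counts = {}
    for _, _, _, kind in findings:
        key = kind.split(":")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line_no, ip, name, kind in audit_hosts(HOSTS_SAMPLE):
        print("%-20s line %-3d %-16s %s" % (kind, line_no, ip, name))
    print(summarize(audit_hosts(HOSTS_SAMPLE)))
```

On a live system the same function can be fed the contents of %SystemRoot%\System32\drivers\etc\hosts; comparing its output against a known-good baseline from a clean build is more reliable than eyeballing the file, since a RAT operator can bury a handful of entries under hundreds of legitimate ones.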

The IP address of the host at the time of the attack, as seen in our analysis infrastructure, was 174.61.238.123; it currently resolves to 38.78.193.22. Both IP addresses are associated with the hostnames ratnetwork.no-ip.net and zombienetwork.no-ip.net.

Campaign #3: Server ID “server-Bifrost1.3” and hostname “9d1.no-ip.org”

C&C name/IP address : port: 9d1.no-ip.org:1604
Password: (none listed)
Server ID: server-Bifrost1.3
MD5 hash: 0e492c93cbaec7b5d4cc432e2c66454f

The C&C name here is associated with multiple RAT campaigns. For example, we see an Arabic-language forum thread in which a user named “9D1” discusses TCP port 288 in a message about “Xtreme RAT” in late 2011. The topic of that thread relates to password theft. Another likely Xtreme RAT campaign, running on TCP port 3460 from late April 2012, is mentioned at http://home.mcafee.com/virusinfo/virusprofile.aspx?key=1063074#none. We also see another Dark Comet campaign on TCP port 3333 in the sandbox output at http://xml.ssdsandbox.net/index.php/6fcb95632b754a941f3e490d5785e7c4, which uses a default DarkComet mutex that starts with the characters DC; the mutex in this case is DC596I04Z1. Clearly, this dynamic address is up to no good. The server name, Bifrost 1.3, could indicate that this attacker or group of attackers is also working with the Bifrost RAT. As of May 29, 2012 this hostname points to the IP address 41.234.27.145, which appears to be located in or near Cairo, Egypt.

Campaign #4: Server ID “SynBots” and C&C named “syncenter”

C&C name/IP address : port: syncenter.no-ip.org:6002
Password: roflcopter
Server ID: SynBots
MD5 hash: 4fdcc3e11d84d11df182375e83d52938

This campaign appears to be aimed at Runescape users or other gaming communities, as indicated by the sample querying file attributes for the following files:

Runescape Dicing Hack.resources.dll
Runescape Dicing Hack.resources
Runescape Dicing Hack.resources.exe

Based on the indicators seen here, the purpose of this particular campaign could be to build a DDoS bot, potentially for use as a host booter to knock other gamers off-line with SYN flood attacks.

Campaign #5: password used “mafia007”, Server ID “Hack Kurd”

A case of watching too much James Bond, or something more threatening?

C&C name/IP address : port: mafia007.no-ip.org:10000
Password: mafia007
Server ID: Hack_Kurd
MD5 hash: 0e492c93cbaec7b5d4cc432e2c66454f

 

It looks as though this particular sample was packed using some type of .NET crypter or packer, which makes the sample more difficult to analyze. The only quickly discovered public reference to this sample by its MD5 hash is a sandbox report at http://xml.ssdsandbox.net/index.php/0e492c93cbaec7b5d4cc432e2c66454f, which reveals basically nothing about the sample except that it was unable to run, generating the error code “KilledByWindowsLoader”.

This sample drops a file C:\Documents and Settings\[Username]\Local Settings\Temp\AdobeUpdate.exe and attempts to enumerate elements of the Microsoft .NET runtime version 2. The nickname “mafia007” and a little digging reveal that the crypter likely used here is called “Crypter Zero” or “Zero Crypter”, which claims to be 100% FUD (fully undetectable by antivirus). This particular crypter is from 2011, and the authors point to an underground file-scanning service to illustrate their point. Zero Crypter is being sold for 50 euro.

While packers can complicate matters, thankfully we have memory dumps that bypass the need to perform a manual unpacking/decrypting process in many cases.

We also determined that an Italian e-mail address containing the string “mafia007” has shown much interest in Dark Comet and other Trojans and has demonstrated the use of the Zero Packer on them. A similar username was found on various underground forums that had been compromised, with passwords leaked by LulzSec.

mafia007.no-ip.org resolved to 151.31.38.204 during the initial sample analysis and currently resolves to 151.82.18.157. Both are Italian IP addresses.

While I cannot be 100% certain, I don’t believe this person to be a serious attacker, based on the weak operational security demonstrated here. Therefore this campaign may be a case of “too much James Bond”, although appearances can be deceiving. It would not be the first time that an attacker has not attempted to hide very well.

Summary

Dark Comet is a very popular RAT that is actively developed and widely used. It can be difficult to determine the motive of the attacker; however, sometimes enough traces are left over to help us piece together the potential goals of a campaign. RAT infections can be very serious, requiring an in-depth investigation to determine the goals of the attacker and the level of risk posed.

Future articles covering other RAT threats will emerge as part of the “Exterminating a RAT” series.

References:

/asert/2012/03/its-not-the-end-of-the-world-darkcomet-misses-by-a-mile/

/asert/wp-content/uploads/2012/03/Crypto-DarkComet-Report.pdf

http://blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/

http://resources.infosecinstitute.com/darkcomet-analysis-syria/

 

Comments

  1. Update: The author of Dark Comet has decided to stop development on Dark Comet. Please see http://www.informationweek.com/news/security/attacks/240003474 for further details. It seems that he is tired of people using the software for illegal purposes and seems to have been impacted by the news of DarkComet being used to spy on Syrians opposed to the president, a move that could have had very serious consequences for those involved. Older versions still exist and will be used for some time, so it’s not time to stop thinking about this RAT but over time it will fade as newer RATs appear.