The Prevalence of DarkComet in Dynamic DNS

Summary: This report discusses the use of Dynamic DNS (DDNS) by threat actors, particularly focusing on the DarkComet malware, which is frequently deployed through various malicious methods. It highlights the advantages of DDNS for command and control (C2) infrastructure in cyberattacks and the risks posed by compromised systems.

Threat Actor: Unknown | DarkComet
Victim: Various individuals and organizations | DarkComet malware victims

Key Points:

  • Dynamic DNS allows attackers to easily change IP addresses, evading IP-based blocking and maintaining control over their C2 infrastructure.
  • DarkComet malware is predominantly deployed through phishing emails, bundling with legitimate software, and exploiting vulnerabilities.
  • Once a system is compromised, DarkComet can download additional malware to extend functionality, establish persistence, and create botnets.
  • Turkey has been identified as a significant location for DarkComet C2 deployments, with a notable trend in its usage continuing into 2024.

Threat Intelligence Report

Date: August 6, 2024

Prepared by: David Brunsdon, Threat Intelligence – Security Engineer, HYAS

Dynamic DNS (DDNS) is a service that automatically updates the Domain Name System (DNS) in real-time to reflect changes in the IP addresses of a domain. Unlike traditional static DNS, where the IP address associated with a domain remains constant, dynamic DNS allows for the association between a domain and an IP address to be updated frequently. This capability is particularly useful for devices or networks with frequently changing IP addresses, such as home networks, small businesses, or mobile devices.

Dynamic DNS services are widely used for legitimate purposes, including remote access to home networks, managing internet-connected devices, and enabling consistent access to websites or services hosted on networks with dynamic IP addresses. However, the same features that make dynamic DNS useful for legitimate users can also be exploited by threat actors for malicious purposes.


Using dynamic DNS for command and control (C2) infrastructure in cyberattacks offers several benefits for threat actors, including:

  1. Easy Access to a Domain Name: Registering a domain at a traditional registrar requires personal information and usually a credit card number, which is undesirable for an actor trying to hide their identity. A hostname under a dynamic DNS provider's own zone typically requires nothing more than a free account.
  2. Evasion of IP-based Blocking: Dynamic DNS allows attackers to frequently change the IP address associated with their C2 domain. This makes it harder for defenders to block C2 traffic based solely on IP addresses, as the domain can resolve to different IPs over time.
  3. Persistence and Resilience: By using dynamic DNS, attackers can maintain control over their C2 infrastructure even if specific IP addresses are taken down or blacklisted. They can simply update the DNS records to point to a new IP address, ensuring continuous communication with their malware.
  4. Global Reach: Dynamic DNS services often have servers and points of presence worldwide, enabling attackers to distribute their C2 infrastructure globally, making it more challenging to track and disrupt.
  5. Flexibility: Dynamic DNS allows attackers to quickly move their C2 infrastructure across different networks and hosting providers, adapting to defensive measures and maintaining control over infected machines.
  6. Reduced Downtime: In the event of a takedown or disruption of a C2 server, dynamic DNS enables attackers to quickly re-establish communication with compromised systems by updating the DNS records, minimizing downtime and the risk of losing control over their botnet or malware network.
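The flip side of points 2 and 3 is that the hostname itself has to stay stable, because that is what the implant is configured with, so the defender's leverage is on the name rather than the address. The Python below is an added example, not code from the HYAS report: it parses a few constructed resolver log lines, restricts attention to hostnames under a short sample list of dynamic DNS apex zones, and flags any hostname that resolved to several distinct IPs inside a 24-hour window. The log format, the zone list and the thresholds (three distinct IPs in 24 hours) are assumptions chosen for the illustration.

```python
"""Flag dynamic DNS hostnames with churning A records in resolver logs.

Added example, not code from the HYAS report. The log format, the DDNS zone
list and the thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Sample apex zones operated by dynamic DNS providers (assumed, not exhaustive;
# a real deployment loads a maintained list).
DDNS_ZONES = {"no-ip.org", "ddns.net", "hopto.org", "duckdns.org", "dyndns.org"}

# Constructed resolver log lines: "<timestamp> <client> <qname> <rtype> <rdata>".
SAMPLE_LOG = """\
2024-06-01T08:00:00Z 10.0.0.5 update.example-corp.com A 203.0.113.10
2024-06-01T08:05:00Z 10.0.0.5 svc-relay.ddns.net A 198.51.100.7
2024-06-01T09:10:00Z 10.0.0.5 svc-relay.ddns.net A 198.51.100.7
2024-06-01T12:30:00Z 10.0.0.7 svc-relay.ddns.net A 192.0.2.44
2024-06-01T18:45:00Z 10.0.0.5 svc-relay.ddns.net A 192.0.2.91
2024-06-02T02:15:00Z 10.0.0.5 svc-relay.ddns.net A 203.0.113.200
2024-06-01T08:06:00Z 10.0.0.9 home-cam.duckdns.org A 198.51.100.30
2024-06-02T08:06:00Z 10.0.0.9 home-cam.duckdns.org A 198.51.100.30
2024-06-01T08:07:00Z 10.0.0.9 www.example-corp.com A 203.0.113.10
"""


def ddns_zone(qname):
    """Return the dynamic DNS apex zone a hostname falls under, or None."""
    labels = qname.lower().rstrip(".").split(".")
    # Test every suffix of two or more labels, e.g. "relay.ddns.net" -> "ddns.net".
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in DDNS_ZONES:
            return suffix
    return None


def parse_log(text):
    """Parse A-record log lines into (timestamp, client, qname, ip) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rtype, rdata = line.split()
        if rtype != "A":
            continue
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append((stamp, client, qname.lower().rstrip("."), rdata))
    return records


def churn_report(records, window=timedelta(hours=24), min_ips=3):
    """Map each DDNS hostname to the largest number of distinct IPs it
    resolved to within any `window`, keeping only those reaching min_ips."""
    answers = defaultdict(list)
    for stamp, _client, qname, ip in records:
        if ddns_zone(qname):
            answers[qname].append((stamp, ip))
    flagged = {}
    for host, seen in answers.items():
        seen.sort()
        peak = 0
        for i, (start, _) in enumerate(seen):
            # Distinct answers in the window that opens at this observation.
            ips = {ip for stamp, ip in seen[i:] if stamp - start <= window}
            peak = max(peak, len(ips))
        if peak >= min_ips:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for host, n in churn_report(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {n} distinct A records within 24h")
```

The result of churn_report is keyed by hostname, which is what a block or alert rule should key on, since the IP will have moved by the time anyone acts on it. Two caveats: benign dynamic DNS users on residential connections churn as well, so the threshold needs baselining against the environment; and an implant that beacons once a day leaves few observations in local resolver logs even when the record changes often, so passive DNS from a broader vantage point complements this view.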

Dynamic DNS Services Used by Threat Actors

Dynamic DNS services have many benign users, but they can also be used by threat actors in phishing attacks and within malware to communicate with command and control (C2) infrastructure.

Using HYAS Insight threat intelligence, the HYAS team was able to analyze some dynamic DNS registrations from Q1 and Q2 of 2024 that originated in Turkey. The registration data we analyzed contained the registered domain name, the A record IP, and the IP address used when opening an account with the provider. We then identified which domains were malicious by cross-referencing this data against our malware data to determine which have been used this year in command and control.

An interesting trend emerged in the malware families identified: most of the malware were remote access trojans (RATs), and DarkComet alone accounted for over 50% of the malicious domains we identified. DarkComet has been available for download for over a decade and has been researched thoroughly over the years. It has the typical RAT capabilities, including keylogging, microphone capture, webcam capture, and remote access control. It has also been used in numerous high-profile incidents, such as the 2012 attack on Miss Teen USA.

In data analyzed in the 2020 paper Dark Matter: Uncovering the DarkComet RAT Ecosystem, Turkey is identified as the country with the highest number of DarkComet C2 deployments. Our data suggests that DarkComet's popularity in Turkey continues today.
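The cross-referencing step described above reduces to a join between the registration data and malware-sighting data, followed by a pivot on the fields the registration records carry. The Python below is an added example and not HYAS's pipeline: every record and sighting is constructed, the three-field layout (domain, A record, account IP) is an assumption modelled on the fields named in the text, the provider zones serve only to make the hostnames realistic, and the second malware family is an unnamed placeholder.

```python
"""Join dynamic DNS registration records with malware C2 sightings and pivot
on shared account IPs and A records.

Added example, not the HYAS Insight pipeline. All records are constructed and
the (domain, A record, account IP) layout is an assumption.
"""
from collections import Counter, defaultdict

# Constructed registration records: (domain, A record at registration, IP used
# to open the provider account). Addresses are from documentation ranges.
REGISTRATIONS = [
    ("winupdate-tr.ddns.net", "203.0.113.15", "198.51.100.200"),
    ("ofis-destek.hopto.org", "203.0.113.15", "198.51.100.200"),
    ("kamera-ev.duckdns.org", "192.0.2.80", "198.51.100.201"),
    ("oyun-server.no-ip.org", "203.0.113.77", "198.51.100.202"),
    ("yedek-sunucu.ddns.net", "203.0.113.77", "198.51.100.202"),
    ("fatura-2024.ddns.net", "198.51.100.9", "198.51.100.203"),
]

# Constructed malware data: domain -> family observed using it for C2.
# "other RAT" stands in for any second family; it is a placeholder label.
C2_SIGHTINGS = {
    "winupdate-tr.ddns.net": "DarkComet",
    "oyun-server.no-ip.org": "DarkComet",
    "fatura-2024.ddns.net": "other RAT",
}


def known_malicious(registrations, sightings):
    """Registered domains that malware data has seen used for C2, with family."""
    return {domain: sightings[domain]
            for domain, _a, _acct in registrations if domain in sightings}


def family_share(malicious):
    """Fraction of confirmed C2 domains attributed to each malware family."""
    counts = Counter(malicious.values())
    total = sum(counts.values())
    return {family: n / total for family, n in counts.items()}


def pivot_candidates(registrations, malicious):
    """Domains not yet in malware data that share an account IP or an A record
    with a confirmed C2 domain, mapped to their (pivot field, value) reasons."""
    by_account = defaultdict(set)
    by_arecord = defaultdict(set)
    for domain, a_rec, acct_ip in registrations:
        by_account[acct_ip].add(domain)
        by_arecord[a_rec].add(domain)

    candidates = defaultdict(set)
    for domain, a_rec, acct_ip in registrations:
        if domain not in malicious:
            continue
        for sibling in by_account[acct_ip] - {domain}:
            if sibling not in malicious:
                candidates[sibling].add(("account_ip", acct_ip))
        for sibling in by_arecord[a_rec] - {domain}:
            if sibling not in malicious:
                candidates[sibling].add(("a_record", a_rec))
    return dict(candidates)


if __name__ == "__main__":
    malicious = known_malicious(REGISTRATIONS, C2_SIGHTINGS)
    for family, share in family_share(malicious).items():
        print(f"{family}: {share:.0%} of confirmed C2 domains")
    for domain, reasons in pivot_candidates(REGISTRATIONS, malicious).items():
        print(f"candidate {domain}: {sorted(reasons)}")
```

known_malicious is the join, family_share produces the per-family breakdown in which DarkComet's majority shows up, and pivot_candidates lists domains that share an account IP or current A record with a confirmed C2 domain but have not yet appeared in malware data. Treat those as leads for an analyst rather than verdicts: an account IP may be a shared VPN exit or a carrier-grade NAT address, and a dynamic DNS A record points at a residential or VPS address that is reassigned to other users over time.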

Deploying DarkComet Malware

DarkComet malware deployment is typically conducted using several methods:

  1. Phishing Emails: Attackers often use phishing emails to trick victims into downloading and executing DarkComet. These emails might contain malicious attachments or links to websites hosting the malware. The malware can be hidden in seemingly benign files such as Word documents, PDFs, or executable files. When the victim opens the attachment, the malware is executed.
  2. Bundling with Legitimate Software: Attackers sometimes bundle DarkComet with legitimate software, especially on unofficial download sites. When the user installs the software, DarkComet is installed as well.
  3. Social Engineering: Attackers may use various social engineering techniques to convince victims to run the malware. This can include posing as technical support, fake software updates, or other ruses.
  4. Exploiting Vulnerabilities: Exploiting software vulnerabilities in the victim’s system to install DarkComet without user interaction is another method. This can include exploiting

Risks to a Compromised System

DarkComet is a serious threat because it can download additional files to extend the impact and level of compromise. Once a system has been compromised, the threat actor could download additional malware to:

  1. Extend Functionality: By downloading additional malware, attackers can extend the functionality of the initial infection, adding new capabilities such as data exfiltration, credential theft, or further system manipulation.
  2. Establish Persistence: Downloading additional components can help establish and maintain persistence on the infected system. For instance, installing rootkits or other persistent backdoors ensures continued access even if the initial RAT is detected and removed.
  3. Create a Botnet: DarkComet can be used to turn infected machines into part of a botnet. The additional malware files can include other RATs or bots that connect to a command-and-control server, allowing coordinated attacks or data harvesting from multiple compromised systems.
  4. Spread Laterally: Downloading additional tools can facilitate lateral movement within a network, enabling attackers to compromise more machines and escalate privileges within the targeted environment.
  5. Conduct Specific Attacks: Attackers can download specialized malware to conduct specific attacks, such as ransomware to encrypt files and demand a ransom, spyware to monitor user activities, or wipers to destroy data.

IOCs

Using HYAS Insight threat intelligence, we collected a list of domains registered by actors in Turkey in 2024, including details such as A records, e-mail addresses, and the actor IPs associated with specific domains. Due to the sensitive nature of these IOCs, we have withheld them from this report. If you would like access to these IOCs, please contact HYAS directly for more information.


Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report’s information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.


*** This is a Security Bloggers Network syndicated blog from HYAS Blog – 2024 authored by David Brunsdon. Read the original post at: https://www.hyas.com/blog/the-prevalence-of-darkcomet-in-dynamic-dns

Source: https://securityboulevard.com/2024/08/the-prevalence-of-darkcomet-in-dynamic-dns