October 24, 2016

DarkComet RAT developer shuts down project

(LiveHacking.Com) – The developer of the DarkComet Remote Administration Tool (RAT) has put an end to the project because of its abuse and use by malware writers. Jean-Pierre LESUEUR posted the announcement on the official site as well as on Twitter and Pastebin.

Once installed on a remote machine, the DarkComet RAT allows a remote “administrator” to completely control the target machine. Its functionality included webcam streaming, desktop streaming, microphone streaming and keylogging. Because of its effectiveness it became the preferred tool of malware writers, who would include the RAT as part of their payload. The tool was implicated in many different types of attacks, including attempts to spy on anti-regime activists in Syria.

The tool was designed to be covert and, as its feature list mentioned, it could be used “without disturbing the remote user”. It was capable of reading passwords from web browsers including Google Chrome, Opera and Mozilla Firefox. It could also record video and audio from any attached webcams or microphones.

“I have devoted years with a nonprofit philosophy for you to enjoy without asking anything in return other than respect of the rules, unfortunately some of you couldn’t respect the terms so because of you (generally speaking) made the DarkComet RAT geo cruiser end,” said Jean-Pierre LESUEUR.

It seems as if pressure had been mounting on Jean-Pierre over the misuse of his software. In his statement he added: “so many of you seem to believe I can be held responsible of your actions, and if there is something I will not tolerate is to have to pay the consequences for your mistakes and I will not cover for you.”

Recent changes to laws in various countries have left developers accountable for the misuse of their security tools. In June, for example, the developer of the Blackshades RAT was arrested. However, it is worth noting that Blackshades was developed with malicious intent (unlike DarkComet).

Jean-Pierre re-emphasised his original goal of providing tools for educational purposes and for people who legitimately want to check on a remote machine (for example, parents monitoring their kids).

The official website has been significantly cut down and the tool is no longer available for download. However, two related tools are still available on the site: one to detect any running instance of DarkComet in memory (even when packed, compressed, virtualized, etc.) and another to extract the configuration data embedded in a DarkComet stub. Fortunately, the source code for DarkComet has never been released, and hopefully the lack of future development will mean its use withers away.

Hacked Skype accounts used to spread Trojan that spies on Syrian activists

(Credit: EFF)

A new remote access trojan (RAT), known as BlackShades, has been found targeting Syrian activists. The Trojan, which is being distributed via instant messages sent from hacked Skype accounts, contains surveillance capabilities that are being used to spy on anti-regime activists in Syria.

According to the Electronic Frontier Foundation, BlackShades is part of an ongoing campaign that uses social engineering to install surveillance software on the machines of Syrian opposition activists. The campaign also includes numerous phishing attacks that attempt to steal YouTube and Facebook login information.

Previous attacks installed versions of the remote access tool DarkComet RAT, which the EFF says sends information back to an IP address in Syria. The BlackShades RAT, used in the latest attacks, has keystroke logging and remote screenshot capabilities. The malware is distributed via Skype as a “.pif” file.

The conversation shown in the picture comes from the compromised Skype account of an officer of the Free Syrian Army. The sender claims that the link is to an important new video, but in fact it is the Trojan. Later, a friend of the officer asked whether his account was safe, and he replied that his account had been compromised.

“EFF urges Syrian activists to be especially cautious when downloading files over the internet, even in links that are purportedly sent by friends,” EFF’s Eva Galperin and Morgan Marquis-Boire wrote. “As members of the Syrian opposition become more savvy in using encryption, satellite networks, and other tools to evade the Assad regime’s extensive internet surveillance capabilities, pro-Syrian-government malware campaigns have increased in frequency and sophistication.”

A more detailed analysis of the Trojan can be found here.