DarkComet RAT – Proxy

Subject: DarkComet RAT – Proxy

Tactics: TA0011 Command and Control

Technique: T1090 Proxy

Procedure:

The DarkComet RAT uses a connection proxy, specifically SOCKS5, to hide the true command and control (C2) server infrastructure. Because the infected host talks to the proxy rather than to the C2 server directly, the C2 communication is harder to identify and block, which lets the attacker keep persistent control over the infected system.

Vulnerability: EAV0007 When adversaries interact with engagement environments and personas, their future capability, targeting, and/or infrastructure requirements are vulnerable to influence.

Engagement Opportunity:

Implement advanced network traffic analysis tools that can identify and flag suspicious proxy connections, especially SOCKS5 traffic. By analyzing the patterns and characteristics of this traffic, we can potentially uncover the true C2 infrastructure and disrupt the attacker’s command and control capabilities.
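As an added example (not code from the ANY.RUN report or from DarkComet itself), the following minimal RFC 1928 SOCKS5 handshake parser shows what a sensor can extract from the first client-to-server bytes of a flow: whether the flow is a SOCKS5 negotiation, which authentication methods the client offered and, when the no-authentication method is offered, the destination the client asked the proxy to reach. All byte samples are constructed, not captured traffic.

```python
import ipaddress
import struct
from typing import Optional
SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

def parse_greeting(data: bytes) -> Optional[dict]:
    """Client greeting (RFC 1928 s.3): VER=0x05, NMETHODS, METHODS[NMETHODS]."""
    if len(data) < 2 or data[0] != SOCKS_VERSION or not 1 <= data[1] <= len(data) - 2:
        return None
    return {"methods": list(data[2:2 + data[1]]), "consumed": 2 + data[1]}

def parse_request(data: bytes) -> Optional[dict]:
    """Client request (RFC 1928 s.4): VER CMD RSV=0x00 ATYP DST.ADDR DST.PORT."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[2] != 0x00 or data[1] not in CMD_NAMES:
        return None
    atyp, pos = data[3], 4
    if atyp in (ATYP_IPV4, ATYP_IPV6):              # fixed-size packed address
        addr_len = 4 if atyp == ATYP_IPV4 else 16
    elif atyp == ATYP_DOMAIN and len(data) > pos:   # one length byte, then the name
        addr_len, pos = data[pos], pos + 1
    else:
        return None
    addr, pos = data[pos:pos + addr_len], pos + addr_len
    if len(addr) != addr_len or len(data) < pos + 2:  # truncated address or missing port
        return None
    host = addr.decode("ascii", "replace") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(addr))
    return {"cmd": CMD_NAMES[data[1]], "host": host, "port": struct.unpack("!H", data[pos:pos + 2])[0]}

def classify_stream(client_bytes: bytes) -> Optional[dict]:
    """Flag a client->server stream as SOCKS5. When the no-auth method (0x00) is offered
    the request follows the greeting directly, so the destination can be recovered too."""
    greeting = parse_greeting(client_bytes)
    if greeting is None:
        return None
    verdict = {"proxy": "SOCKS5", "methods": greeting["methods"]}
    if 0x00 in greeting["methods"]:
        verdict.update(parse_request(client_bytes[greeting["consumed"]:]) or {})
    return verdict

# Constructed samples, not captured traffic (203.0.113.10 is in the TEST-NET-3 range).
SAMPLES = {
    "socks5_ipv4": b"\x05\x01\x00" + b"\x05\x01\x00\x01\xcb\x00\x71\x0a\x1f\x90",
    "socks5_domain": b"\x05\x02\x00\x02" + b"\x05\x01\x00\x03\x0bexample.com\x01\xbb",
    "http": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "socks4": b"\x04\x01\x00\x50\xcb\x00\x71\x0a" + b"user\x00",
}
if __name__ == "__main__":
    print({name: classify_stream(payload) for name, payload in SAMPLES.items()})
```

A flow that negotiates username/password authentication (method 0x02 only) is still flagged as SOCKS5, but its destination is not recovered because the request only follows the authentication sub-negotiation.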

Threat Actor: Unknown (Potentially a Script Kiddie or Low-Sophistication Cybercriminal)

Threat Objective:

Maintain persistent access to the compromised system, evade detection, and potentially exfiltrate data or conduct further malicious activities.

Deception Opportunity:

Deploy a decoy network segment that appears to be a valuable target. Configure this segment to allow proxy connections and mimic legitimate services. This could lure the attacker into using the decoy network for C2 communication, revealing their tools and techniques while protecting the real network infrastructure.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

While SOCKS5 proxies can be used for legitimate purposes, their presence in conjunction with other suspicious activities (like the DarkComet RAT infection) raises a red flag. Monitoring this traffic can help identify and disrupt C2 communication.

Link to Report: https://any.run/malware-trends/darkcomet

Additional Comments:

The use of connection proxies highlights the evolving tactics of threat actors to evade detection. Organizations need to implement proactive network monitoring and analysis capabilities to identify and respond to these threats effectively.