Cybercriminals are disguising the DarkComet remote access trojan as Bitcoin-related tools, posing risks to cryptocurrency users. The DarkComet RAT, a previously discontinued malware, has resurfaced with new tactics that allow it to gain control over affected systems.
DarkComet's Dangerous Capabilities
The DarkComet RAT facilitates keystroke logging, file theft, and remote access, leading to potential financial losses for cryptocurrency users. Despite being discontinued, the tool remains a potent threat due to its ability to perform extensive system surveillance.
This malware is distributed as a RAR archive, camouflaging itself as a legitimate Bitcoin wallet application. When executed, it activates DarkComet's functions and attempts to communicate with its command-and-control server.
Technical Breakdown of the Threat
- The malware copies itself to %AppData%\Roaming\MSDCSC\explorer.exe for persistence.
- It creates a registry key to execute at startup.
- The RAT connects to kvejo991.ddns.net over TCP port 1604, indicating active communications.
- The executable uses standard PE sections and injects payloads to perform hidden operations.
- It logs keystrokes and exfiltrates data via its command-and-control channel.
Protective Measures
Users should exercise caution by avoiding the download of cryptocurrency tools from dubious sources. It's crucial to keep security software updated to detect and prevent such malware.
