
DarkComet RAT Malware Hidden Inside Fake Bitcoin Tool

NetmanageIT OpenCTI - opencti.netmanageit.com




SUMMARY :

A malware analysis reveals the reemergence of DarkComet RAT disguised as a Bitcoin-related application. The malware, packed with UPX to evade detection, is distributed as a RAR archive containing an executable file. Once unpacked, it installs itself as 'explorer.exe' in the user's AppData folder and creates a registry run key for persistence. The RAT's configuration shows its command and control server as 'kvejo991.ddns.net' on port 1604. It employs keylogging, storing captured keystrokes in a 'dclogs' folder. The malware's process behavior includes spawning multiple cmd.exe and conhost.exe processes, and injecting its payload into notepad.exe for stealth. Despite its age, DarkComet remains a potent threat, especially when combined with cryptocurrency lures.

OPENCTI LABELS :

upx packing,bitcoin,persistence,c2 communication,darkcomet,rat,cryptocurrency,keylogging,darkcomet rat


AI COMMENTARY :

1. Introduction

The recent discovery of DarkComet RAT masquerading as a Bitcoin utility underscores the enduring risk posed by legacy malware families. While DarkComet first emerged over a decade ago, threat actors continue to leverage its robust remote access capabilities alongside modern social engineering lures centered on cryptocurrency. In this case, victims download a RAR archive labeled as a Bitcoin tool, unaware that it contains a malicious executable packed with UPX to bypass detection.

2. Malware Distribution and Execution

Upon extracting the RAR archive, the user encounters an executable that immediately begins its deceptive installation routine. The file employs UPX packing, a common technique that compresses and obfuscates the binary, slowing down signature-based detection systems. Once unpacked in memory, the executable replicates itself into the user's AppData folder under the name explorer.exe. By co-opting a legitimate Windows process name, it blends into the system environment and avoids raising red flags for casual observers.

3. Persistence Mechanisms

To ensure it survives system reboots and maintains continuous access, DarkComet adds a registry run key. This registry entry instructs Windows to automatically launch explorer.exe from the AppData directory each time the victim signs in. The persistent installation path and registry modification guarantee the malware's presence on the infected host, providing attackers with a long-term foothold without requiring repeated social engineering campaigns.

4. Command and Control Configuration

Analysis of the RAT's configuration reveals that it communicates with its command and control (C2) server at kvejo991.ddns.net on port 1604. The use of a dynamic DNS hostname allows adversaries to quickly change the underlying IP address, complicating network-based blocking efforts. The RAT's custom protocol enables secure transmission of commands, remote file transfers, and real-time monitoring of the compromised system.

5. Keylogging and Data Theft

An embedded keylogging module captures all keystrokes entered by the user and stores them in a folder named dclogs within the AppData directory. By aggregating sensitive information such as credentials, private keys, and personal correspondence, the RAT can funnel valuable data back to the operators. This keylogging capability not only aids in credential theft but also provides detailed insight into the victim's activities, enhancing the adversary's intelligence gathering.

6. Process Injection and Stealth Techniques

To further evade detection, DarkComet spawns multiple instances of cmd.exe and conhost.exe before injecting its payload into notepad.exe. This technique conceals malicious threads within seemingly benign processes, reducing the likelihood of triggering heuristic or behavior-based alarms. The use of trusted binaries for code injection exemplifies a fileless approach to persistent control, making manual and automated analysis more challenging.

7. Conclusion and Threat Outlook

Although DarkComet RAT has been publicly available for years, its combination with modern packing methods, cryptocurrency-themed social engineering, and advanced stealth techniques keeps it relevant. Security teams should remain vigilant for UPX-packed executables, monitor for unusual registry run keys, and inspect dynamic DNS traffic. Proactive threat hunting and layered defenses are essential to detect and disrupt this enduring RAT before it can compromise sensitive assets.
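The hunting advice above can be turned into concrete detection logic for the indicators this report names in sections 3 to 6 (a Run key launching explorer.exe from AppData, the dclogs folder, the C2 host kvejo991.ddns.net on port 1604, and a remote thread created in notepad.exe). The following is an added example, not part of the OpenCTI report or of any vendor tooling; it runs over constructed Sysmon-style event dictionaries whose field names (type, key, value, path, image, query, dest_port, target_image) are assumptions of this example.

```python
import re

C2_HOST = "kvejo991.ddns.net"  # C2 hostname from the report
C2_PORT = 1604                 # C2 port from the report

# Indicators from the report, expressed as case-insensitive patterns.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)          # any Run key value
APPDATA_EXPLORER = re.compile(r"\\AppData\\.*\\explorer\.exe", re.I)  # real explorer.exe lives in C:\Windows
DCLOGS = re.compile(r"\\dclogs\\", re.I)                         # keylog folder

# Constructed sample events (not real telemetry); field names are assumptions of this example.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UserInit",
     "value": r"C:\Users\alice\AppData\Roaming\explorer.exe"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Program Files\Vendor\updater.exe"},               # benign-looking entry
    {"type": "file_create", "path": r"C:\Users\alice\AppData\Roaming\dclogs\2024-01-01-1.dc"},
    {"type": "dns_query", "image": r"C:\Users\alice\AppData\Roaming\explorer.exe", "query": "KVEJO991.ddns.net"},
    {"type": "network_connect", "image": r"C:\Users\alice\AppData\Roaming\explorer.exe", "dest_port": 1604},
    {"type": "create_remote_thread", "source_image": r"C:\Users\alice\AppData\Roaming\explorer.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},
    {"type": "process_create", "image": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe"},
]

def triage(event):
    """Return the finding labels that one event matches (empty list if nothing matched)."""
    t = event["type"]
    findings = []
    if t == "registry_set" and RUN_KEY.search(event["key"]) and APPDATA_EXPLORER.search(event["value"]):
        findings.append("run_key_explorer_in_appdata")
    if t == "file_create" and DCLOGS.search(event["path"]):
        findings.append("dclogs_keylog_folder")
    if t == "dns_query" and event["query"].lower() == C2_HOST:
        findings.append("c2_dns_query")
    if t == "network_connect" and event["dest_port"] == C2_PORT and APPDATA_EXPLORER.search(event["image"]):
        findings.append("c2_port_from_appdata_explorer")
    if t == "create_remote_thread" and event["target_image"].lower().endswith("\\notepad.exe"):
        findings.append("remote_thread_into_notepad")
    return findings

def scan(events):
    """Count how many events matched each finding label across a batch of events."""
    counts = {}
    for event in events:
        for label in triage(event):
            counts[label] = counts.get(label, 0) + 1
    return counts

if __name__ == "__main__":
    for label, n in scan(SAMPLE_EVENTS).items():
        print(f"{label}: {n}")
```

The legitimate explorer.exe launched by userinit.exe from C:\Windows and the vendor Run key produce no findings, which is the distinction a hunt query on real Sysmon data has to preserve.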

