Saturday, May 17, 2014

Red Sky Weekly: Uptick in Dark Comet RAT?

Indicator aging is a a topic that comes up often in conversations with folks who're interested in knowing how we handle old indicators. And in most cases, I have stories of VPN drivers, and newcomers pinning on their first oh sh*t badge who get hit first with the old stuff. This week, we had a great example of why old indicators must be kept up to date with a story of an old RAT being used in a slightly different way... Dark Comet, labeled by Symantec as "backdoor. breut" had been credited by CNN for its use by the Syrian regime against those who opposed them.

This week, Dark Comet RAT appeared on our radar. And although available for years, Dark Comet remains popular among hackers. Recent activity observed by our lab indicates an uptick in the use of this tool and it’s not showing any signs of slowing down... and sporting a new twist --Mobile Command and Control (C2).

Geolocation of DarkComet RAT Mobile C2 nodes
In a new edition, analysts at Wapack Labs observed the use of what we are calling "Mobile C2s". A couple recent variants leveraged No-IP domains that showed historical resolutions to dozens of IPs. Upon closer inspection it was revealed that the majority of them were mobile service providers hosts. This would suggest that the attackers are running the C2 controller on a laptop with mobile broadband and a No-IP client. During our research we also discovered a number of DynDNS clients for mobile apps however to our knowledge there are no Dark Comet controllers compatible with mobile devices. Either way, this may be signaling a new trend.

While it may represent a convenient option for the attacker to have a mobile C2, it does offer some interesting data points for tracking. Using historical resolutions for one C2 we identified 26 separate mobile provider hosts with resolutions starting from late February to present. The majority of the hosts were geo-located within a two-mile radius in London, however on 11 April we see a hit for Stevenage, which is an hour north of the primary cluster.

Despite the relative anonymity of using Mobile infrastructure for C2 it does clearly allow for higher confidence tracking of actor movements and activity. Wapack Labs is keeping a close eye on these networks and the continued use of this TTP.


For me (written by Rick), the thing I learned this week is I learn something every week, not matter how challenging the week may have been, even if I felt like I've not accomplished much, if I'm not learning something, I'm static. 

The point I'm making is really simple, we're always busy doing the multitude of tasks we have to fit into an ...ahem...eight hour day but if you're not keeping your eyes on what's coming around the corner, you may walk smack dab into someone and break your nose.  We talk about the "wolves closest to sled", which is appropriate when your spend is limited you're often just worried about today, the hear-and-now, but what about the wolves that lurk in the darkness, the ones that are just beyond your vision waiting for their opportunity?

"White Fang" author, Jack London, once said, "The proper function of man is to live, not to exist."  The function of security in any organization should be not to get through the latest crisis, fending off the wolves on your sled, but also be on the hunt for the wolves you've yet to discover that are hunting you.  How do you do that?  Intelligence.


I'm keeping this one short. I completed a whirlwind trip to St. Louis and San Antonio about two in the morning, so I'd asked the team to author the blog before I got back. So until next week, I've got a wet hayfield to mow when the rain finally stops.

Need intelligence? Drop us a note.

So until next time,
Have a great week!