Backdoor.Win32.DarkKomet

Publication Date 09/29/2015
Class Backdoor
Platform Win32
Description

Malware in this family consists of DarkComet, a program designed for remotely controlling or administering a victim computer. The connection parameters (the address and port of the control server) are stored in encrypted form inside the program's executable file.

The program performs the following functions:

  • Obtaining information about the infected computer.
  • Controlling processes.
  • Interpreting commands sent remotely.
  • Obtaining a list of windows.
  • Providing remote desktop access.
  • Deleting programs.
  • Managing system services.
  • Modifying the system registry.
  • Running JavaScript / VBScript scripts sent remotely.
  • Modifying files via the built-in file manager.
  • Capturing video and audio from a webcam or microphone.
  • Saving keystrokes to a file (keystroke information is not encrypted and is stored in the folder %APPDATA%\dclogs in files with the name format YY-MM-DD.dc).
  • Acting as a SOCKS proxy server.
  • Redirecting IP addresses and ports.
  • Capturing clipboard contents.
  • Shutting off and restarting the operating system.
  • Downloading, sending, and running files.
  • Sending keystroke logs to a remote FTP server.
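The keystroke-log artifact described in the list above (unencrypted files named YY-MM-DD.dc under %APPDATA%\dclogs) is something an incident responder can hunt for directly. The following script is an added example, not code from Kaspersky Lab or from this page: it scans a profile directory for the dclogs folder, keeps only files whose names match the documented YY-MM-DD.dc format, and reports their dates and sizes so a responder can see how long the keylogger has been active. The function names, the constructed sample directory tree and the assumption that a two-digit year means 20YY are the example's own.

```python
import os
import re
import tempfile
from datetime import date

# Artifact described on the page: unencrypted keystroke logs stored in the
# dclogs folder under %APPDATA%, one file per day named YY-MM-DD.dc.
DCLOGS_SUBDIR = "dclogs"
KEYLOG_NAME_RE = re.compile(r"^(\d{2})-(\d{2})-(\d{2})\.dc$")


def keylog_date(filename):
    """Return the date encoded in a YY-MM-DD.dc file name, or None if the
    name does not match. Assumption: the two-digit year means 20YY."""
    m = KEYLOG_NAME_RE.match(filename)
    if not m:
        return None
    yy, mm, dd = (int(g) for g in m.groups())
    try:
        return date(2000 + yy, mm, dd)
    except ValueError:  # e.g. 15-13-40.dc: fits the pattern but is not a real date
        return None


def find_darkcomet_keylogs(appdata_dir):
    """Scan the dclogs folder below appdata_dir for DarkComet keystroke logs.

    Returns a sorted list of (date, full_path, size_in_bytes) tuples, one per
    file whose name matches YY-MM-DD.dc. Other files in the folder are ignored
    so that unrelated data does not produce false positives.
    """
    logs_dir = os.path.join(appdata_dir, DCLOGS_SUBDIR)
    if not os.path.isdir(logs_dir):
        return []
    hits = []
    for name in os.listdir(logs_dir):
        when = keylog_date(name)
        if when is None:
            continue
        full = os.path.join(logs_dir, name)
        if os.path.isfile(full):
            hits.append((when, full, os.path.getsize(full)))
    return sorted(hits)


def build_sample_profile():
    """Create a temporary, constructed AppData-like tree for demonstration.
    File contents are made-up placeholders, not real keylog data."""
    root = tempfile.mkdtemp(prefix="dc_demo_")
    logs_dir = os.path.join(root, DCLOGS_SUBDIR)
    os.makedirs(logs_dir)
    for name, body in (
        ("15-09-28.dc", "[constructed sample keylog text]"),
        ("15-09-29.dc", "[constructed sample keylog text, day two]"),
        ("readme.txt", "unrelated file, must be ignored"),
        ("15-13-40.dc", "matches the pattern but is not a valid date"),
    ):
        with open(os.path.join(logs_dir, name), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    # On a live Windows host, pass os.environ["APPDATA"] instead of the sample tree.
    profile = build_sample_profile()
    for when, path, size in find_darkcomet_keylogs(profile):
        print(f"{when.isoformat()}  {size:6d} bytes  {path}")
```

Because the logs are plain text and one file is written per day, the earliest matching date gives a lower bound on when the keylogger started running, which is useful when scoping an incident; the files themselves should be preserved as evidence before the host is cleaned.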

Geographical distribution of attacks by the Backdoor.Win32.DarkKomet family


Geographical distribution of attacks during the period from 24 July 2014 to 27 July 2015

Top 10 countries with most attacked users (% of total attacks)

Rank  Country               % of users attacked worldwide*
   1  Russia                21.95
   2  India                  5.43
   3  Germany                5.31
   4  Vietnam                4.53
   5  USA                    4.33
   6  Turkey                 3.96
   7  United Arab Emirates   2.91
   8  Ukraine                2.57
   9  France                 2.26
  10  Italy                  2.11

* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware