Malware in this family consists of DarkComet, a program designed for remotely controlling or administering a victim computer. The connection parameters are stored encrypted in the program's executable.
The program performs the following functions:
- Obtaining information about the infected computer.
- Controlling processes.
- Interpreting commands sent remotely.
- Obtaining a list of windows.
- Providing remote desktop access.
- Deleting programs.
- Managing system services.
- Modifying the system registry.
- Modifying files via the built-in file manager.
- Capturing video and audio from a webcam or microphone.
- Saving keystrokes to a file (keystroke information is not encrypted and is stored in the folder %APPDATA%\dclogs in files with the name format YY-MM-DD.dc).
- Acting as a SOCKS proxy server.
- Redirecting IP addresses and ports.
- Capturing clipboard contents.
- Shutting off and restarting the operating system.
- Downloading, sending, and running files.
- Sending keystroke logs to a remote FTP server.
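The unencrypted keystroke logs are the most directly checkable artifact in the list above: any file in %APPDATA%\dclogs whose name has the YY-MM-DD.dc shape is worth collecting. The following triage script is an added example (not code from this page, from Kaspersky, or from DarkComet itself) that walks that folder, keeps only names matching the stated format, and summarizes what it found. The regular expression is derived from the "YY-MM-DD.dc" description, the mapping of two-digit years to 20YY is an assumption, and the sample profile it builds for demonstration is constructed, not captured.

```python
import os
import re
import tempfile
from datetime import datetime

# File name pattern derived from the "YY-MM-DD.dc" format described above.
KEYLOG_NAME = re.compile(r"^(\d{2})-(\d{2})-(\d{2})\.dc$")


def parse_keylog_date(filename):
    """Return the date encoded in a YY-MM-DD.dc name, or None if the name
    does not match or is not a real calendar date.
    Two-digit years are assumed to mean 20YY (an assumption, not stated on the page)."""
    m = KEYLOG_NAME.match(filename)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.groups())
    try:
        return datetime(2000 + yy, mm, dd).date()
    except ValueError:  # e.g. "15-13-01.dc": matches the shape but month 13 does not exist
        return None


def find_darkcomet_keylogs(appdata_dir):
    """Scan <appdata_dir>/dclogs and return matching log files, oldest first.
    Each hit is a dict with the file name, full path, date and size in bytes."""
    log_dir = os.path.join(appdata_dir, "dclogs")
    if not os.path.isdir(log_dir):
        return []
    hits = []
    for name in os.listdir(log_dir):
        d = parse_keylog_date(name)
        if d is None:
            continue  # unrelated file, or a name that only looks similar
        path = os.path.join(log_dir, name)
        hits.append({"name": name, "path": path, "date": d, "bytes": os.path.getsize(path)})
    hits.sort(key=lambda h: h["date"])
    return hits


def triage_report(appdata_dir):
    """Summarize findings for an incident note: count, first and last capture
    date, and total bytes of captured keystrokes."""
    hits = find_darkcomet_keylogs(appdata_dir)
    if not hits:
        return {"found": 0}
    return {
        "found": len(hits),
        "first": hits[0]["date"].isoformat(),
        "last": hits[-1]["date"].isoformat(),
        "bytes": sum(h["bytes"] for h in hits),
    }


def make_sample_profile():
    """Build a constructed profile directory (NOT real capture data) so the
    scan can be demonstrated offline. Returns the fake %APPDATA% path."""
    root = tempfile.mkdtemp(prefix="fake_appdata_")
    log_dir = os.path.join(root, "dclogs")
    os.makedirs(log_dir)
    samples = [
        ("15-07-27.dc", "xy"),     # matches, later date
        ("15-07-24.dc", "abc"),    # matches, earlier date
        ("notes.txt", "n"),        # unrelated file, ignored
        ("15-13-01.dc", "bad"),    # right shape, impossible month, ignored
    ]
    for name, body in samples:
        with open(os.path.join(log_dir, name), "w") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    # On a live Windows host, point this at the real profile instead:
    # triage_report(os.environ["APPDATA"])
    print(triage_report(make_sample_profile()))
```

The report is deliberately limited to metadata (dates and sizes); the log contents themselves should be copied off as evidence rather than printed, since they hold whatever the victim typed.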
Geographical distribution of attacks by the Backdoor.Win32.DarkKomet family
Geographical distribution of attacks during the period from 24 July 2014 to 27 July 2015
Top 10 countries with most attacked users (% of total attacks)
Country | % of users attacked worldwide*
United Arab Emirates | (percentage not preserved in this extract; remaining rows missing)
* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware