Slide 2
# whoami
Kevin Breen (@kevthehermit)
GCIA, GREM, GCFE, Security+
Independent researcher, part-time blogger
Slide 3
What my friends think I do
Slide 4
What work thinks I do
Slide 5
What I really do
Slide 6
Disclaimers
Disclaimer one: all views expressed here are mine and are not the views or opinions of my employer.
Disclaimer two: I am not a lawyer.
Disclaimer three: any use of the tools and techniques described here is at your own discretion, and I am not responsible for your actions.
Final disclaimer: the case study data you will see was all generated in my lab, not taken from a live engagement.
Slide 7
Agenda
- What is DarkComet?
- Who uses DarkComet?
- Defence: the usual stuff
- Offensive: discovery
- Offensive: traffic load testing (AKA DoS)
- Offensive: remote file read
- Case study
Slide 8
The What & The Who: Attribution
Slide 9
What is DarkComet?
- A Remote Access Trojan (RAT)
- Free and publicly available since 2008
- Feature rich: file access, keylogger, download and execute, webcam, audio capture, and "Fun" prank functions
- Used against opposition activists during the Syrian conflict (2012)
- No longer developed or updated (the author ended the project in 2012), but the builds remain in circulation
Slide 10
Slides 10-17
Who uses DarkComet? (built up over the slides)
- Script kiddies
- E-crime (phishing campaigns, including the #JeSuisCharlie lure)
- Governments
References:
https://heimdalsecurity.com/blog/darkcomet-rat-phishing-campaigns/
http://www.ibtimes.co.uk/criminals-use-jesuischarlie-slogan-spread-darkcomet-malware-1483553
Slide 27
Traffic Load Testing (AKA DoS)
- All an implant needs to check in is the controller host, port and password
- The connection is reverse: the infected host connects out to the controller
- The infected host sends data and the controller trusts it
- So anything that can complete the check-in can pose as an implant and flood the panel
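The trust problem from slide 27, as an added Python example (this is not the talk's dc_trafficgenerator.py and not dc-toolkit code). It assumes, beyond what the slide states, that the transport is RC4 over hex-encoded text keyed on a fixed version prefix plus the panel password (the prefix used is the widely published 5.x default and is an assumption here), and that the controller prompts with IDTYPE then GetSIN and accepts SERVER then infoesSIN. ToyController, the infoesSIN field layout, the host details and the bot names are all constructed for the example.

```python
"""Client side of a DarkComet-style reverse connection, as a demo of why the
controller can be flooded: it trusts any peer that answers under its password.

Assumptions (not from the slide): RC4 over hex-encoded text, keyed on a fixed
version prefix plus the configured password; the controller prompts IDTYPE
then GetSIN and accepts SERVER then infoesSIN. ToyController, the infoesSIN
field layout and the bot names are constructed for this example.
"""
import binascii
from typing import Callable, Dict, Optional

# Assumed DarkComet 5.x key prefix; the session key is prefix + panel password.
VERSION_PREFIX = "#KCMDDC51#-890"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def session_key(password: str, prefix: str = VERSION_PREFIX) -> bytes:
    return (prefix + password).encode("latin-1")


def encode(msg: str, key: bytes) -> bytes:
    """Encrypt and hex-encode one line the way it would go on the wire."""
    return binascii.hexlify(rc4(key, msg.encode("latin-1"))).upper()


def decode(wire: bytes, key: bytes) -> str:
    return rc4(key, binascii.unhexlify(wire)).decode("latin-1")


def client_reply(wire: bytes, key: bytes, bot_id: str) -> Optional[bytes]:
    """Answer a controller prompt as an implant would. Nothing here proves the
    client is a real victim; the password alone is the credential."""
    cmd = decode(wire, key)
    if cmd == "IDTYPE":
        return encode("SERVER", key)
    if cmd.startswith("GetSIN"):
        # Constructed field layout; a real infoesSIN line carries host details.
        fields = ["10.0.0.5", bot_id, "LAB-PC", "Windows 7"]
        return encode("infoesSIN" + "|".join(fields), key)
    return None  # unknown prompt, or we hold the wrong password


class ToyController:
    """Stand-in for the operator panel: accepts whoever completes the handshake."""

    def __init__(self, password: str) -> None:
        self.key = session_key(password)
        self.bots: Dict[int, str] = {}

    def handshake(self, client: Callable[[bytes], Optional[bytes]]) -> bool:
        reply = client(encode("IDTYPE", self.key))
        if reply is None or decode(reply, self.key) != "SERVER":
            return False
        reply = client(encode("GetSIN10.0.0.1|1234", self.key))
        if reply is None:
            return False
        info = decode(reply, self.key)
        if not info.startswith("infoesSIN"):
            return False
        self.bots[len(self.bots)] = info  # registered with no further checks
        return True


def flood(controller: ToyController, password: str, count: int) -> int:
    """Connect `count` fake implants; returns how many the panel accepted."""
    key = session_key(password)
    accepted = 0
    for n in range(count):
        fake = lambda wire, n=n: client_reply(wire, key, bot_id=f"fake-{n:04d}")
        if controller.handshake(fake):
            accepted += 1
    return accepted


if __name__ == "__main__":
    panel = ToyController("lab-password")
    print("accepted with the right password:", flood(panel, "lab-password", 100))
    print("accepted with a wrong password:", flood(panel, "guess", 100))
```

The point the toy panel makes is the one on the slide: the only gate is the password, so once it is known (or the build's default is in use) every check-in is accepted and the operator's list fills with whatever the caller claims to be.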
Slide 28
Demo (demo gods be kind): dc_trafficgenerator.py
Slide 29
Remote File Read: The Fun Stuff
Slide 30
Remote File Read: credits
2012, Shawn Denbow (@sdenbow_) and Jesse Hertz (@hectohertz), Matasano:
http://matasano.com/research/PEST-CONTROL.pdf
What did they find?
- A connected implant can request any file from the DC controller
- The read happens in the context of the current user, i.e. the account running the controller, so anything that account can read is available
- The path can be a full path or relative to the DC folder
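The flaw in slide 30 and the check that would have prevented it, as an added illustration in Python (the controller is a Delphi program; this is not its code). open_requested reproduces the behaviour the slide describes, honouring any full or relative path, and resolve_in_folder is the containment a file-serving endpoint should do instead. DC_FOLDER and the request strings are constructed for the example.

```python
"""Illustration of the file-read flaw and its fix. Added example, not the
controller's own code; DC_FOLDER and the request strings are constructed."""
import ntpath
import os
import posixpath
from typing import Optional

DC_FOLDER = "/tmp/dc_controller"  # constructed stand-in for the DarkComet install folder


def open_requested(dc_folder: str, requested: str) -> str:
    """Mirrors the flaw: a full path wins over the base folder and '..' is honoured."""
    rel = requested.replace("\\", "/")
    # os.path.join discards dc_folder entirely when `rel` is absolute.
    return os.path.normpath(os.path.join(dc_folder, rel))


def resolve_in_folder(dc_folder: str, requested: str) -> Optional[str]:
    """Hardened form: return a path only if it stays inside dc_folder, else None."""
    rel = requested.replace("\\", "/")
    # Reject anything rooted outside the folder: leading slash of either
    # flavour, a drive letter (C:...) or a UNC prefix (\\server\share).
    if posixpath.isabs(rel) or ntpath.splitdrive(requested)[0]:
        return None
    base = os.path.realpath(dc_folder)
    candidate = os.path.realpath(os.path.join(base, rel))
    # realpath collapses '..' and symlinks; anything that escaped base is refused.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_contained(dc_folder: str, requested: str) -> bool:
    return resolve_in_folder(dc_folder, requested) is not None


if __name__ == "__main__":
    for req in ["plugins\\sniffer.dll", "..\\..\\etc\\passwd", "C:\\Windows\\win.ini"]:
        print(f"{req!r}: vulnerable -> {open_requested(DC_FOLDER, req)}, "
              f"hardened -> {resolve_in_folder(DC_FOLDER, req)}")
```

The containment check is done on the resolved path rather than on the request string, so a traversal hidden behind a symlink or a mixed-separator path is caught as well as a plain `..`.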
Slide 31
Remote File Read: demo, Windows
Slide 32
Remote File Read: demo, Kali
Slides 33-40
Remote File Read (screenshot slides; slide 36: Remote Remotes)
Slide 41
Remote File Read: files worth asking for
VNC logs
- Windows: C:\users\%USERNAME%\Appdata\Local\RealVNC\vncserver.log
- Linux: /var/log/vncserver-x11.log, ~/.vnc/vncserver-x11.log, /var/log/vncserver-virtuald.log
Windows Event Logs
(Reads run as the account behind the controller, so only files that account can read come back.)
Slide 42
Remote File Read: many more file paths, use your imagination
Slide 43
Questions?
Slide 44
Thanks for Listening
All tools: https://github.com/kevthehermit/dc-toolkit
My blog: https://techanarchy.net
My slides: my blog and BSides
@kevthehermit
mailto: [email protected]