U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Cyber Crime

Criminals exploited “Je suis Charlie” to spread Darkcomet malware

Security experts at Blue Coat have discovered that criminal criminals exploited the hashtag #JeSuisCharlie in order to spread the popular DarkComet RAT. Every time there is a clamorous event cyber criminals try to take advantage of the people’s interest to run illegal activities, it is happened recently with the incident to the Air Asia Flight and is […]

Criminals exploited “Je suis Charlie” to spread Darkcomet malware

Security experts at Blue Coat have discovered that criminal criminals exploited the hashtag #JeSuisCharlie in order to spread the popular DarkComet RAT.

Every time there is a clamorous event cyber criminals try to take advantage of the people’s interest to run illegal activities, it is happened recently with the incident to the Air Asia Flight and is happening with the terroristic attack on the Charlie Hebdo.

You have to consider that not only ordinary people search for this kind of info, also journalists and cyber experts like me constantly monitor social media and the web to search information that could be useful for investigation of specific cases and to track profile of the attackers.

Security experts at Blue Coat have discovered that criminal criminals exploited the hashtag #JeSuisCharlie in order to spread malicious links that was distributing the popular DarkComet RAT. RAT malware like DarkComet are used by criminals and some government entities to take control of the victims’ machine.

DarkComet was created by the French hacker Jean-Pierre Lesueur, also known as DarkcoderSc, which stopped development of the RAT in 2012 because he discovered that the Syrian Government was used it to persecute dissident.

“The malware in question is the infamous DarkComet RAT (aka Fynloski), a freely available remote administration tool which also can double as a powerful backdoor trojan.”states Blue Coat in a Blog post. “The variant used in the present attack is obfuscated to make it less noticed by AV scanners. The DarkComet Delphi code is enveloped in a .NET wrapper, making the telltale signs of DarkComet hard to spot. Indeed, the AV detection rate of this executable is at the time of writing poor – only 2/53 scanners had detection on the VirusTotal online scanner service.” 

blog darkcomet

The criminals exploited the popular social media Twitter to share the malicious, the hashtag became was one of the top of the Internet in the wake of the 7 January attack on the Charlie Hebdo magazine in Paris.

Social Media experts estimated that it has been tweeted million times to date, an excellent opportunity for threat actors to spread malware, including the popular DarkComet RAT.

The variant discovered by the researchers at Blue Coat drops a copy of itself with the name svchost.exe and displays the image of a new-born baby with a band carrying the name “Je suis Charlie”.

Darkcomet Je suis Charlie

Malware authors tried to obfuscate the malicious code to evade detection mechanisms, Blue Coat reports that the sample it has analyzed are detected only by two of 53 AV used by the VirusTotalonline scanner service.

At the moment, the researchers have identified a unique Command and Control server host is a subdomain under the no-ip dynamic DNS domain, the legitimate dynamic DNS service that is often used by malware authors.

“The actual domain address is: snakes63.no-ip[.]org 

This address currently resolves to an IP address located with the French service provider Orange. The French IP address and the error message in French reinforces the impression that this malware was targeted at French users, though we have no indication as to who the attackers are or what they are after. We have anyhow informed the French authorities about this malware.” state Blue Coat

Unfortunately, there is no indication of the extent of the malicious #JeSuisCharlie campaign based on DarkComet agent.

It is likely that criminals will continue to exploit social media and phishing campaign to spread DarkComet and many other malware variants, be careful in your online experience adopting the best practices that every time I suggest you.

 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – #JeSuisCharlie, DarkComet)

[adrotate banner=”5″]

[adrotate banner=”13″]