How to Detect, Contain, and Eradicate the DarkKomet RAT: A Full Incident Response Walkthrough

This article provides a step‑by‑step technical analysis of the DarkKomet remote‑access trojan, covering its capabilities, infection vectors, detection methods using TTP‑driven EDR, containment actions, eradication procedures, root‑cause forensics, and post‑incident recovery measures.

Huolala Safety Emergency Response Center

Preparation Phase

Basic Information

DarkComet (also known as DarkKomet) is a remote‑access trojan (RAT) created by Jean‑Pierre Lesueur (DarkCoderSc) that began spreading in early 2012. It can capture webcam images, record microphone audio, and gain full control of infected machines.

The RAT is also known for its keylogging and file‑transfer capabilities, which let attackers upload arbitrary files and steal administrator credentials, system information (language, country, OS details, memory usage), webcam data, and documents. It disables Task Manager, Registry Editor, and folder options, and modifies registry keys to turn off Windows Firewall so that the malicious process can run undetected. Alias names include Fynloski, Krademok, DarkKomet, etc.

Key Functions

DarkKomet provides remote control, user‑behavior monitoring, a SYSTEM‑level backdoor, information theft, and the ability to download additional malware.

Propagation Method

The malware masquerades as the Synaptics Pointing Device Driver. After activation it scans the entire disk for .exe and .xlsx files, injects its shellcode into their icon resources, and overwrites the original files, which gives it persistence and a “resurrection” capability: any surviving infected file can reinfect the host after cleanup. Lateral spread occurs via USB insertion, shared .xlsx files, and bundling with other remote‑control tools.

Detection Phase

Huolala's response system uses a hybrid detection engine driven by TTPs, outlier data, antivirus events, and threat‑intel feeds. The EDR agent collects complete startup‑item data from endpoints and combines it with threat‑intel APIs to run baseline scans at minute granularity. High‑severity alerts are pushed via webhook to instant messaging for real‑time handling, and related alerts are aggregated into a single incident.

Detection workflow:

The EDR agent gathers startup entries and compares them against known IOC/TTP patterns.

A webhook pushes alerts to security operators, who drill down into the incident.

IOC/TTP signatures are added to EDR for real‑time blocking, completing a detection‑to‑prevention loop.
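As an added illustration of the startup‑entry baseline comparison described above (example code, not Huolala's EDR), the following Python diffs two constructed Run‑key snapshots, scores each new entry against the unsigned Synaptics.exe‑under‑ProgramData TTP from this write‑up, and folds a host's alerts into one incident record; the hostnames, registry paths and the agent‑reported `signed` verdict are assumptions.

```python
from dataclasses import dataclass

# TTP from the write-up: an unsigned Synaptics.exe auto-started from a Run key
# under C:\ProgramData. Hostnames and entries further down are constructed samples.
SUSPECT_PATH = r"c:\programdata\synaptics\synaptics.exe"
RUN_KEY_MARKER = r"\currentversion\run"

@dataclass(frozen=True)
class StartupEntry:
    host: str
    key: str      # registry key that holds the value
    name: str     # value name
    image: str    # image path recorded by the agent
    signed: bool  # Authenticode verdict reported by the agent (assumed field)

def new_entries(baseline, current):
    """Entries in the current snapshot that were absent from the baseline."""
    seen = {(e.host, e.key.lower(), e.name, e.image.lower()) for e in baseline}
    return [e for e in current
            if (e.host, e.key.lower(), e.name, e.image.lower()) not in seen]

def classify(entry):
    """Severity of one entry against the page's persistence TTP."""
    image = entry.image.lower().strip('"')
    if image == SUSPECT_PATH:
        return "high"    # exact DarkKomet/Synaptics persistence path
    if RUN_KEY_MARKER in entry.key.lower() and not entry.signed and "\\programdata\\" in image:
        return "medium"  # unsigned binary auto-starting from ProgramData
    return "info"

def triage(baseline, current):
    """Fold every non-info alert for a host into a single incident record."""
    incidents = {}
    for e in new_entries(baseline, current):
        sev = classify(e)
        if sev == "info":
            continue
        inc = incidents.setdefault(e.host, {"severity": "medium", "alerts": []})
        inc["alerts"].append((sev, f"{e.key}\\{e.name} -> {e.image}"))
        if sev == "high":
            inc["severity"] = "high"
    return incidents

RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = [StartupEntry("ws-042", RUN, "OneDrive", r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe", True)]
CURRENT_SNAPSHOT = BASELINE + [
    StartupEntry("ws-042", RUN, "Synaptics Pointing Device Driver", r"C:\ProgramData\Synaptics\Synaptics.exe", False),
    StartupEntry("ws-077", RUN, "Updater", r"C:\ProgramData\Vendor\upd.exe", False),
    StartupEntry("ws-077", RUN, "Teams", r"C:\Program Files\Teams\Teams.exe", True),
]
```

Running `triage(BASELINE, CURRENT_SNAPSHOT)` yields one high incident for ws‑042 and one medium incident for ws‑077; the signed Teams entry produces no alert.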

Containment Phase

Containment actions included:

Blocking the C2 domain and IP to cut off communication.

Remote forensic tracing to capture TTP details.

Eradication Phase

Removing Persistence

The malware uses a Run‑key entry for auto‑start. Deleting the malicious Run‑key value removes the persistence mechanism.

Killing Malicious Processes

Two processes named Synaptics.exe were terminated.

Deleting Malicious Files

Investigation of the DarkKomet directory revealed only a WS folder containing hidden files. After disabling “Hide protected operating system files” and enabling “Show hidden files”, the hidden Synaptics.exe became visible and could be deleted. Deletion required SYSTEM privileges, so the file’s owner and ACL were changed to the administrator account before removal.

Root‑Cause Tracing

Forensic analysis of a log entry from 2022‑05‑17 16:29:30 showed a suspicious file path on drive F. The user’s machine had only C, D, and E drives, so drive F was most likely a removable USB drive. The USB drive was probably inserted during a printer installation, delivering the virus, which then copied itself to C:\ProgramData\Synaptics\Synaptics.exe and added a Run‑key entry.

Further MFT‑time analysis identified all files created/modified between 16:29:30 and 16:29:40 on 2022‑05‑17, confirming additional infected files.
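The MFT window analysis above, as an added example that is not part of the original write‑up: it filters a constructed MFT timeline export to files created or modified between 16:29:30 and 16:29:40 on 2022‑05‑17 and separately lists paths on drive letters the host does not have; the CSV column layout and the sample rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Window taken from the write-up; drive letters the host actually has
INFECTION_START = datetime(2022, 5, 17, 16, 29, 30)
WINDOW = timedelta(seconds=10)       # 16:29:30 .. 16:29:40
KNOWN_DRIVES = {"C", "D", "E"}

# Constructed timeline rows shaped like a simplified MFT export (assumed layout)
SAMPLE_MFT = r"""path,created,modified
C:\ProgramData\Synaptics\Synaptics.exe,2022-05-17 16:29:31,2022-05-17 16:29:31
C:\Users\u\Documents\budget.xlsx,2021-03-02 09:12:00,2022-05-17 16:29:36
C:\Windows\System32\notepad.exe,2019-12-07 09:14:52,2019-12-07 09:14:52
F:\PrinterDriver\setup.exe,2022-05-17 16:29:30,2022-05-17 16:29:30
C:\Users\u\Documents\notes.txt,2022-05-17 16:30:05,2022-05-17 16:30:05
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def in_window(ts, start=INFECTION_START, width=WINDOW):
    """True when ts falls inside the infection window (inclusive)."""
    return start <= ts <= start + width

def files_touched_in_window(csv_text):
    """Paths created or modified inside the window, ordered by first in-window timestamp."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        c, m = parse_ts(row["created"]), parse_ts(row["modified"])
        stamps = [t for t in (c, m) if in_window(t)]
        if stamps:
            hits.append((min(stamps), row["path"]))
    return [path for _, path in sorted(hits)]

def foreign_drive_paths(csv_text, known=KNOWN_DRIVES):
    """Paths on drive letters the host does not have: a removable-media indicator."""
    return [row["path"] for row in csv.DictReader(io.StringIO(csv_text))
            if row["path"][:1].upper() not in known]
```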

Recovery Phase

Clean infected "_cache_" files.

Integrate IOC/TTP signatures into EDR and antivirus, then verify that attacks are blocked in real time.

Force affected users to change passwords.

Summary Phase

IOC

DNS: xred.mooo.com

IP: 69.42.215.252

TTP

Historical Incidents

Multiple cases were observed where a third‑party printer installation introduced a USB drive containing the DarkKomet/Synaptics virus, leading to infection of dozens of processes and files on the C drive. Other infection vectors included:

Downloading a trojanized remote‑desktop tool (todesk) that was actually a new Synaptics variant.

Downloading cracked CAD software bundled with the latest Synaptics malware.

The current wave of Synaptics incidents primarily spreads via USB drives and software bundling. The hallmark is an unsigned process C:\ProgramData\Synaptics\Synaptics.exe persisting through a Run‑key entry.

To mitigate future threats, organizations should enforce strict signature validation for frequently installed software such as browsers, IM clients, DevOps tools, and remote‑control utilities, and conduct threat hunting on anomalous data. Combining external and internal threat intelligence into a filtering net, snapshotting startup entries, and regularly cleaning unknown or high‑risk persistence entries will raise attacker costs and improve detection and blocking of unknown attacks.

Written by

Huolala Safety Emergency Response Center

Official public account of the Huolala Safety Emergency Response Center (LLSRC)