
Trojan.DarktrackRAT

By CagedTech in Trojans

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 216
First Seen: August 31, 2016
Last Seen: September 23, 2022
OS(es) Affected: Windows

Trojan.DarktrackRAT is a detection name that many cybersecurity companies use for an advanced Remote Access Trojan that may invade computers via corrupted free applications, pirated shareware and cracked games. Many samples of Trojan.DarktrackRAT show the name 'Darktrack Client v4.1 Alien' in their file description properties. The DarktrackRAT malware is believed to have existed on the Dark Web since the end of 2016, and its developers have provided limited free versions of the program there. The main features of DarktrackRAT encompass the following:

  • Connections Manager — shows a brief preview of the active and inactive connections to infected machines.
  • Desktop Viewer — allows a threat actor to look at the victim's desktop, create files, delete and move files to existing directories.
  • OnConnect Command Editor — allows the threat actors to specify what commands the Trojan should run on first launch and what information should be reported back to the 'Command and Control' servers.
  • Maps Viewer — the tool is configured to display the location of infected machines using a custom map configuration in the legitimate Google Maps service online.
  • Auto Updater — a tool for pushing updated libraries to active infected hosts. The Auto Updater tool can drop update packages to remote computers and set up a delayed update from a file on the local disk or set up an update to be pulled from an infected site.
  • Network Stress Tester — a suite of tools that enables UDP and HTTP flooding, used to degrade the network connectivity of targeted computers.

The DarktrackRAT program supports the standard functionality you can expect from legitimate remote desktop utilities like TeamViewer and LogMeIn. Infected computers can be controlled remotely without alerting the active users. DarktrackRAT allows threat actors to create, move and edit saved files; alter Registry entries; remove, install and run programs; search for files; capture screenshots; and track and record the content of the clipboard. Also, Trojan.DarktrackRAT can identify networked computers and extract files from shared folders. The surveillance features supported by DarktrackRAT include:

  • File Transfer Viewer for Skype — allows threat actors to copy files sent via Microsoft's Skype IM client.
  • Skype Contacts Viewer — allows threat actors to view the user's contacts.
  • Skype IM Log Viewer — threat actors can preview sent and received messages in the messaging client.
  • Audio/Video Recorder — the module records audio from the installed microphone to WAV format and can record video to an AVI container.
  • Webcam Streaming — threat actors can receive output in real time from installed cameras on infected devices.
  • Keylogging — a keylogger tool is loaded in the background and records the user's keyboard input.
  • Password Recovery Tool — the module allows DarktrackRAT to pull saved login information in Mozilla Firefox, Google Chrome, Chromium-based browsers, Microsoft Outlook and FileZilla.

Infected hosts are known to interact with the 'Command and Control' servers via port 1603 and connect to the 76.107.206.114 IP address. Compromised users may notice irregular movements of the mouse cursor, opening and closing of the DVD/CD tray, suspicious system sounds and increased CPU usage while the system appears to be idle. The DarktrackRAT clients may run on infected machines as 'server.exe' and 'unigen.exe'. It is recommended to remove DarktrackRAT using a reputable anti-malware service. The following detection names are employed by AV vendors for DarktrackRAT:

Artemis!23086989405E
Backdoor.Fynloski.S14021
Dropper.Agent.Win32.273977
TR/Spy.Gen
TrojWare.Win32.Trojan.Generic.36979330
Trojan ( 004f5ef11 )
Trojan.Generic.8157780
Trojan/Refroso.fne
Trojan:Win32/VB.AAW
W32/Generic.AP.1932E6!tr
Win32/TrojanDropper.Agent.POB
Win32:BackDoor-ACX [Trj]
malicious_confidence_100% (W


File System Details

Trojan.DarktrackRAT may create the following file(s):

#   File Name    MD5                               Detections
1.  MScWord.exe  428855902fe48c17f8b40b2e539a0374  0
2.  file.exe     57ba148785fdfad0802c807452313884  0
3.  file.exe     9421293f0a45611fa45a23e25c876b9b  0

Registry Details

Trojan.DarktrackRAT may create the following registry entry or registry entries:

Regexp file mask:
%APPDATA%\DtServ32w{0,1}.exe

Registry entry:
Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe
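The network, file and registry indicators above can be turned into a simple host triage check. The following Python script is an added example, not code from the page or from any vendor; it matches records from a host snapshot against the indicators listed on this page (the C2 address and port, the process names, the three MD5s, the %APPDATA% file mask and the Run-key entry). The snapshot data is constructed for illustration, and the script assumes that %APPDATA% resolves to the user's AppData\Roaming folder, which is the Windows default. 'file.exe' is too generic to match on name alone, so it is covered only through its hashes.

```python
import re

# Indicators copied from the page for Trojan.DarktrackRAT.
KNOWN_MD5 = {
    "428855902fe48c17f8b40b2e539a0374",
    "57ba148785fdfad0802c807452313884",
    "9421293f0a45611fa45a23e25c876b9b",
}
# 'file.exe' is also on the page but is too generic to match on name alone,
# so it is covered only through its MD5s above.
KNOWN_NAMES = {"server.exe", "unigen.exe", "mscword.exe"}
C2_IP = "76.107.206.114"
C2_PORT = 1603
RUN_VALUE = r"software\microsoft\windows\currentversion\run\dtserv32sm.exe"
# The page's file mask, %APPDATA%\DtServ32w{0,1}.exe, as a Python regex.
APPDATA_MASK = re.compile(r"^%APPDATA%\\DtServ32w?\.exe$", re.IGNORECASE)
# Assumption: %APPDATA% resolves to <profile>\AppData\Roaming (the Windows default).
_ROAMING = re.compile(r"^.*\\AppData\\Roaming\\", re.IGNORECASE)


def normalize_appdata(path: str) -> str:
    """Rewrite an on-disk path under AppData\\Roaming to the %APPDATA% form used by the mask."""
    path = path.replace("/", "\\")
    return _ROAMING.sub(r"%APPDATA%\\", path, count=1)


def check_file(path: str, md5_hex: str) -> list[str]:
    """Return the indicator tags a file record matches; an empty list means no match."""
    hits = []
    norm = normalize_appdata(path)
    name = norm.rsplit("\\", 1)[-1].lower()
    if md5_hex.lower() in KNOWN_MD5:
        hits.append("md5")
    if name in KNOWN_NAMES:
        hits.append("name")
    if APPDATA_MASK.match(norm):
        hits.append("appdata_mask")
    return hits


def check_run_value(value_path: str) -> bool:
    """True if a Run-key value path (any hive prefix) ends with the page's persistence entry."""
    normalized = value_path.replace("/", "\\").lower()
    return normalized.endswith(RUN_VALUE)


def check_connection(remote_ip: str, remote_port: int) -> list[str]:
    """Tag a connection: the C2 IP is a strong indicator, port 1603 alone is only a weak one."""
    hits = []
    if remote_ip == C2_IP:
        hits.append("c2_ip")
    if remote_port == C2_PORT:
        hits.append("c2_port")
    return hits


def scan(snapshot: dict) -> list[tuple[str, str, list[str]]]:
    """Run all checks over a host snapshot and return (kind, item, tags) for every match."""
    findings = []
    for path, md5_hex in snapshot.get("files", []):
        tags = check_file(path, md5_hex)
        if tags:
            findings.append(("file", path, tags))
    for value_path in snapshot.get("run_values", []):
        if check_run_value(value_path):
            findings.append(("registry", value_path, ["run_persistence"]))
    for ip, port in snapshot.get("connections", []):
        tags = check_connection(ip, port)
        if tags:
            findings.append(("network", f"{ip}:{port}", tags))
    return findings


# Constructed sample snapshot (not real telemetry); the all-zero MD5 is a placeholder.
SAMPLE_SNAPSHOT = {
    "files": [
        (r"C:\Users\alice\AppData\Roaming\DtServ32w.exe", "0" * 32),
        (r"C:\Users\alice\Downloads\setup\file.exe", "57BA148785FDFAD0802C807452313884"),
        (r"C:\Windows\System32\notepad.exe", "0" * 32),
    ],
    "run_values": [
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DtServ32sm.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
    ],
    "connections": [
        ("76.107.206.114", 1603),
        ("10.0.0.5", 443),
    ],
}

if __name__ == "__main__":
    for kind, item, tags in scan(SAMPLE_SNAPSHOT):
        print(f"{kind:8} {item}  ->  {', '.join(tags)}")
```

Hash and IP matches are the high-confidence signals; a port 1603 hit or a bare name match should be treated as a lead to investigate rather than a verdict, since neither is unique to this family. Feed the functions with real snapshot data (file listings with hashes, Run-key values, active connections) collected by your own tooling.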
