2018-11-05 DarkComet Malspam

Here is a quick writeup of some DarkComet RAT malspam that I was able to find this morning. The infection method is leveraging the standard RTF buffer overflow technique (CVE-2017-11882). For more information about what DarkComet is, please see the following link: http://www.contextis.com/en/blog/malware-analysis-dark-comet-rat

All artifacts can be found over at my Github repo located here. I also have the memory dump post-infection saved here since it is too large for GitHub. Plus it gives me (and others) the ability to play with some memory forensics via Volatility. 😎

IOCs:
======
209.90.88.141 / thinker101.5gbfree.com
23.227.201.154:1604

Artifacts:
===========
File name: TYN NEW…
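As an added example (not part of the original post or its GitHub repo), the script below turns the IOC list above into detection logic: it matches the payload host, the C2 address and the exact C2 socket against DNS and connection log lines. The key=value log format and the sample lines are constructed for the demonstration; only the indicator values come from the post. An exact ip:port hit on the C2 socket is rated high confidence, while a hit on the bare IP alone is rated medium, since the same address may serve unrelated traffic.

```python
"""Match the post's DarkComet IOCs against host/network log lines.

Added example, not code from the original post. The key=value log format
and the sample lines below are constructed for this demonstration; only
the indicator values come from the post's IOC section.
"""
import re
from typing import Dict, List, Optional, Tuple

# Indicator values from the post's IOC section.
IOC_DOMAINS = {"thinker101.5gbfree.com"}        # payload host (resolves to 209.90.88.141)
IOC_IPS = {"209.90.88.141", "23.227.201.154"}   # payload host and C2 address
IOC_SOCKETS = {("23.227.201.154", 1604)}        # DarkComet C2 ip:port

# Constructed sample log lines (not from the post).
SAMPLE_DNS_LOG = [
    "2018-11-05T09:12:01Z client=10.0.0.15 query=www.example.com type=A",
    "2018-11-05T09:12:04Z client=10.0.0.15 query=thinker101.5gbfree.com type=A",
]
SAMPLE_CONN_LOG = [
    "2018-11-05T09:12:05Z src=10.0.0.15:51234 dst=209.90.88.141:80 proto=tcp",
    "2018-11-05T09:12:09Z src=10.0.0.15:51240 dst=23.227.201.154:1604 proto=tcp",
    "2018-11-05T09:12:10Z src=10.0.0.22:51241 dst=23.227.201.154:443 proto=tcp",
    "2018-11-05T09:13:00Z src=10.0.0.15:51250 dst=93.184.216.34:443 proto=tcp",
]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_fields(line: str) -> Dict[str, str]:
    """Split a constructed key=value log line into a dict of its fields."""
    return dict(_KV.findall(line))


def domain_matches(query: str) -> Optional[str]:
    """Return the IOC domain if the query is it or one of its subdomains."""
    q = query.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if q == d or q.endswith("." + d):
            return d
    return None


def split_socket(value: str) -> Tuple[str, int]:
    """Split 'ip:port' into (ip, port)."""
    host, _, port = value.rpartition(":")
    return host, int(port)


def match_dns_line(line: str) -> Optional[dict]:
    """A DNS query for the payload host is a high-confidence hit."""
    f = parse_fields(line)
    hit = domain_matches(f.get("query", ""))
    if hit is None:
        return None
    return {"client": f.get("client"), "indicator": hit,
            "confidence": "high", "type": "dns"}


def match_conn_line(line: str) -> Optional[dict]:
    """Exact C2 socket -> high; IOC address on another port -> medium."""
    f = parse_fields(line)
    if "dst" not in f:
        return None
    ip, port = split_socket(f["dst"])
    src_ip, _ = split_socket(f.get("src", "unknown:0"))
    if (ip, port) in IOC_SOCKETS:
        return {"client": src_ip, "indicator": f"{ip}:{port}",
                "confidence": "high", "type": "conn"}
    if ip in IOC_IPS:
        # Same address, different port: worth a look, but weaker evidence
        # than the exact C2 socket because the host may serve other traffic.
        return {"client": src_ip, "indicator": ip,
                "confidence": "medium", "type": "conn"}
    return None


def scan(dns_lines: List[str], conn_lines: List[str]) -> List[dict]:
    """Run both matchers and collect every hit."""
    hits = []
    for line in dns_lines:
        h = match_dns_line(line)
        if h:
            hits.append(h)
    for line in conn_lines:
        h = match_conn_line(line)
        if h:
            hits.append(h)
    return hits


def hosts_with_c2_contact(hits: List[dict]) -> set:
    """Hosts that reached the C2 socket: candidates for isolation and memory capture."""
    return {h["client"] for h in hits
            if h["type"] == "conn" and h["confidence"] == "high"}


if __name__ == "__main__":
    results = scan(SAMPLE_DNS_LOG, SAMPLE_CONN_LOG)
    for hit in results:
        print(hit)
    print("C2 contact from:", sorted(hosts_with_c2_contact(results)))
```

On the constructed sample, the scan yields four hits (the DNS lookup, the connection to the payload host, the exact C2 socket and a second connection to the C2 address on port 443) and flags 10.0.0.15 as the host that reached the C2 socket, which is the one you would pull a memory image from for Volatility.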
