A new malspam campaign is underway that pretends to be shipping documents and contains an attachment that installs the DarkComet remote access Trojan. When DarkComet is installed, the malware has the ability to log your keystrokes, application usage, take screenshots, and more.
As this remote access Trojan, or RAT, can steal a significant amount of information from an infected computer, it is important to be aware of threats like this so you do not mistakenly become infected.
BleepingComputer was first alerted to this campaign by security researcher Vishal Thakur who spotted the email and analyzed the malware. These emails will have subjects that are similar to "Shipping docs#330" and pretend to be shipping documents awaiting the recipient's approval.
You can see an example of the malspam below.
Included in the emails are .z attachments with names like DOC000YUT600.pdf.z. Inside this attachment is a file named DOC000YUT600.scr, which when executed will install the DarkComet RAT onto the computer.
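The subject line and the double-extension attachment name quoted above are the two things a mail gateway can key on before any user sees the message. The following Python script is an added example written for this article, not code from BleepingComputer or the researcher: it flags attachment names where a document extension is hidden under an archive extension (DOC000YUT600.pdf.z), executable members such as the .scr file inside the archive, and subjects matching the "Shipping docs#NNN" lure. The sample message it scans is constructed inline; the sender and recipient addresses are placeholders.

```python
import re
import email
from email import policy
from email.message import EmailMessage

# Extension families used by the heuristics (assumed lists, not from the article).
ARCHIVE_EXT = {".z", ".zip", ".rar", ".7z", ".gz", ".ace", ".arj", ".iso"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf", ".txt"}
EXEC_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse", ".vbs", ".wsf"}

# Subject pattern modelled on the "Shipping docs#330" lure quoted in the article.
LURE_SUBJECT = re.compile(r"\bshipping\s+docs?\s*#?\s*\d*", re.IGNORECASE)


def attachment_risk(filename):
    """Return the list of reasons a filename looks like a malspam lure.

    Works on outer attachment names (DOC000YUT600.pdf.z) and on archive
    member names (DOC000YUT600.scr) alike.
    """
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    reasons = []
    # A document extension directly under an archive extension is the
    # "looks like a PDF" trick used by this campaign.
    if len(exts) >= 2 and exts[-1] in ARCHIVE_EXT and exts[-2] in DOC_EXT:
        reasons.append("document extension hidden under archive extension")
    if exts and exts[-1] in EXEC_EXT:
        reasons.append("executable extension")
        if len(exts) >= 2 and exts[-2] in DOC_EXT:
            reasons.append("double extension masquerading as document")
    return reasons


def scan_message(raw_bytes):
    """Parse an RFC 822 message and return (where, value, reason) findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    subject = str(msg["subject"] or "")
    if LURE_SUBJECT.search(subject):
        findings.append(("subject", subject, "matches shipping-document lure"))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for reason in attachment_risk(name):
            findings.append(("attachment", name, reason))
    return findings


def build_sample_message():
    """Constructed sample mirroring the campaign's subject and attachment name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"      # placeholder address
    msg["To"] = "recipient@example.invalid"     # placeholder address
    msg["Subject"] = "Shipping docs#330"
    msg.set_content("Please review the attached shipping documents for approval.")
    # The payload is a dummy byte string, not a real archive.
    msg.add_attachment(b"constructed-dummy-archive-bytes", maintype="application",
                       subtype="octet-stream", filename="DOC000YUT600.pdf.z")
    return msg.as_bytes()


if __name__ == "__main__":
    for where, value, reason in scan_message(build_sample_message()):
        print(f"{where:10} {value!r}: {reason}")
    # The .scr member found inside the archive is checked the same way.
    print("archive member", attachment_risk("DOC000YUT600.scr"))
```

In production the same `attachment_risk` check would be applied to every member name listed by the archive extractor, so the inner .scr is caught even when the outer name is innocuous.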
Once installed, the RAT copies itself to %UserProfile%\Music\regdrv.exe and %UserProfile%\Videos\Regdriver.exe. An autorun entry named "Registry Driver" is also created, which launches the Regdriver.exe executable whenever the user logs into Windows.
Once running, DarkComet will start logging application usage and keyboard activity and save it into log files located in the %UserProfile%\AppData\Roaming\dclogs\ folder. These files will be uploaded to the attacker at various intervals.
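The two drop locations, the "Registry Driver" autorun and the dclogs folder described above are enough for a quick host check. The Python below is an added example for this article, not a tool from BleepingComputer or the researcher: `match_indicators` compares a list of file paths and a map of Run-key entries against those indicators, and `collect_windows_artifacts` gathers the real inputs from a live Windows host (user-profile folders plus the HKCU and HKLM Run keys via `winreg`). The triage data in `sample_triage` is constructed; the user name and unrelated entries in it are placeholders.

```python
import os
import sys

# Host indicators quoted from the article, relative to %UserProfile%.
# Compared case-insensitively because NTFS paths are case-insensitive.
FILE_INDICATORS = (r"\music\regdrv.exe", r"\videos\regdriver.exe")
LOG_DIR_INDICATOR = r"\appdata\roaming\dclogs"
AUTORUN_NAME = "registry driver"
AUTORUN_BINARY = "regdriver.exe"
RUN_SUBKEY = r"Software\Microsoft\Windows\CurrentVersion\Run"


def _norm(path):
    return path.replace("/", "\\").lower()


def match_indicators(file_paths, run_values):
    """Return (kind, detail) hits for every indicator found in the inputs.

    file_paths: iterable of full paths; run_values: {value name: command}.
    """
    hits = []
    for path in file_paths:
        n = _norm(path)
        if any(n.endswith(ind) for ind in FILE_INDICATORS):
            hits.append(("dropped binary", path))
        elif LOG_DIR_INDICATOR + "\\" in n or n.endswith(LOG_DIR_INDICATOR):
            hits.append(("keylog file", path))
    for name, command in run_values.items():
        # Value names collected live are prefixed with the hive (HKCU\...),
        # so only the last path component is compared.
        short = name.lower().split("\\")[-1]
        if short == AUTORUN_NAME or AUTORUN_BINARY in _norm(command):
            hits.append(("autorun", f"{name} = {command}"))
    return hits


def collect_windows_artifacts():
    """Live collection on Windows: profile folders of interest plus Run keys."""
    if sys.platform != "win32":
        raise RuntimeError("live collection requires Windows")
    import winreg
    profile = os.path.expandvars("%UserProfile%")
    files = []
    for sub in ("Music", "Videos", os.path.join("AppData", "Roaming", "dclogs")):
        for root, _dirs, names in os.walk(os.path.join(profile, sub)):
            files.extend(os.path.join(root, f) for f in names)
    run_values = {}
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                        (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, RUN_SUBKEY)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _type = winreg.EnumValue(key, i)
                except OSError:
                    break
                run_values[f"{label}\\{name}"] = str(value)
                i += 1
    return files, run_values


def sample_triage():
    """Constructed triage data: one infected profile with two benign entries."""
    files = [
        r"C:\Users\placeholder\Music\regdrv.exe",
        r"C:\Users\placeholder\Documents\notes.txt",
        r"C:\Users\placeholder\AppData\Roaming\dclogs\constructed.log",
    ]
    run_values = {
        "HKCU\\ExampleUpdater": r"C:\Program Files\Example\updater.exe",  # placeholder
        "HKCU\\Registry Driver": r"C:\Users\placeholder\Videos\Regdriver.exe",
    }
    return files, run_values


if __name__ == "__main__":
    files, runs = collect_windows_artifacts() if sys.platform == "win32" else sample_triage()
    for kind, detail in match_indicators(files, runs):
        print(f"[{kind}] {detail}")
```

Matching on the autorun value name and on the launched binary separately matters: either one alone can be renamed by a later build, and a hit on the dclogs folder is worth reporting even when the executables have already been removed.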
You can see an example of a DarkComet log file below.
While running, the attacker can also connect to your computer to execute commands, chat with you, take screenshots of your active windows, and perform other activities. This could then allow them to see sensitive images or documents, which could then be used against you.
As always, to protect yourself from threats like DarkComet, make sure you have updated security software installed on your computer that provides real-time protection. Furthermore, never open attachments unless you know the sender and have confirmed that they actually sent you the email.
Even then, I strongly suggest you scan all attachments with VirusTotal to make sure that you are not opening a malicious document or file.