Darkmoon
Darkmoon is a RAT (Remote Administration Trojan) that gives third parties control over your computer through a simple client interface. Features boasted by Darkmoon include both general backdoor functions and specialized information-theft attacks, along with distribution methods that disguise its installers as unrelated files (such as torrents). Despite the breadth of its potential attacks, Darkmoon produces no meaningful symptoms that point to its presence; removing Darkmoon should be done with anti-malware products that are well-versed in identifying stealth-based threats.
A Weather Report That's Nothing but Trojans
While Darkmoon (also labeled PoisonIvy/Breut) has all the characteristics of a backdoor Trojan or spyware, the ease of use of its comprehensive attack interface makes Darkmoon primarily identifiable as a RAT. RATs like Darkmoon, Jack Trojan and Ghost Radmin sometimes are installed by Trojan droppers and downloaders, with installers that may be disguised as anything from fake movie files to documents carrying memory buffer-based exploits. Darkmoon is available to the general public on the black market, with some individual details – such as what disguise its installer uses – left up to the individual ill-minded client. Axiom, a group of hackers specializing in cyber espionage against targets that oppose Chinese state interests, is one of Darkmoon's highest-profile clients.
Regardless of the identity of the third parties controlling it, Darkmoon uses a straightforward Windows interface to enable most of its attacks. Examples of these functions include keylogging (recording your keyboard input), forcing non-consensual reboots, turning on and viewing your webcam, modifying the Registry, taking screen captures and terminating programs arbitrarily. Like many RATs, Darkmoon plays a dual role: it allows third parties to exert direct control over an infected PC, while also providing specialized features for monitoring, recording and uploading stolen information in multiple formats.
Easily Eclipsing a Darkmoon Attack
Darkmoon includes a file-bundling function that allows its installer to be concealed within unrelated files. These infection methods may be employed by third parties interested in infecting general, non-specific targets, such as users of illegal software sites. However, groups like Axiom, known for targeting defense contractors, infrastructure companies and equally specific aims, frequently prefer e-mail file attachments as reliable installers. Using anti-malware products to scan any files suspected of harboring Darkmoon should be adequate for preventing either infection method from succeeding.
Darkmoon is designed to avoid standing out and will not show any visible symptoms unless its user is careless. The prolonged presence of Darkmoon and equally stealthy backdoor Trojans as fixtures of the threat black market leads malware researchers to recommend routine anti-malware scans for virtually all PC owners. Verifying that your computer is uninfected, rather than hoping it is, may be the only way to catch a threat like Darkmoon before important information lands in unsafe hands.
File System Modifications
- The following files were created in the system:
1. ___.exe
2. mydll.exe
3. win32.exe
4. yxgunlzu.d1l
5. yxgunlzu.sys
Registry Modifications
- The following Registry keys and values are created:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  "Microsoft" = %Windir%\win32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YXGUNLZU
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yxgunlzu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters  "ServiceDll" = %System%\yxgunlzu.d1l
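As an added example (not code from the page or from any anti-malware product), the following Python checks an exported Registry snapshot and a list of file paths against the artifacts listed in the two sections above. The sample export, the benign SecurityHealth value and the function names are constructed for illustration.

```python
# Indicators are the file names and Registry entries listed on the page (key paths hive-relative).
DARKMOON_FILE_NAMES = {"___.exe", "mydll.exe", "win32.exe", "yxgunlzu.d1l", "yxgunlzu.sys"}
DARKMOON_KEYS = [r"SYSTEM\CurrentControlSet\Enum\Root\LEGACY_YXGUNLZU",
                 r"SYSTEM\CurrentControlSet\Services\Yxgunlzu"]
# (key, value name, data fragment); note ".d1l" uses a digit one to imitate ".dll".
DARKMOON_VALUES = [
    (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Microsoft", "win32.exe"),
    (r"SYSTEM\CurrentControlSet\Services\dmserver\Parameters", "ServiceDll", "yxgunlzu.d1l"),
]

def parse_reg_export(text):
    """Parse 'reg export' text into {key_path: {value_name: data}}, collapsing .reg's doubled backslashes."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line.partition('"=')
            if data.startswith('"') and data.endswith('"'):   # string value; other types kept raw
                data = data[1:-1].replace("\\\\", "\\")
            keys[current][name[1:]] = data
    return keys

def find_darkmoon_indicators(keys):
    """One finding per page-listed Registry artifact present in the parsed export."""
    findings = []
    for path, values in keys.items():
        sub = path.partition("\\")[2].lower()
        findings += [f"key present: {path}" for k in DARKMOON_KEYS if sub == k.lower()]
        for key, name, fragment in DARKMOON_VALUES:
            if sub == key.lower() and fragment in values.get(name, "").lower():
                findings.append(f"value {path}\\{name} = {values[name]}")
    return findings

def suspicious_file_names(paths):
    """Paths whose base name is a page-listed file name: a prompt for a scan, not proof."""
    return sorted(p for p in paths if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in DARKMOON_FILE_NAMES)

# Constructed sample export: one benign Run value beside the Darkmoon artifacts.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"Microsoft"="%Windir%\\win32.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yxgunlzu]
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmserver\Parameters]
"ServiceDll"="%System%\\yxgunlzu.d1l"
"""
```

Running find_darkmoon_indicators(parse_reg_export(SAMPLE_REG_EXPORT)) reports the Run value, the Yxgunlzu service key and the redirected dmserver ServiceDll while leaving the benign Run value alone; a real export comes from `reg export HKLM hklm.reg`.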