Technical Analysis of DarkVNC [Monday, February 19, 2024]

Description :
DarkVNC is a hidden VNC (hVNC) tool used for stealthy remote access to a victim's desktop without the user noticing. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample delivered as a DLL, vncdll64.dll, whose exported functions serve as the malware's entry points. On execution it generates a unique ID and sends it to the C2 server together with system information. DarkVNC can enumerate and manipulate windows belonging to the desktop environment, control the state of input devices such as the keyboard and mouse, and block the user's input. It also gathers details of the installed Chrome browser and launches command prompts (cmd.exe) to run commands. Detection and prevention controls such as EDR solutions and user awareness training are recommended.
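
As an added example (not code from the Securitricks report or from the DarkVNC sample), the Python below scores EDR-style process telemetry for the behaviours the description lists and for the SHA-256 indicators given further down. The telemetry records, the rundll32.exe host process, the JSON field names and the mapping of "block user input" to the Win32 BlockInput API are assumptions made for this example; a hash hit alerts on its own, while the behavioural signals only alert in combination.

```python
"""Score hVNC-style behaviour in EDR-like telemetry (added example, not from the report)."""
import json
from collections import defaultdict

# SHA-256 indicators listed in this report.
DARKVNC_SHA256 = {
    "bc2218649a1418f5da596a60ca08f030948a42a39c00818eed68e3eb922c7b94",
    "b902ae479afafa74a85305859661798bce8aa704b2bbdde5ea86cc16e7327bf8",
    "b01524be2b978cf4bf1a8c19ff0d60fc83f24d256a099efbe58fd15037326d41",
    "d053f5c5e6fa4dd00d1e2dcb1e43b21e64ce99e6606c248f6fffd44cf8328c0e",
    "ef6500e8a1743e01840063544cd4e880abcfe489283c0b32920f9347a77ac4e6",
}

# Weights per behaviour. A hash match is decisive by itself; the behavioural
# signals only reach the threshold together, so a lone BlockInput call (which
# some legitimate installers make) does not alert.
WEIGHTS = {
    "ioc_hash_match": 3,
    "vncdll64_loaded": 2,
    "blocks_user_input": 1,  # assumption: "block user input" maps to the BlockInput API
    "spawns_cmd": 1,
}
ALERT_THRESHOLD = 3

# Constructed telemetry in JSON-lines form; not captured from a real host.
# The rundll32.exe host process and the field names are assumptions.
SAMPLE_TELEMETRY = r"""
{"pid": 4120, "event": "process_start", "image": "C:\\Windows\\System32\\rundll32.exe", "sha256": "aaaa"}
{"pid": 4120, "event": "image_load", "image": "C:\\Users\\Public\\vncdll64.dll", "sha256": "bc2218649a1418f5da596a60ca08f030948a42a39c00818eed68e3eb922c7b94"}
{"pid": 4120, "event": "api_call", "api": "BlockInput"}
{"pid": 4120, "event": "child_process", "child_image": "C:\\Windows\\System32\\cmd.exe"}
{"pid": 5316, "event": "process_start", "image": "C:\\Windows\\System32\\notepad.exe", "sha256": "bbbb"}
{"pid": 5316, "event": "api_call", "api": "BlockInput"}
{"pid": 6000, "event": "process_start", "image": "C:\\Temp\\update.exe", "sha256": "ef6500e8a1743e01840063544cd4e880abcfe489283c0b32920f9347a77ac4e6"}
"""


def classify(event: dict) -> set:
    """Map one telemetry record to the behaviour labels it evidences."""
    labels = set()
    if event.get("sha256", "").lower() in DARKVNC_SHA256:
        labels.add("ioc_hash_match")
    image = event.get("image", "").replace("\\", "/").lower()
    if event["event"] == "image_load" and image.endswith("/vncdll64.dll"):
        labels.add("vncdll64_loaded")
    if event["event"] == "api_call" and event.get("api") == "BlockInput":
        labels.add("blocks_user_input")
    child = event.get("child_image", "").replace("\\", "/").lower()
    if event["event"] == "child_process" and child.endswith("/cmd.exe"):
        labels.add("spawns_cmd")
    return labels


def score_processes(telemetry: str) -> dict:
    """Return {pid: (score, sorted labels)} aggregated over all records of a process."""
    hits = defaultdict(set)
    for line in telemetry.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits[event["pid"]] |= classify(event)
    return {pid: (sum(WEIGHTS[label] for label in labels), sorted(labels))
            for pid, labels in hits.items()}


def alerts(telemetry: str) -> list:
    """PIDs whose score reaches the threshold, highest score first."""
    scored = score_processes(telemetry)
    return sorted((pid for pid, (score, _) in scored.items() if score >= ALERT_THRESHOLD),
                  key=lambda pid: -scored[pid][0])


if __name__ == "__main__":
    for pid, (score, labels) in score_processes(SAMPLE_TELEMETRY).items():
        print(pid, score, labels)
    print("alerts:", alerts(SAMPLE_TELEMETRY))
```

On the constructed input, PID 4120 (DLL load of vncdll64.dll with a listed hash, BlockInput, cmd.exe child) scores 7 and PID 6000 (hash match only) scores 3, so both alert; PID 5316, which only called BlockInput, scores 1 and stays quiet. In a real deployment the weights and threshold should be tuned against the environment's baseline, and hash matching should be treated as a fast path that expires as samples are recompiled.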

Published : 2024-02-19 12:25:42
Created : 2024-02-19 12:25:42
Modified : 2024-02-19 12:47:07

Indicators

Malwares :
  • DarkVNC
  • SolarMarker
  • IcedID - S0483
Hashes :
  • bc2218649a1418f5da596a60ca08f030948a42a39c00818eed68e3eb922c7b94
  • b902ae479afafa74a85305859661798bce8aa704b2bbdde5ea86cc16e7327bf8
  • b01524be2b978cf4bf1a8c19ff0d60fc83f24d256a099efbe58fd15037326d41
  • d053f5c5e6fa4dd00d1e2dcb1e43b21e64ce99e6606c248f6fffd44cf8328c0e
  • ef6500e8a1743e01840063544cd4e880abcfe489283c0b32920f9347a77ac4e6
Intrusion set :
  • IcedID

About the author
Julien B.

Securitricks
