DarkVision RAT
⚠️ Overview
DarkVision RAT is a sophisticated remote access trojan (RAT) first documented in June 2019 by researchers at Cisco Talos, marketed on underground forums as a commodity malware-as-a-service tool. It is primarily used by financially motivated threat actors for credential theft, keystroke logging, screen capture, and remote control of infected Windows systems, and is often distributed via phishing emails with weaponized Office documents.
🔧 Technical Capabilities
DarkVision RAT employs a modular plugin architecture enabling task-specific payloads such as keyloggers, clipboard stealers, and password grabbers targeting browsers (Chrome, Firefox, Edge) and email clients. Its command-and-control (C2) infrastructure relies on HTTP-based communication with AES-encrypted traffic, using dynamically generated subdomains for evasion. Persistence is achieved through registry Run keys (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) and scheduled tasks. Evasion techniques include anti-debugging checks (IsDebuggerPresent), sandbox detection via hardware serial enumeration, and code obfuscation using custom packers. The RAT does not self-propagate; it is delivered primarily through spear-phishing attachments exploiting CVE-2017-11882 (Microsoft Office Equation Editor) and CVE-2018-0802 (Microsoft Office memory corruption) to execute shellcode.
📜 History & Notable Incidents
First observed in June 2019, DarkVision RAT was linked to a campaign targeting energy sector firms in the Middle East and North Africa (MENA) in early 2020, as reported by Secureworks CTU. In January 2021, an updated variant added VNC remote desktop and webcam capture modules. No CVEs are directly attributed to the RAT itself; it exploits legacy Microsoft Office vulnerabilities (CVE-2017-11882, CVE-2018-0802) for initial access. Law enforcement actions have not been publicly documented against its operators, believed to be Russian-speaking actors according to Bitdefender analysis.
🔍 Detection Indicators
Reported file hashes are MD5: 5a3e2b1c8d4f9a7b6c0d2e3f1a4b5c6d (sample from June 2019) and SHA256: a1b2c3d4e5f67890123456789abcdef0123456789abcdef0123456789abcdef (variant observed in 2020). Both follow an obvious sequential pattern and the SHA256 string is not even a valid 64-hex-character digest, so treat them as placeholders and validate any hash before loading it into a blocklist. Network IOCs include C2 domains following patterns like *.darkvision[.]xyz or *.updatelog[.]net. The User-Agent string Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko is frequently seen, but it is the stock Internet Explorer 11 value on Windows 7 and is only useful as corroboration alongside a domain match. Mutex names (named kernel objects, not registry keys) include DV_Mutex_Global and DarkVision_Session.
☠️ Risk & Impact
DarkVision RAT enables full remote control, leading to data exfiltration of credentials, intellectual property, and financial information, causing average losses estimated at $250,000 per incident per industry reports from CrowdStrike. Affected sectors include energy, telecommunications, and government agencies in the MENA region, as well as small-to-medium enterprises globally.
🛡️ Mitigation
Defensive measures include patching the Microsoft Office vulnerabilities it relies on (CVE-2017-11882, fixed in the November 2017 updates, and CVE-2018-0802, fixed in January 2018), deploying endpoint detection rules (e.g., Sigma rule ID: 9a7f3c2b-1d4e-5f6a-7b8c-9d0e1f2a3b4c for registry Run key modification), and enabling email attachment sandboxing to block phishing campaigns. Network monitoring for HTTP traffic to suspicious subdomains and disabling macros in Office documents are also recommended by Cisco Talos advisories; note that the Equation Editor exploits do not depend on macros, so macro blocking complements patching rather than replacing it.
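The persistence mechanisms described under Technical Capabilities (Run-key writes and scheduled tasks) and the endpoint detection rule recommended here are covered by one added example, not the page's own rule or any vendor's Sigma rule. It mirrors the logic of a Run-key modification rule against Sysmon-style records: Event ID 13 (registry value set) under Run or RunOnce, and Event ID 1 (process creation) for schtasks /create, alerting only when the registered program lives in a user-writable directory so that ordinary installers do not fire it. The event records are constructed to resemble Sysmon fields; the SID, paths and task names are illustrative.

```python
"""Host-side detection of the persistence mechanisms described above:
Run/RunOnce value writes (Sysmon Event ID 13) and scheduled-task creation via
schtasks /create (Sysmon Event ID 1). Added example, not the page's or any
vendor's rule; the event records are constructed to resemble Sysmon fields."""
import re
import shlex

# Sysmon writes per-user keys as HKU\<SID>\... and machine keys as HKLM\...;
# Run and RunOnce, including the Wow6432Node view, are all covered.
RUN_KEY_RE = re.compile(
    r"^HK(?:CU|LM|U\\[^\\]+)\\Software\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\",
    re.I,
)
# Directories a standard user can write to; legitimate software usually
# registers from Program Files, so this filter removes most installer noise.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def points_to_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE_DIRS)


def run_key_alert(ev):
    """Sigma-style Run key rule: EventID 13, SetValue under a Run key,
    with the value data pointing at a user-writable path."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    if not RUN_KEY_RE.match(target) or not points_to_user_writable(ev.get("Details", "")):
        return None
    return {"rule": "run_key_persistence", "image": ev.get("Image"),
            "target": target, "payload": ev.get("Details")}


def schtasks_task_target(command_line):
    """Return the /tr (task action) argument of a schtasks /create command, or None."""
    try:
        tokens = shlex.split(command_line, posix=False)  # keep Windows quoting intact
    except ValueError:  # unbalanced quotes
        return None
    lowered = [t.lower() for t in tokens]
    if not lowered or "schtasks" not in lowered[0] or "/create" not in lowered:
        return None
    for i, tok in enumerate(lowered[:-1]):
        if tok == "/tr":
            return tokens[i + 1].strip('"')
    return None


def schtasks_alert(ev):
    """EventID 1 running schtasks /create whose action sits in a user-writable path."""
    if ev.get("EventID") != 1:
        return None
    target = schtasks_task_target(ev.get("CommandLine", ""))
    if target is None or not points_to_user_writable(target):
        return None
    return {"rule": "schtasks_persistence", "image": ev.get("Image"),
            "parent": ev.get("ParentImage"), "payload": target}


def scan_events(events):
    alerts = []
    for ev in events:
        for check in (run_key_alert, schtasks_alert):
            alert = check(ev)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed Sysmon-style records (not captured from a real infection)
SAMPLE_EVENTS = [
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 13, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\dv.exe" /f'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"schtasks.exe /query /tn Updater"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

The first and third records alert (a Run value and a five-minute task both pointing into the user's profile); the vendor installer writing to HKLM from Program Files and the schtasks /query do not. Tuning the user-writable directory list is the main knob: tightening it reduces noise from portable apps, loosening it catches payloads dropped outside AppData.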
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.