Context
On August 4, 2022, Cisco Talos Intelligence researchers reported new technical details of a tool called “Dark Utilities” that provides a full suite of command-and-control (C2) capabilities for threat actors. The tool, which was released in early 2022, is advertised by creators as enabling remote access, command execution, distributed denial-of-service (DDoS) attacks, and cryptomining capabilities. Talos researchers state multiple malware samples leveraging the “Dark Utilities” platform have been observed in the wild, primarily for remote access and cryptomining operations. The simplicity, low cost, and user-friendliness of the tool make it ideal for amplifying the attack capabilities of otherwise low-skilled/under-resourced threat actors.
Technical Details
The platform includes payloads that are executed on target systems to register the target with the service and establish C2 communications. The platform supports Windows, Linux, and Python payloads, and the creators are currently working to add support for further operating systems (OS) and architectures to enhance the tool's functionality. Talos researchers reported more than 3,000 registered users on the platform. Users authenticate to Dark Utilities via Discord, after which they are granted access to a dashboard displaying platform statistics and server information. The intuitive user interface is easy for low-skilled threat actors to leverage in attacks.
An administrative panel is available in the tool for users to operate bots registered with the platform, with built-in modules for DDoS attacks, cryptomining, and command execution. Dark Utilities supports both Layer 4 and Layer 7 DDoS attacks, each with multiple methods including, but not limited to, TCP, ICMP, GET, HEAD, and POST.
For cryptocurrency mining, the tool leverages pool[.]hashvault[.]pro to mine Monero. The only manual action required of the threat actor is entering the Monero wallet address to which mined cryptocurrency is directed. For command execution, the platform also includes a simple module and a Discord grabber that can run on multiple systems at once.
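Because the mining module reaches the fixed pool named above, outbound DNS resolution of that domain is a cheap detection signal. The following is an added example (not Talos's or the advisory's own code) that refangs the page's `[.]`-defanged indicator and matches it against DNS query logs; the three-column log layout, timestamps and client IP addresses are constructed for the example.

```python
# Defanged mining-pool domain quoted in the advisory; the "[.]" notation is the
# page's convention and must be refanged before it can be matched against logs.
DEFANGED_INDICATORS = ["pool[.]hashvault[.]pro"]

# Constructed sample DNS query log (not real telemetry): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2022-08-05T10:01:12Z 10.0.0.14 www.example.com
2022-08-05T10:01:40Z 10.0.0.27 pool.hashvault.pro
2022-08-05T10:02:03Z 10.0.0.27 EU.Pool.HashVault.Pro.
2022-08-05T10:02:15Z 10.0.0.31 pool.hashvault.pro.cdn.example.net
2022-08-05T10:03:09Z 10.0.0.14 notpool.hashvault.pro
"""


def refang(indicator: str) -> str:
    """Turn the defanged form (pool[.]hashvault[.]pro) back into a resolvable name."""
    return indicator.replace("[.]", ".").lower()


def normalize_qname(qname: str) -> str:
    """Lower-case the query name and strip the trailing root dot some resolvers log."""
    return qname.lower().rstrip(".")


def domain_matches(qname: str, indicator: str) -> bool:
    """Match on whole DNS labels: the query equals the indicator or is a subdomain of it.

    A plain substring test would misfire on pool.hashvault.pro.cdn.example.net
    (a different domain) and on notpool.hashvault.pro, so compare label-wise.
    """
    q = normalize_qname(qname)
    return q == indicator or q.endswith("." + indicator)


def find_mining_pool_queries(log_text: str, defanged=DEFANGED_INDICATORS):
    """Return (timestamp, client, qname, indicator) tuples for every matching query."""
    indicators = [refang(i) for i in defanged]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines rather than crashing
        ts, client, qname = parts
        for ind in indicators:
            if domain_matches(qname, ind):
                hits.append((ts, client, normalize_qname(qname), ind))
    return hits


if __name__ == "__main__":
    for hit in find_mining_pool_queries(SAMPLE_DNS_LOG):
        print("mining pool lookup:", hit)
```

Only the two queries from 10.0.0.27 match; the look-alike names on the other hosts are rejected by the label-wise comparison.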
Creator Details
Talos researchers attribute the creation and maintenance of Dark Utilities to an actor using the name Inplex-sys, who appears to be a French- and English-speaking actor with a short history in the dark web community. However, it is possible that multiple actors are behind the platform and that the Inplex-sys persona is simply the front used to advertise and operate the tool on the user-facing side.
IOCs
Talos researchers provided the following indicators of compromise (IOCs) for malware campaigns observed using the Dark Utilities platform: