Technical Details for C2 Tool “Dark Utilities” Leveraged in Malware Campaigns

New C2 tool lowers the technical barrier for use, enabling over 3,000 active users to execute sophisticated cyberattacks without requiring significant skill or resources.
Image of bad actor at laptop

Context

On August 4, 2022, Cisco Talos Intelligence researchers reported new technical details of a tool called “Dark Utilities” that provides a full suite of command-and-control (C2) capabilities for threat actors. The tool, which was released in early 2022, is advertised by creators as enabling remote access, command execution, distributed denial-of-service (DDoS) attacks, and cryptomining capabilities. Talos researchers state multiple malware samples leveraging the “Dark Utilities” platform have been observed in the wild, primarily for remote access and cryptomining operations. The simplicity, low cost, and user-friendliness of the tool make it ideal for amplifying the attack capabilities of otherwise low-skilled/under-resourced threat actors.

Technical Details

The platform includes payloads to be executed on target systems which register the target with the service and establish C2 communications. The platform supports Windows, Linux, and Python payloads, and creators are currently working to provide operating system (OS) and architecture support to enhance the tool’s functionality. Talos researchers reported more than 3,000 registered users on the platform. Users authenticate to Dar Utilities via Discord, after which they are granted access to a dashboard display with platform statistics and server information. The intuitive user interface is easy for low-skilled threat actors to leverage in attacks.

An administrative panel is available on the tool for users to operate bots registered with the platform, with built in modules for DDoS attacks, cryptomining, and command execution. Dark Utilities supports both Layer 4 and Layer 7 DDoS attacks, each with multiple methods including but not limited to: TCP, ICMP, GET, HEAD, and Post.

For cryptocurrency mining, the tool leverages pool[.]hashvault[.]pro to mine Monero. The only manual action required of the threat actor is entering the Monero wallet address for cryptocurrency to be directed. For command execution, the platform also includes a simple module and a Discord grabber that can run on multiple systems at once.

Creator Details

Talos researchers attribute the creation and maintenance of Dark Utilities to an actor under the name Inplex-sys, which appears to be a French and English-speaking actor with a short history in the dark web community. However, it is possible that multiple actors are behind the platform and the Inplex-sys persona is simply the front used to advertise and operate the tool on the user-facing side.

IOCs

Talos researchers provided the following indicators of compromise (IOCs) for malware campaigns observed using the Dark Utilities platform:

Indicator Type Notes
09fd574a005f800e6eb37d7e2a3ca640d3ac3ac7dbbde42cbe85aa9e877c1f7f SHA256 Hash from malware campaign leveraging Dark Utilities
0a351f3c9fb0add1397a8e984801061ded0802a3c45d9a5fc7098e806011a464 SHA256 Hash from malware campaign leveraging Dark Utilities
0d76fa68b7d788b37c9e0368222819a9ea3f53c70de61e5899cfbeff4b77b928 SHA256 Hash from malware campaign leveraging Dark Utilities
1e6e0918d2c93d452d9b3fbcac2cb3202ae3d97394eae6239c2d112791ec8260 SHA256 Hash from malware campaign leveraging Dark Utilities
240d2029d6f1ca1ee8b5c2d5f0aa862724502f71c48d5544ee053def4c0d83ec SHA256 Hash from malware campaign leveraging Dark Utilities
24a5f9a37ed983e9377e0a5c7c5e20db279e3f1bd62acbd7a038fd75b1686617 SHA256 Hash from malware campaign leveraging Dark Utilities
2e377087d0d2cb90b631ab0543f60d3d5d56db8af858cf625e7a9a26c8726585 SHA256 Hash from malware campaign leveraging Dark Utilities
2edc356fe59c53ce6232707ae32e15e223c85bbaef5ed6a4767d5c216c3fd4e7 SHA256 Hash from malware campaign leveraging Dark Utilities
36a1b2c71afe03cc7a0f8eb96b987283bf174eafaade62c20ec8fd6c1b0c1d93 SHA256 Hash from malware campaign leveraging Dark Utilities
38ee6cc72b373228f7ffddbbf0f78734f85600d84095b057651028472777bde8 SHA256 Hash from malware campaign leveraging Dark Utilities
41a7d1fa7c70a82656d2fa971befd8fa47a16815a30ff3f671794b0377d886b3 SHA256 Hash from malware campaign leveraging Dark Utilities
464864cf0c19885d867fdeebec68d72adb72d91910d39f5fc0d0a9c4e3b7ea53 SHA256 Hash from malware campaign leveraging Dark Utilities
4c252e74d77d50263430c388c08dc522aaeb15ef440c453b2876330a392b85de SHA256 Hash from malware campaign leveraging Dark Utilities
4d471cf939cc9d483587b74c0ffebed1b8a3f198d626e4a08d93d689f98122c8 SHA256 Hash from malware campaign leveraging Dark Utilities
50d0f98b17ca7d37dc8cd70cca2bad4c920b2bb1c059292fe6d203e94716f9bf SHA256 Hash from malware campaign leveraging Dark Utilities
52ad5431eeac730b3ff3cfd555d7d6f3fd4b127c9f2d7aa02fc64e48c2eb0ff5 SHA256 Hash from malware campaign leveraging Dark Utilities
52ba9b0afe0d13957f7f49383b2c1d106e17b4a42c3819973d9862ded7559310 SHA256 Hash from malware campaign leveraging Dark Utilities
5537a103aebc9237ba6dbc208c4a72c9944fb5de5b676ec684bd4f08b2c49fe7 SHA256 Hash from malware campaign leveraging Dark Utilities
645190d1702b309b3db5fbbad7ac747afb57fd8119daf39f17f5b5b5868fb136 SHA256 Hash from malware campaign leveraging Dark Utilities
646b798f9a3251e44703b6e72858dbb854b9d4fb8553fe1e387903b06f4bfe50 SHA256 Hash from malware campaign leveraging Dark Utilities
65a1b3fb9430c7342d13f79b460b2cc7d9f9ddced2aeecd37f2862a67083e68c SHA256 Hash from malware campaign leveraging Dark Utilities
6aa4dceb8c7b468fed2fa1c0b275a0bc4b1500325a3ad42576e7b3b98218614f SHA256 Hash from malware campaign leveraging Dark Utilities
6b5b632f9db3a10cf893c496acbf8aecf460c75353af175ab3d90b9af84d4ca3 SHA256 Hash from malware campaign leveraging Dark Utilities
6c29ff8b0fae690356f85138b843ea2e2202e115e4b1213d96372b9eeef4f42c SHA256 Hash from malware campaign leveraging Dark Utilities
6ca488cfbee32e4ea6af8a43b1e0b1a09c8653db7780aa5ff3661e1da31d751a SHA256 Hash from malware campaign leveraging Dark Utilities
70706788666c7190803d6760e857e40d076ae69dc6cc172f517a46d8107127e6 SHA256 Hash from malware campaign leveraging Dark Utilities
72de1dafc8517aa82578b53518959642dc1aede81fc2da9fe01b5070100560d6 SHA256 Hash from malware campaign leveraging Dark Utilities
74984b6e514a4b77f20ed65a8b490313cbf80319eb3310ed8bca76f83e449564 SHA256 Hash from malware campaign leveraging Dark Utilities
755e02e1cc3357ec78a218347e4b40aa81783f01658cdf9fc0558e21d2d982ad SHA256 Hash from malware campaign leveraging Dark Utilities
7e183f6c9e69535324f5e05bea3fde54a3151c9433717a9111bde6423eaee192 SHA256 Hash from malware campaign leveraging Dark Utilities
83fd0ced1eaf5f671c3837592684fb04a386649d2eaa12aa525fb73ac3b94a1a SHA256 Hash from malware campaign leveraging Dark Utilities
8c59a3125891d8864f385724cd2412e099b88d1a9023a63fd61944ad0f4631d1 SHA256 Hash from malware campaign leveraging Dark Utilities
92aa81228137d571be956045cf673603e994c5e6d1a35559881e34b99e1e01fa SHA256 Hash from malware campaign leveraging Dark Utilities
9d82b17a781835d1f2101e08a628fd834d05fabd53750fee8a0e5565dbdc7842 SHA256 Hash from malware campaign leveraging Dark Utilities
9e7fd31dfd530a8df90b80c4ae8ca89484e204a8c036125324cd39aa5cd8b562 SHA256 Hash from malware campaign leveraging Dark Utilities
a2e17c802369254de783115c1c47ddb2ae0e117d3f4be99a8d528f50f7a55e5d SHA256 Hash from malware campaign leveraging Dark Utilities
a8fda5e327d5f66a96657cb54d229f029e8e468aac30707331c77dbc53a0e82b SHA256 Hash from malware campaign leveraging Dark Utilities
ad50c79f66f6a7b7d8db43105fc931b7f74e1c9efb97e0867cafb373834e88ce SHA256 Hash from malware campaign leveraging Dark Utilities
b0f1d43105a2d2b9efb2f36141eaf3f57dc6d7b1593bb31c5a8710614a08c8cc SHA256 Hash from malware campaign leveraging Dark Utilities
b291dd56fc5b56d534c763f2d16d2ad340d6fbb735425d635af3fa0063063698 SHA256 Hash from malware campaign leveraging Dark Utilities
c1cba31a9eb73ea745f5cda1bdf84dc91734821e0899af058ecad5b1e458936c SHA256 Hash from malware campaign leveraging Dark Utilities
c9deeda7cd7adb4ff584d13ea64cdb50c9e8b5c616f1dff476f372e86c9b9be6 SHA256 Hash from malware campaign leveraging Dark Utilities
cacab4c0e3af52bb7f620efc8f676b74caf1dc51983596e6a4a2ac50c5f39528 SHA256 Hash from malware campaign leveraging Dark Utilities
cd663bbe19ef09b76572cb6960d69e78639aad55b38758597d16deb3a541519f SHA256 Hash from malware campaign leveraging Dark Utilities
cf4491029155a703195104cab5fdf314dc1b14b520b2305e66b67e78e240b43c SHA256 Hash from malware campaign leveraging Dark Utilities
df6685c4d90ee92854eb7ab91b26eda43933a1a3a8ac3eefc957b1359faa8bea SHA256 Hash from malware campaign leveraging Dark Utilities
e32d67b7d62bcaf06618794c0f93e31a03d3b2735d0af191a09092aa4512a37a SHA256 Hash from malware campaign leveraging Dark Utilities
e4caf4131dc51c6f44bc75a26061623da269bf20a255c62f5b4a4ab934c7da53 SHA256 Hash from malware campaign leveraging Dark Utilities
e4eacbcd8ee561f073de7819d84e885c8a1d58614c052c135240783b078e164a SHA256 Hash from malware campaign leveraging Dark Utilities
ed9d7558433a9d4fe0b6f632b8f3376aec26fb2a23d6cf2fe1d39c17a544ef39 SHA256 Hash from malware campaign leveraging Dark Utilities
f6f376c7b1f78fbf2354d2a908ef4ea17bf5e05d0c98af13052d1bc678ae2ebd SHA256 Hash from malware campaign leveraging Dark Utilities
b11e566bd9f76563be3e53b1d5b49a2abc84bc89d361b58cb9f7ba85600ddea4 SHA256 Hash from malware campaign leveraging Dark Utilities
dark-utilities[.]xyz Domain Domain from malware campaign leveraging Dark Utilities
dark-utilities[.]pw Domain Domain from malware campaign leveraging Dark Utilities
dark-utilities[.]me Domain Domain from malware campaign leveraging Dark Utilities
ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd[.]onion[.]pet Domain Domain from malware campaign leveraging Dark Utilities
bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4[.]ipfs[.]infura-ipfs[.]io Domain Domain from malware campaign leveraging Dark Utilities

 

More Recent Blog Posts