A 42-year-old arrested by Ukraine police for infecting thousands of computer from 50 countries around the world using DarkComet RAT.
Ukraine police found an modified administrator version of the RAT installed on his computer and he distributed the client version of RAT.
The DarkComet RAT is capable of providing complete remote access to the infected computers, keystroke logging, file system access, spy on webcam, microphone, clipboard monitor, disable OS features, steal passwords and take screenshots.
The first version of DarkComet released in 2008 and now at version 4, it is a popular tool used by cybercriminals to gain remote access over the compromised machines. It is an all-in-one administration tool.
Ukraine cyberpolice specialists detected that an administrator-panel installed on his computer contains access to the computer infected by the RAT, its installation files, and controls to take a screenshot of victim machines.
How to Check That you are Infected – DarkComet RAT
Ukraine police provided instructions of how to check for the infection
Press the Windows key and R to bring the command
Type cmd and hit enter
In your command prompt type netstat -nao and enter, it will display active TCP connections, ports, and the process ID for each connection.
In the list of connection check for the connection to host 18.104.22.168 on port 1604 or 81.
If you find any connection with specified IP address then you will be infected with DarkComet RAT campaign, to mitigate victims would reinstall operating systems, use an antivirus or can contact information security professions for recovery.