DarkVision RAT Deployed: Malware Campaign Targets Systems via PureCrypter – Strengthen Your Defenses Now
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
| ID | Technique Name | Remediation |
| --- | --- | --- |
| | Scheduled Task | Limit task creation to authorized users. Use Group Policies to restrict task scheduling, monitor scheduled tasks, and audit for unauthorized entries. |
| | Registry Run Keys / Startup Folder | Monitor changes in registry keys and startup folders using endpoint detection tools. Restrict unauthorized users from modifying registry settings via GPO. |
| | Process Injection | Deploy behavior-based detection systems to monitor API calls (NtCreateSection, NtMapViewOfSection). Use EDR tools and enforce application whitelisting. |
| | Deobfuscate/Decode Files or Information | Implement monitoring tools to detect obfuscation or decoding activities. Use DLP solutions to prevent transfer of encoded data and monitor network traffic. |
| | Disable or Modify Tools | Restrict modification of antivirus settings. Regularly audit Windows Defender exclusion lists and use tamper protection in security tools to block unauthorized changes. |
| | Steal Web Session Cookie | Harden browser settings by enabling "SameSite" attributes. Enforce MFA for login sessions and block unauthorized browser plugins. |
| | Application Window Discovery | Restrict access to system-level information. Use endpoint tools to monitor API calls related to window discovery. Limit user access to system processes. |
| | Process Discovery | Limit process discovery to administrative users. Use EDR tools to monitor API calls associated with process enumeration and alert on suspicious activity. |
| | System Information Discovery | Use endpoint protection to monitor access to system information. Implement RBAC (role-based access control) and regularly audit logs for unauthorized system scans. |
| | File and Directory Discovery | Restrict file and directory access using ACLs (access control lists). Monitor access activities using logging and use DLP solutions for sensitive file protection. |
| | Audio Capture | Limit microphone access to authorized applications only. Monitor for unauthorized microphone usage and audit logs regularly. |
| | Video Capture | Use webcam privacy tools to notify users of unauthorized access. Restrict video capture access to trusted applications using endpoint protection. |
| | Screen Capture | Deploy tools to detect unauthorized screen captures. Educate users on recognizing suspicious activity and audit logs for screen capture attempts. |
| | Input Capture: Keylogging | Install anti-keylogging software. Use encrypted input methods for sensitive data and monitor for suspicious keylogging activities in system logs. |
| | Remote Access Software | Disable or limit remote access software. Use MFA and network segmentation to protect remote access. Monitor VNC/hVNC traffic for unauthorized access. |
| | Non-Standard Port | Monitor and block non-standard ports using firewalls and network monitoring tools. Implement strict port usage policies to allow only authorized traffic. |
| | System Shutdown/Reboot | Restrict system shutdown/reboot permissions to administrative users. Monitor and alert on shutdown/reboot commands, particularly for critical systems. |
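The "Scheduled Task" and "Registry Run Keys / Startup Folder" rows both call for monitoring and auditing persistence locations for unauthorized entries. The following PowerShell script is an added example, not code from the original page or from any vendor: it inventories scheduled task actions, the Run/RunOnce keys and both Startup folders, writes a baseline on first run, and on later runs reports any entry not present in the baseline. The baseline path is an assumption; it needs an elevated session to read machine-wide tasks and keys.

```powershell
# Added example (not from the original page): baseline and diff the Windows
# persistence locations named in the table: scheduled tasks, Run/RunOnce keys
# and Startup folders. Run elevated. The baseline path is an assumption.
$BaselinePath = "$env:ProgramData\PersistenceBaseline.json"

function Get-PersistenceInventory {
    $items = @()

    # Scheduled tasks: record each task's path, author and the command it runs.
    # Only actions that execute a program carry an Execute property; COM-handler
    # actions are skipped here.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if ($action.PSObject.Properties.Name -contains 'Execute') {
                $items += [pscustomobject]@{
                    Source  = 'ScheduledTask'
                    Name    = "$($task.TaskPath)$($task.TaskName)"
                    Author  = $task.Author
                    Command = "$($action.Execute) $($action.Arguments)".Trim()
                }
            }
        }
    }

    # Run / RunOnce keys for the machine (including the WOW6432Node view) and the current user
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $psNoise = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $psNoise) { continue }   # provider metadata, not a value
            $items += [pscustomobject]@{
                Source  = 'RegistryRun'
                Name    = "$key\$($p.Name)"
                Author  = ''
                Command = [string]$p.Value
            }
        }
    }

    # Startup folders for all users and for the current user (hidden files included)
    $startupDirs = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
        "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        foreach ($f in Get-ChildItem -Path $dir -File -Force) {
            $items += [pscustomobject]@{
                Source  = 'StartupFolder'
                Name    = $f.FullName
                Author  = ''
                Command = $f.FullName
            }
        }
    }
    return ,$items   # the comma keeps an empty result as an array
}

function Compare-PersistenceBaseline {
    param([string]$Path = $BaselinePath)
    $current = Get-PersistenceInventory
    if (-not (Test-Path $Path)) {
        $current | ConvertTo-Json -Depth 3 | Set-Content -Path $Path
        Write-Host "Baseline written to $Path ($($current.Count) entries)."
        return
    }
    $baseline = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $known = @{}
    foreach ($b in @($baseline)) { $known["$($b.Source)|$($b.Name)|$($b.Command)"] = $true }

    # Anything absent from the baseline is a new persistence entry and deserves review
    $new = @($current | Where-Object { -not $known.ContainsKey("$($_.Source)|$($_.Name)|$($_.Command)") })
    if ($new.Count -gt 0) {
        Write-Warning "New persistence entries since baseline:"
        $new | Format-Table Source, Name, Command -AutoSize
    } else {
        Write-Host "No new persistence entries."
    }
}

Compare-PersistenceBaseline
```

Take the baseline on a known-clean host or image, store it somewhere the audited host cannot modify, and run the comparison on a schedule; a new entry is only a lead for review, since legitimate software installs also add Run keys and tasks.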
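The "Disable or Modify Tools" row recommends auditing Windows Defender exclusion lists and keeping tamper protection on. This PowerShell function is an added example, not part of the original page: it reads the current exclusions and protection state through the Defender module's Get-MpPreference and Get-MpComputerStatus cmdlets and flags the entries an auditor would want to look at first. The patterns used to rate an exclusion as high risk are an assumption for illustration.

```powershell
# Added example (not from the original page): audit Microsoft Defender
# exclusions and tamper-protection state. Requires the Defender PowerShell
# module and an elevated session. Risk patterns below are an assumption.

function Get-DefenderExclusionReport {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    $findings = @()

    # Every exclusion deserves review; ones that cover drive roots or
    # user-writable locations are rated High because they hide the most.
    $broadPathPatterns = @('^[A-Za-z]:\\?$', '\\Users\\', '\\Temp\\', '\\AppData\\', '\\ProgramData\\?$')
    foreach ($p in @($pref.ExclusionPath)) {
        if (-not $p) { continue }
        $isBroad = $broadPathPatterns | Where-Object { $p -match $_ }
        $risk = if ($isBroad) { 'High' } else { 'Review' }
        $findings += [pscustomobject]@{ Type = 'Path'; Value = $p; Risk = $risk }
    }

    # Excluding executable or script extensions outright is rated High
    foreach ($e in @($pref.ExclusionExtension)) {
        if (-not $e) { continue }
        $risk = if ($e -match '^\.?(exe|dll|ps1|vbs|js|bat|cmd|scr)$') { 'High' } else { 'Review' }
        $findings += [pscustomobject]@{ Type = 'Extension'; Value = $e; Risk = $risk }
    }

    foreach ($proc in @($pref.ExclusionProcess)) {
        if (-not $proc) { continue }
        $findings += [pscustomobject]@{ Type = 'Process'; Value = $proc; Risk = 'Review' }
    }

    # Protection state: each disabled feature is a finding in its own right
    if (-not $status.IsTamperProtected) {
        $findings += [pscustomobject]@{ Type = 'Setting'; Value = 'TamperProtection=Off'; Risk = 'High' }
    }
    if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
        $findings += [pscustomobject]@{ Type = 'Setting'; Value = 'RealTimeProtection=Off'; Risk = 'High' }
    }
    if ($pref.DisableBehaviorMonitoring) {
        $findings += [pscustomobject]@{ Type = 'Setting'; Value = 'BehaviorMonitoring=Off'; Risk = 'High' }
    }

    return ,$findings
}

$report = Get-DefenderExclusionReport
if ($report.Count -eq 0) {
    Write-Host "No exclusions configured and protection features are enabled."
} else {
    $report | Sort-Object Risk | Format-Table Type, Value, Risk -AutoSize
}
```

Defender records configuration changes, including exclusion edits, as event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, so forwarding that log to the SIEM complements a periodic run of this report.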
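The "Non-Standard Port" and "Remote Access Software" rows ask for port usage policies and monitoring of remote-access traffic. The following PowerShell function is an added example, not code from the original page: it compares the host's TCP listeners and established connections against an allowlist and maps each offending socket to its owning process and image path. Both allowlists are constructed for illustration and must be set per host role.

```powershell
# Added example (not from the original page): report TCP listeners and
# established connections that fall outside an allowlist, with the owning
# process, to support a per-host port usage policy. Allowlists are constructed.
$AllowedLocalPorts  = @(135, 139, 445, 3389, 5985, 5986)   # constructed: expected services on this host
$AllowedRemotePorts = @(53, 80, 443)                       # constructed: expected outbound destinations

function Get-NonStandardPortReport {
    $report    = @()
    $procCache = @{}
    $loopback  = @('127.0.0.1', '::1')

    foreach ($c in Get-NetTCPConnection) {
        # Resolve the owning process once per PID; the process may already have exited
        $owner = $c.OwningProcess
        if (-not $procCache.ContainsKey($owner)) {
            $proc = Get-Process -Id $owner -ErrorAction SilentlyContinue
            $procCache[$owner] = if ($proc) { @{ Name = $proc.ProcessName; Path = $proc.Path } }
                                 else       { @{ Name = '?';               Path = '' } }
        }

        $reason = $null
        if ($c.State -eq 'Listen' -and $c.LocalPort -notin $AllowedLocalPorts) {
            $reason = "Listener on non-allowlisted local port $($c.LocalPort)"
        } elseif ($c.State -eq 'Established' -and
                  $c.RemoteAddress -notin $loopback -and
                  $c.LocalPort -notin $AllowedLocalPorts -and      # not inbound to an allowed service
                  $c.RemotePort -notin $AllowedRemotePorts) {
            $reason = "Connection to non-allowlisted remote port $($c.RemotePort)"
        }

        if ($reason) {
            $report += [pscustomobject]@{
                Process = $procCache[$owner].Name
                Path    = $procCache[$owner].Path
                Local   = "$($c.LocalAddress):$($c.LocalPort)"
                Remote  = "$($c.RemoteAddress):$($c.RemotePort)"
                State   = $c.State
                Reason  = $reason
            }
        }
    }
    return ,$report
}

Get-NonStandardPortReport | Format-Table Process, Local, Remote, State, Reason -AutoSize
```

A snapshot like this only catches what is connected at the moment it runs; for continuous coverage the same allowlist belongs in the host firewall rules, with blocked attempts logged and forwarded.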