Police in Ukraine have arrested a man who allegedly used a notorious Remote Access Trojan (RAT) to target thousands of users around the world.
A statement from the Ukrainian National Police on Friday said that cyber specialists on the force cuffed a 42-year-old man from Lviv on suspicion of using the DarkComet malware.
He’s said to have infected 2000 computers in 50 countries around the world.
On searching his machines, the police found the man installed "a Trojan virus administration program on his computer and modified it to send out client versions of the virus,” according to the statement.
These ‘clients’ are used to harvest data from infected machines. The malware has been around for at least six years and was even used by the Syrian regime to spy on activists and opposition groups.
It features multiple capabilities including keylogging, password and document theft, webcam monitoring, taking screenshots of the victim’s machine, and even disabling AV notification settings.
“The cyber police specialists analyzed the malware. It is found that the virus provides full remote access to controlled computers. In particular — the ability to download and upload files, manage startup and services, remotely manage the registry, install and remove programs, take screenshots from the remote screen, intercept microphone sound and video from embedded or external cameras,” the statement continued.
Perhaps most incriminating of all, the police found screenshots of infected victim computers on the arrested man’s machine.
Ukrainian police also issued a series of steps for users to take to check if their computer has been infected with DarkComet.
This involves checking if the machine is trying to communicate with IP address 193.53.83.233 on port 1604 or 81.
If so, they’re urged to use anti-malware program to remove the infection.