Recently I purchased a laptop, as I was in a situation where I needed a backup laptop ASAP. I stumbled across a Lenovo ThinkPad T450, Intel Core i5, 8GB (upgradable to 16GB) for a BARGAIN price of £120! It was an instant sale for me. I got the laptop home; it had a few blemishes and marks, which is to be expected.
Having worked for both Blue Teams and Red Teams, I am automatically paranoid that everything is a potential threat. Given that instinctive feeling, I decided to dig into the laptop a little further (please note that at this stage I had NOT joined the laptop to my home network). Typically, I like to go into Task Manager and see what processes are running in the background. I started scrolling down and then, BINGO, we had a winner! I stumbled across a process called DarkComet.exe. This instantly rang alarm bells for me, as I know this is a well-known RAT.
For those that don't know what a RAT is, it stands for Remote Access Trojan. It is a type of malware that gives a malicious actor remote monitoring and control of your computer, and from there a foothold on any network it joins. In our case, DarkComet provides comprehensive control over the infected machine (my machine): keylogging, screen and webcam capture, file transfer, remote shell and the like. It has been in circulation since 2008, its author stopped developing it in 2012, and it still turns up on infected machines today. Operators typically wrap DarkComet in a crypter (a packer that obfuscates the binary) so that it is not recognised by AV tools, and it carries several malicious admin functions such as disabling Task Manager and the Windows Firewall. Note that the process name is the only thing that gave it away here: a renamed build would not stand out in Task Manager, so the process name is a lucky catch rather than a reliable detection.
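The Task Manager check above, and the two tampering symptoms just mentioned (Task Manager disabled by policy, firewall turned off), can be done more systematically from an elevated PowerShell prompt. The script below is an added example written for this page, not code from the original post; it assumes Windows with PowerShell 5.1 or later, that it is run as Administrator, and that the laptop stays off the network. The process watch list and the quarantine folder name are illustrative choices, not anything observed on this laptop.

```powershell
# Added example (not from the original post): offline triage of a second-hand Windows laptop.
# Assumptions: Windows, PowerShell 5.1+, run as Administrator, machine NOT connected to any network.

# 1. Process names worth a closer look. DarkComet.exe is the default name the post found;
#    extend this list with whatever else you consider suspicious (constructed example list).
$watchList = @('DarkComet.exe')

# 2. Enumerate running processes with their on-disk path and Authenticode signature status.
#    A RAT usually lives outside the Windows directory and is unsigned, so flag those too.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $path = $_.ExecutablePath
    $sig  = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'Unknown' }
    [pscustomobject]@{
        Name      = $_.Name
        PID       = $_.ProcessId
        ParentPID = $_.ParentProcessId
        Path      = $path
        Signature = $sig
        Flagged   = ($watchList -contains $_.Name)   # -contains is case-insensitive
    }
}
$procs |
    Where-Object { $_.Flagged -or ($_.Path -and $_.Signature -ne 'Valid' -and $_.Path -notlike "$env:windir\*") } |
    Sort-Object Flagged -Descending | Format-Table -AutoSize

# 3. Persistence: list every entry in the per-user and machine Run keys, which is where a RAT
#    typically re-launches itself from after a reboot. Compare the values against the paths above.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key | Select-Object * -ExcludeProperty PS*).PSObject.Properties |
            ForEach-Object { "{0}`t{1}`t{2}" -f $key, $_.Name, $_.Value }
    }
}

# 4. The two tampering symptoms from the text: Task Manager disabled by policy, firewall profiles off.
$tmPolicy = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name DisableTaskMgr -ErrorAction SilentlyContinue
'DisableTaskMgr policy: ' + $(if ($tmPolicy) { $tmPolicy.DisableTaskMgr } else { 'not set' })
Get-NetFirewallProfile | Select-Object Name, Enabled

# 5. Kill anything on the watch list and keep a copy of the binary for later analysis.
#    This is evidence gathering only; it does not remove persistence, and the only reliable
#    remediation for a machine of unknown provenance is a clean reinstall.
$quarantine = Join-Path $env:USERPROFILE 'Desktop\quarantine'   # illustrative location
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null
foreach ($p in ($procs | Where-Object Flagged)) {
    Stop-Process -Id $p.PID -Force -ErrorAction SilentlyContinue
    if ($p.Path -and (Test-Path $p.Path)) {
        Copy-Item $p.Path -Destination (Join-Path $quarantine ("{0}.{1}.bin" -f $p.Name, $p.PID))
    }
}
```

Signature status is a heuristic: plenty of legitimate third-party software is unsigned, and a signed binary can still be abused, so treat the output as a list of things to look at rather than a verdict. The Run-key listing is deliberately unfiltered, because a renamed RAT would not match the watch list and the registry value is often the only clue that something re-launches at logon.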
At this point I had already seen enough, so I simply ended the process. When you buy a laptop from a stranger in circumstances like these, my advice is to nuke the laptop and rebuild it with a fresh install of Windows / Linux, so you know EXACTLY what is on your machine. Chaos avoided.