Technical Analysis of DarkVNC
DarkVNC is a hidden utility based on VNC technology used for stealthy remote access. It was advertised in 2016 and received updates until 2017. DarkVNC has been used by threat actors associated with IcedID and SolarMarker campaigns. This analysis focuses on a DarkVNC sample that uses vncdll64.dll for exporting functions. It generates a unique ID to send to the C2 server along with system info. DarkVNC can search for and manipulate windows related to the desktop environment. It can also control the state of devices like keyboard and mouse and block user input. The malware gathers details on the Chrome browser install and runs cmd prompts. Detection and prevention controls like EDR solutions and training programs are recommended.