Recently I purchased a laptop because I was in a situation where I needed a backup laptop ASAP. I stumbled across a Lenovo ThinkPad T450, Intel Core i5, 8GB (upgradable to 16GB) for a BARGAIN price of £120! I was instantly sold. When I got the laptop home it had a few blemishes and marks, which is to be expected.
Having worked for both Blue Teams and Red Teams, I am automatically paranoid that everything is a potential threat. Given that instinctive feeling, I decided to dig into the laptop a little further (please note that at this stage I had NOT joined the laptop to my home network). Typically, I like to open Task Manager and see what processes are running in the background. I started scrolling down and then BINGO, we had a winner! I stumbled across a process called DarkComet.exe. This instantly rang alarm bells for me, as I know this is a well-known RAT.
For those that don’t know what a RAT is, it stands for Remote Access Trojan. It is a type of malware that allows malicious actors/hackers to monitor and control your computer or network. In our case, DarkComet provides comprehensive control over the infected machine (my machine). It was first identified in 2011 and still infects thousands of computers without being detected. DarkComet uses crypters to hide its existence from AV tools. It performs several malicious admin tasks, such as disabling Task Manager and Windows Firewall.
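The Task Manager check described above can be done more thoroughly from an elevated PowerShell prompt, still with the laptop kept off the network. The script below is an added example and is not from the original post or from Woody; it only reads state and changes nothing. It lists every running process with its image path and Authenticode signature status, flags the process name from this post (the list of names to flag is an illustrative assumption), and then checks the two symptoms the post attributes to DarkComet: Task Manager disabled by policy and the Windows Firewall switched off. It also dumps the Run keys and enabled scheduled tasks, which are common persistence locations worth reviewing before deciding whether a rebuild is the only sensible option (on a second-hand machine it almost always is).

```powershell
# Added triage script (not from the original post). Run from an elevated
# PowerShell prompt on the machine while it is still isolated from any network.
# Everything here is read-only. The process names to flag are an assumption
# chosen for this example; extend the list as you see fit.
$suspectNames = @('DarkComet')   # matched case-insensitively by -contains

# 1. Every running process with its image path and Authenticode status.
#    Unsigned binaries running from user-writable paths deserve a closer look.
$procs = Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    [pscustomobject]@{
        Name      = $_.ProcessName
        Id        = $_.Id
        Path      = $_.Path
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Flagged   = ($suspectNames -contains $_.ProcessName) -or
                    ($_.Path -match '\\Users\\|\\Temp\\|\\AppData\\')
    }
}
$procs | Sort-Object Flagged -Descending | Format-Table -AutoSize

# 2. Has Task Manager been disabled by policy? (DarkComet is known to do this.)
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$disableTm = (Get-ItemProperty -Path $polKey -Name DisableTaskMgr `
              -ErrorAction SilentlyContinue).DisableTaskMgr
"Task Manager disabled by policy: {0}" -f ($disableTm -eq 1)

# 3. Is the Windows Firewall switched off on any profile?
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

# 4. Common persistence locations: per-user and machine-wide Run keys,
#    plus every scheduled task that is not disabled.
foreach ($hive in 'HKCU', 'HKLM') {
    $runKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    "--- $runKey ---"
    Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* | Format-List
}
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize
```

Nothing in the output proves a machine is clean; the point is the opposite. A flagged or unsigned process, a `DisableTaskMgr` value of 1, or a firewall profile showing `Enabled : False` is a clear signal to stop investigating and go straight to the rebuild recommended below, and to treat any account that was logged in on the machine as exposed.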
At this point I had already seen enough, so I simply ended the process. When buying a laptop from a stranger, my advice is to nuke the laptop and then rebuild it with a fresh install of Windows / Linux, so you know EXACTLY what is on your machine. Chaos avoided.
Woody is a staff penetration tester based in the UK and covering all of Europe. When not testing, Woody can be found in the gym and walking Barney, his companion pup.