Last Updated: 2022-11-02 05:07:52 UTC
by Brad Duncan (Version: 1)
VNC is an acronym for Virtual Network Computing. It is a way of controlling a computer remotely from another computer. VNC is similar to a Remote Access Tool (RAT). But unlike a RAT, VNC is a cross-platform screen sharing system that allows full keyboard and visual control, as if you were physically present at the remote host.
During the past year or so, I've referred to any VNC activity I've run across as DarkVNC. But not all VNC traffic is necessarily DarkVNC, so let's figure out who put the "Dark" in DarkVNC. To answer that question, this diary reviews VNC-based malware samples and activity since 2013.
VirusTotal's first DarkVNC sample
VirusTotal's sandbox C2AE will flag certain samples with tags indicating various malware families. One such flag is RAT (DarkVNC). This is a searchable flag for people with a VirusTotal Intelligence subscription. The first DarkVNC-flagged sample was submitted to VirusTotal on 2013-04-03. This sample shows a creation date of 2012-12-24. The SHA256 hash is:
I found my first DarkVNC sample in 2017 as one of the payloads from a Terror Exploit Kit (EK) infection. That DarkVNC sample generated traffic to 18.104.22.168:443 and triggered an alert for ETPRO TROJAN W32/DarkVNC Checkin. This activity was referenced in a ReaQta blog in 2017 about DarkVNC that is currently available through archive.org.
I didn't see DarkVNC again until mid-2021, when I started discovering newer examples of VNC activity. One VNC-based malware sample triggered an alert for ETPRO MALWARE VNCStartServer USR Variant CnC Beacon on 22.214.171.124:443. The associated Twitter thread reveals that sample is possibly a HiddenVNC variant of DarkVNC. Or HiddenVNC is likely another term for samples that others have identified as DarkVNC.
Current example of VNC-based malware traffic
What does VNC-based malware traffic look like? In recent months, I've occasionally found VNC traffic as follow-up activity from IcedID and Qakbot infections. For Qakbot, follow-up VNC activity has been on 126.96.36.199:443 since as early as June 2022. When Qakbot's VNC is active, we see two TCP streams using the same IP and port, both running at the same time.
The first TCP stream appears to be a VNC beacon that sends mostly the same sequence of 13 bytes from the infected host. The infected host then receives mostly the same 13 bytes from the VNC server. This traffic keeps repeating as long as the VNC session is active. See the below image for details.
The second TCP stream for VNC traffic contains much more data, most of it encoded or encrypted, likely related to the screen sharing and keyboard/mouse control used in VNC activity. This traffic is easily identified by the ASCII characters VNC somewhere within the first hundred bytes of the TCP stream. The initial traffic contains a repeating pattern of bytes that provide a distinct visual when viewing the TCP stream. See the image below for details.
Later in the TCP stream, we start seeing data possibly related to the screen sharing and keyboard/mouse control for VNC traffic. See the image below for details.
Of note, VNC activity from Qakbot infections prior to June 2022 has three TCP streams (two beaconing and one data stream) that looked much more like traffic from older samples identified as DarkVNC. Here is a previous diary from March 2022 featuring a Qakbot infection with VNC activity that more closely matches what many think of as DarkVNC or HiddenVNC. This includes strings with the infected hostname and Windows user account name in the two beaconing TCP streams.
However, in recent months, VNC activity from Qakbot infections match patterns we've seen for VNC activity from IcedID infections. Below is an example of IcedID with VNC traffic from May 2021. It looks remarkably similar to VNC from IcedID and Qakbot today.
Previous examples of follow-up VNC activity from other malware
Below is a list of blog posts where pcaps are available with VNC traffic from BazarLoader, IcedID, Qakbot, and Trickbot infections since May 2021. Some of these I didn't realize had VNC traffic at the time. I originally called most of this activity DarkVNC, but that's not exactly correct. According to Netresec, VNC traffic typically seen with IcedID is part of the IcedID BackConnect protocol. Since June 2022, I'm seeing the same sort of VNC traffic from Qakbot infections, so I wonder if Qakbot has adopted parts of the same protocol. I also saw similar VNC traffic from BazarLoader in November 2021.
Click on links in the dates to access my blog pages for the associated pcaps.
- 2021-05-24: TA551 IcedID with VNC over IcedID BackConnect C2 188.8.131.52:8080
- 2021-06-02: TA551 IcedID with VNC over IcedID BackConnect C2 184.108.40.206:8080
- 2021-06-30: TA551 Trickbot with DarkVNC on 220.127.116.11:443
- 2021-11-05: TA551 BazarLoader with VNC on 18.104.22.168:9090
- 2021-12-10: TA551 IcedID with VNC over IcedID BackConnect C2 22.214.171.124:8080
- 2021-12-13: TA551 IcedID with VNC over IcedID BackConnect C2 126.96.36.199:8080
- 2022-01-12: IcedID from email --> link --> XLL file, with VNC over IcedID BackConnect C2 188.8.131.52:8080
- 2022-03-15: obama166 Qakbot with VNC traffic on 184.108.40.206:443
- 2022-04-14: aa Qakbot with VNC traffic on 220.127.116.11:443
- 2022-04-19: aa Qakbot with VNC traffic on 18.104.22.168:443
- 2022-05-23: IcedID with VNC over IcedID BackConnect C2 22.214.171.124:8080
- 2022-06-07: obama186 Qakbot with VNC traffic on 126.96.36.199:443
- 2022-06-21: aa Qakbot with VNC traffic on 188.8.131.52:443
- 2022-06-27: obama194 Qakbot with VNC traffic on 184.108.40.206:443
- 2022-06-28: TA578 IcedID with VNC over IcedID BackConnect C2 220.127.116.11:8080
- 2022-07-06: TA578 IcedID with VNC over IcedID BackConnect C2 18.104.22.168:8080
- 2022-07-21: IcedID with VNC over IcedID BackConnect C2 22.214.171.124:8080
- 2022-07-26: IcedID with VNC over IcedID BackConnect C2 126.96.36.199:8080
- 2022-10-04: IcedID using IcedID BackConnect C2 188.8.131.52:443 without VNC
- 2022-10-31: IcedID with VNC over IcedID BackConnect C2 on 184.108.40.206:8080
Who put the "Dark" in DarkVNC? I don't know. Perhaps it's based on how the malware was advertised by criminals in underground forums, but that's merely a guess on my part.
VNC-based malware traffic patterns have changed since I first saw it, so I'll stop calling it DarkVNC. From now on, I'll refer to the activity as VNC or malicious VNC.
brad [at] malware-traffic-analysis.net