Who put the "Dark" in DarkVNC?, (Wed, Nov 2nd)

Introduction

VNC is an acronym for Virtual Network Computing.  It is a legitimate, cross-platform screen sharing system built on the Remote Framebuffer (RFB) protocol that lets one computer control another remotely with full keyboard, mouse and visual control, as if you were physically present at the remote host.  In that respect VNC resembles a Remote Access Tool (RAT), and VNC components are frequently embedded in malware to provide exactly that capability.  The difference is that VNC itself is a standard, openly documented protocol with plenty of legitimate use, not purpose-built malware, so seeing VNC on the wire does not by itself tell you which family you are looking at.
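Because the RFB handshake is what a defender actually sees on the wire, the following is an added example (my own code, not from this diary or any of the samples it discusses) that parses the opening bytes a VNC server sends, as specified in RFC 6143: the 12-byte ProtocolVersion banner followed by the offered security types.  The sample byte strings are constructed for illustration.  This only establishes that a stream is RFB and which authentication it offers; it does not, by itself, identify DarkVNC.

```python
"""Parse the first bytes a VNC (RFB) server sends, per RFC 6143 section 7.1.

Added example with constructed input only; no network access. Assumes the
RFB 3.x layout: a 12-byte banner "RFB xxx.yyy\\n", then either a 4-byte
big-endian security type (version 3.3) or a count byte followed by that
many security-type bytes (versions 3.7 and 3.8). A count of zero means the
server refused the connection and sends a length-prefixed reason string.
"""
import re
import struct

# Security types defined in RFC 6143; anything else is a registered extension.
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication"}

BANNER_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def is_rfb_banner(data: bytes) -> bool:
    """True if the stream opens with a well-formed RFB ProtocolVersion banner."""
    return bool(BANNER_RE.match(data[:12]))


def parse_server_hello(data: bytes) -> dict:
    """Return version, offered security types and any refusal reason.

    Raises ValueError when the bytes are not an RFB handshake.
    """
    if len(data) < 12:
        raise ValueError("need at least 12 bytes for the ProtocolVersion banner")
    m = BANNER_RE.match(data[:12])
    if not m:
        raise ValueError("not an RFB ProtocolVersion banner")
    major, minor = int(m.group(1)), int(m.group(2))
    rest = data[12:]
    result = {"version": (major, minor), "security_types": [], "reason": None}

    if (major, minor) == (3, 3):
        # 3.3: the server picks one type and sends it as a 32-bit integer.
        if len(rest) >= 4:
            (sec_type,) = struct.unpack(">I", rest[:4])
            result["security_types"] = [sec_type]
    elif major == 3 and minor >= 7:
        # 3.7/3.8: u8 count, then that many single-byte security types.
        if rest:
            count = rest[0]
            result["security_types"] = list(rest[1:1 + count])
            if count == 0 and len(rest) >= 5:
                # Refusal: u32 reason length followed by the reason text.
                (rlen,) = struct.unpack(">I", rest[1:5])
                result["reason"] = rest[5:5 + rlen].decode("latin-1", "replace")
    else:
        raise ValueError(f"unsupported RFB version {major}.{minor}")
    return result


def describe(types) -> list:
    """Human-readable names for a list of security-type numbers."""
    return [SECURITY_TYPES.get(t, f"extension({t})") for t in types]


def offers_no_auth(types) -> bool:
    """True if the server will accept a client with no authentication at all."""
    return 1 in types


if __name__ == "__main__":
    # Constructed sample: an RFB 3.8 server offering None and VNC Authentication.
    hello = b"RFB 003.008\n\x02\x01\x02"
    parsed = parse_server_hello(hello)
    print(parsed["version"], describe(parsed["security_types"]))
```

Run it against the first bytes a suspect server returns (the client's own banner goes the other way and is parsed the same way).  Seeing the banner on a port other than the usual 5900 range, or a server that offers the "None" security type, is worth a closer look, but neither fact alone makes the traffic DarkVNC.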

VNC-based malware has been part of our threat landscape for a long time.  In recent years, some VNC-based malware has been referred to as DarkVNC or HiddenVNC.

During the past year or so, I've referred to any VNC activity I've run across as DarkVNC.  But not all VNC traffic is necessarily DarkVNC, so let's figure out who put the "Dark" in DarkVNC.  To answer that question, this diary reviews VNC-based malware samples and activity since 2013.

VirusTotal's first DarkVNC sample

VirusTotal's sandbox C2AE will flag certain samples with tags indicating various malware families.  One such flag is RAT (DarkVNC).  This is a searchable flag for people with a VirusTotal Intelligence subscription.  The first DarkVNC-flagged sample was submitted to VirusTotal on 2013-04-03.  This sample shows a creation date of 2012-12-24.  The SHA256 hash is:

I found my first DarkVNC sample in 2017 as one of the payloads from a Terror Exploit Kit (EK) infection.  That darkvnc