{
	"id": "6d368cde-e406-4642-80e8-55939e6cd1e4",
	"created_at": "2026-04-06T01:29:45.871182Z",
	"updated_at": "2026-04-10T03:21:10.467823Z",
	"deleted_at": null,
	"sha1_hash": "30723cf79b1a0fb1136131ad3e0736358d84ab0f",
	"title": "You Dirty RAT! Part 2 – BlackShades NET",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1369637,
	"plain_text": "You Dirty RAT! Part 2 – BlackShades NET\r\nBy Adam Kujawa\r\nPublished: 2012-06-14 · Archived: 2026-04-06 00:20:15 UTC\r\nLast week we talked about the Remote Administration Trojan DarkComet and all the wonderful and scary things it\r\ncan do.  In response to the Twitter post announcing the blog, the author of DarkComet tweeted an answer to my big\r\nbold question:\r\n“Considering that this is a Remote Administration Tool, to be used for good and what not….WHY DOES IT\r\nHAVE DDOS FUNCTIONALITY!?”\r\nHis answer was that he typically uses it for “Performing tests on his personal network to make sure it can protect\r\nagainst those kinds of attacks.” To simplify the answer, it’s like he built a bomb in order to see if his house was\r\nexplosion-proof. He isn’t lying; it is possible to test your own defenses with such a weapon. I will leave it up to\r\nyou, the reader, to decide whether or not that is a good enough reason to include the capability to perform\r\nDistributed Denial of Service attacks in his software.\r\nMoving on, I know that I talked about how dangerous DarkComet was and that while there were a lot of\r\nillegitimate uses for it, it was mostly designed as a network administration tool and therefore could be used for\r\nlegitimate purposes.  This week I am going to tell you about the opposite of DarkComet, a very powerful and very\r\ndangerous RAT Trojan known as BlackShades NET.\r\nIntroduction:\r\nThere are quite a few different types of RAT malware floating around in the wild right now that are used by people\r\nranging from amateur hackers all the way up to cyber-crime organizations.  DarkComet is one of them and\r\nBlackShades NET is another, more dangerous one.\r\nBlackShades is a very powerful RAT which sports all the functionality of DarkComet and then some. 
The methods\r\nby which it infects its victims span a wide range; to name a few:\r\nFake torrent downloads on Peer-to-Peer (P2P) sites\r\nMalicious links spread on social media sites (Facebook, Twitter, etc.)\r\nMalicious links spread in chat rooms\r\nDrive-by attacks\r\nJava exploits\r\nSpreading via hacked social media/chat accounts\r\nPhishing e-mails\r\nThis list applies to most methods of spreading RATs and malware in general.\r\nBackground:\r\nhttps://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/\r\nPage 1 of 10\n\nBlackShades NET is developed (I say IS because new versions are always coming out) by BlackShades the\r\ncompany, whose official “About Us” is:\r\n“BlackShades is mainly an IT surveillance and security-based company, directed at making your PC experiences\r\neasier. Our main goal is to offer affordable software solutions comparable to bigger names out there.”\r\nThey also mention the reasons people should buy and use their products, including:\r\nSpying on spouses or children\r\nBeing suspicious about possibly cheating partners\r\nBeing paranoid about people using your PC in unwanted ways\r\nFinally, to ease the tension about whether or not their software is legal, for the paranoid delusional with a\r\nconscience, they include a legal notice about an Act passed in 2004 allowing people to spy on their own systems:\r\n“… according to the Spy Act passed in October 5th 2004 by US houses, installation of advertising or data\r\ngathering spyware without authorization or the computer owner’s consent is prohibited, but it is still legal to\r\ninstall any program you want to your own computer. Main part of the Spy Act is about adware and spyware\r\nrelated software and website which use to gather user information for advertisement. 
It’s 100% legal for you to\r\ninstall spy software on your own computer.”\r\nThe BlackShades website offers a variety of products which can help to accomplish the goals listed above;\r\nhowever, the only one we are interested in is the BlackShades Remote Controller or BlackShades NET.  While\r\nthere are multiple methods available to obtain free or cracked versions of the RAT, the BlackShades website\r\nincludes a method to buy the up-to-date software from them for only $40!\r\nTerms of Use\r\nIn order to keep their product legal and keep themselves out of any sort of trouble or blame for the actions of the\r\nusers of the product, BlackShades includes a Terms of Use, basically requiring the user to agree not to steal\r\ntheir software and not to use it in the wrong way, for example:\r\n“INTENTIONALLY SPREADING APPLICATIONS FOR MALICIOUS OR DAMAGING PURPOSES IS A CRIME\r\nPUNISHABLE BY FINE OR IMPRISONMENT. BY USING BlackShades NET PRODUCTS FOR MALICIOUS\r\nPURPOSES YOU ARE BREAKING THE TERMS AND CONDITIONS SET IN THIS AGREEMENT AND\r\nTHEREFORE ACCEPT FULL RESPONSIBILITY FOR ANY CONSEQUENCES WHICH MAY RESULT FROM\r\nYOUR ACTIONS.”\r\nThis is just one piece of a very long use agreement; it even makes the user wait a few seconds before they can\r\nclick the “I Agree” button, I suppose to make them read at least some of it.\r\nWhat does it do?\r\nLast week I listed a lot of different kinds of functionality used by DarkComet including spying on the webcam,\r\nuninstalling programs, fun functions, etc.  Well, BlackShades can do nearly all of these things, so I am not going to\r\nrepeat any previously mentioned functionality in any detail.  
Instead, I will discuss a few interesting things that\r\nBlackShades can do that DarkComet cannot…also, when I say interesting I mean frightening.\r\nThe BlackShades web site mentions a lot of the functionality the RAT is capable of, from various system\r\nadministration functions to surveillance functions and computer security.  It doesn’t actually mention ALL of its\r\nfunctionality, as we will discuss, and I think that they might have a hard time explaining on their website the\r\npurpose of some of the following functions.\r\nRansomware\r\nYou might be aware of all the attention Ransom Malware, or Ransomware, has been getting lately.  To refresh\r\nanyone’s memory, Ransomware is used to hijack a system, sometimes by locking the user out entirely, sometimes\r\nby encrypting all the files with a unique key.  A notice like the one above will show up and the user has the choice\r\nto either pay a Ransom fee or lose access to their files and/or system.  Named the ‘File Hijacker’, BlackShades has\r\nthe ability to use its server implant to create a Ransomware situation.\r\nThe configuration interface includes customization of the ransom message, screen colors, timer, encryption key\r\nand the target path of the files to be encrypted as well as which file extensions to encrypt.  How\r\nmany files the ‘Hijacker’ has to encrypt determines how long it will take for the ransom functionality to encrypt\r\nall requested files and show the ransom information screen (above) to the user. If, for example, the attacker\r\ndecides to encrypt all .EXE files in the root C: partition and all the folders included in that partition, then it might\r\ntake a while. In that time the user might experience some system lag and an inability to access certain files or\r\napplications.  
Once the demands of the attacker are met, they repeat the exact same encryption process and it fixes\r\neverything; which makes me believe that the encryption process is probably nothing more than a simple\r\nencryption algorithm (XOR, Bit Shifting, etc.).\r\nTo add to how much BlackShades wants the attacker to really think about how severe a ransom attack is, he/she\r\nmust click the “I’m responsible for whatever this action results in” button and type ‘YES’ into a confirmation\r\npopup.\r\nIf the attacker clicks the “Help” button in the configuration window, it will give an explanation of what the attack\r\ndoes, how to fix it and a little notice at the end stating:\r\nWARNING! You should be extremely careful when dealing with this feature. Use this feature at your own risk.\r\nHowever, one thing to put in mind: This feature was made for educational purposes only.\r\nThis is another example of BlackShades removing all liability for anything done with this tool from themselves and\r\nputting it on the user. Pretty slick if you ask me.\r\nFacebook Controller\r\nHave you ever wondered how hackers are able to control the Facebook posts of victim users? Well, there are a lot\r\nof ways to do that, including stealing saved credentials, keylogging, etc. BlackShades has its own method, where\r\nit allows the attacker to post text on the wall of the victim. The functionality is called ‘Facebook Controller’ and\r\ncan be used as long as the victim user is logged into Facebook.\r\nWhen I say logged in, I of course mean having Facebook up in a window, etc. I also mean that if you don’t\r\nproperly log out of Facebook and just close your browser, your Facebook credentials are still valid and you are\r\nstill logged in. The RAT will secretly post whatever text it wants to your Facebook wall.  
This can be something as\r\nsimple as “Hello!” or it could be a URL or link to a malicious website or executable which could spread the\r\nmalware to your friends and family.\r\nThe above screenshot is a view of the Facebook Controller configuration window.  It allows the attacker to\r\ncustomize what text to use for the wall post, and it also gives the status of whether the attack succeeded or not.\r\nI wanted to do some more testing and see if the Facebook Controller actually worked. I wouldn’t recommend\r\ndoing this at home since I knew that I had full control of the RAT and you might not be able to obtain that same\r\nconfidence. I decided to log into my own Facebook and try this out; notice the text at the bottom of the Facebook\r\nController configuration window (above) and the new status update I apparently posted (below):\r\nUSB Infector / IM Spreader\r\nYou’ve probably heard in the news lately about USBs being infected to spread malware to any systems they are\r\nplugged into, etc. etc.  Well, this particular type of attack has been happening for at least 5 years now, with\r\ndifferent methods being used to accomplish it.  Lucky for us, BlackShades uses an older method of USB infection\r\nthat is easy to get around by just disabling any auto-run feature in your version of Windows.\r\nThe above screenshot shows the configuration window for the USB infection/IM sending function known as\r\n‘Spreader’. The USB infector simply puts a copy of the originating infection’s binary or ‘server’ onto any USB\r\ndrive currently connected to the victim; it then creates an ‘Autorun.inf’ script which is used to execute the file\r\nonce run, both files are hidden.  
If this USB drive were to be plugged into another system, one which did not\r\ndisable the auto-run feature, the auto-run file would run and execute the malware, the result being that the attacker\r\nhas another system to play with:\r\nThe other functionality of the ‘spreader’ is to send an IM to everyone on the contact list of the victim using MSN\r\nor AIM/ICQ.  This message is customizable and could include a link to a malicious site or a download for the RAT\r\ninfection binary.\r\nTorrent Seeder\r\nTorrents are most commonly referenced when talking about pirating software, movies and music and, as\r\nmentioned before, spreading malware via P2P torrent sites! This functionality allows the attacker to download a\r\ntorrent file from somewhere on the web and host it on the victim’s system or ‘seed’ it, allowing other people to\r\ndownload it directly from the user.  This could result in the malware, which is used to trick someone else into\r\ninstalling a BlackShades implant binary, being downloaded from an already infected victim system. There would\r\nbe no trace of the identity of the hacker spreading the malware.\r\nThere are a few requirements for this functionality to work; first of all, the victim must have some kind of P2P file\r\ntransfer software installed. If the victim does not have any installed, the attacker could go through the effort of\r\ndownloading and installing it for them by using the download and execute functionality, as well as the remote\r\ndesktop. Also, only a certain group of P2P clients can be used:\r\nuTorrent\r\nBitTorrent\r\nAzureus/Vuze\r\nLimeWire\r\nThere are multiple uses for this type of functionality, including being able to spread even more malware with fake\r\ntorrent descriptions, or using the victim to host and spread pirated movies and software, etc.  
If tracked down by a law\r\nenforcement agency, they would only find the torrent file being seeded by the victim user and not be able to trace\r\nit back to the attacker, unless of course the attacker was still running the BlackShades implant on the victim\r\nsystem and beaconing back at regular intervals.\r\nBot Marketplace\r\nAs we know, the world of botnets and espionage is also very marketable. That’s why BlackShades included a\r\nmarketplace interface in their RAT controller:\r\nHere the attacker can buy and/or sell bots to other BlackShades users to make their network larger; the interface\r\nincludes information on how to buy and sell and a listing of all current buyers or sellers currently in the network:\r\nYou can also buy Crypters using this interface, which are essentially packers and obfuscation tools to make it\r\nmore difficult for antivirus engines to detect the implant binary:\r\nThis functionality, as well as some others mentioned, takes BlackShades out of the realm of the personal use\r\nsystem administration tool. It elevates it to the same level as cybercrime organizations.\r\nDDOS\r\nI said earlier that I wasn’t going to go into any detail about repeated functionality from DarkComet to\r\nBlackShades, however I wanted to show you the configuration interface for BlackShades RAT. 
It is very clean and\r\nstreamlined and makes it very easy to send multiple types of DDOS attacks:\r\nOther Functions\r\nI didn’t mention every function of BlackShades, just the ones I thought were the most important to mention. I\r\nwanted to give a short list of the ones I left out, and there might even be some duplicates from DarkComet in there\r\ntoo:\r\nWebcam Control\r\nScreenshot/Remote Desktop Control\r\nKeylogger (streamlined and much cleaner than DarkComet)\r\nProxy manager\r\nDownload and Execute Files (or more malware)\r\nVisit a website numerous times\r\nRedirect or Block URLs\r\nUse victim as a reverse relay, meaning that the attacker can set their browser to connect to the internet\r\nthrough the victim system.\r\nControl MSN messenger, including add/remove/msg contacts.\r\nSet an alarm for when a certain window title or keyword is present on the victim system\r\nAbility to set up a web interface for remote use!\r\nAnd much more!\r\nHow does it do it?\r\nIt does it in the same way that DarkComet did it: an encrypted stream of data going between the client and the\r\nserver, often with constant beaconing.  
Safe to say, RATs are not quiet when it comes to network traffic, but when\r\nyour targets are pirated movie downloaders or click-happy social networking users, traffic detection is not really a\r\nhuge concern.\r\nServer Creation\r\nThe server creator for BlackShades comes with fewer options than the server creator for DarkComet did:\r\nBeacon IP/Hostname\r\nPort / Transfer Port\r\nServer ID\r\nFilename\r\nInstall path – where the server will be stored upon installation\r\nApplication Data\r\nTemp Directory\r\nInstall Mode\r\nInstall – copy the file to the designated directory (%AppData%, %Temp%)\r\nMelt – Delete the file after it’s run\r\nProtect Process – Do not allow the process to be killed\r\nDelay – How long after execution to wait before installation\r\nNo Delay\r\n10 Seconds\r\n1 Min\r\n5 Mins\r\nHKCU – What Registry entry to use for installation.\r\nActiveX Key – Generate a unique value for the binary to use during operations and installation\r\nMutex – Generate a unique value for the binary to use during operations and installation; also keeps\r\nmultiple instances of the same server from running at the same time.\r\nAnd the ability to:\r\nInfect USBs\r\nCompress the binary with the UPX packer\r\nChange the Icon\r\nClone file information – For example, the installed binary will match the same properties of a\r\nlegitimate file. The file to clone is chosen by the attacker.\r\nBasically, DarkComet was able to configure various types of “Upon installation” actions as well as the ability to\r\nmake each server binary slightly different from the previous one.  BlackShades will produce nearly the same\r\nbinary every time, as long as the default configurations available with the server builder are used. 
This means that\r\nif the attacker decides to purchase a new and undetected crypter, they could potentially avoid antivirus detection\r\nand still obtain the same results as DarkComet.\r\nHow do you protect yourself?\r\nIf you have Malwarebytes Anti-Malware Pro installed, one of three things can happen to protect you.\r\nThe web site you were sent to with the exploit would have never loaded thanks to the Malwarebytes Web\r\nProtection Module\r\nMalwarebytes Anti-Malware definitions scan for unique features at a deeper level than other AV vendors\r\nand are more likely to detect new variants of the same malware.\r\nMalwarebytes Anti-Malware’s active protection module would have detected the malware being executed\r\non your system and prevented it from going any further based upon its functionality.\r\nOn top of that, RAT infection is usually the product of targeted attacks, though that is not always the case.  They do make\r\na lot of noise and more often than not antivirus/Anti-Malware software will detect and remove any infection.  As a\r\ngeneral precaution, here is a list of standard security practices you can follow to keep yourself safe:\r\nAlways keep up to date definitions of your Anti-Virus/Anti-Malware software\r\nAlways update your operating system\r\nNever click on links in e-mails from people you do not know or trust\r\nAlways keep the most up to date security patches for your browser and extension applications (Adobe\r\nproducts, Java, etc.)\r\nWhile these measures seem simple enough, they are the best protection for your system while not draining your\r\nability to perform standard tasks or your wallet.\r\nAbout the author\r\nOver 14 years of experience fighting malware on the front lines and behind the scenes. 
Frequently anachronistic.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/"
	],
	"report_names": [
		"you-dirty-rat-part-2-blackshades-net"
	],
	"threat_actors": [],
	"ts_created_at": 1775438985,
	"ts_updated_at": 1775791270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/30723cf79b1a0fb1136131ad3e0736358d84ab0f.pdf",
		"text": "https://archive.orkl.eu/30723cf79b1a0fb1136131ad3e0736358d84ab0f.txt",
		"img": "https://archive.orkl.eu/30723cf79b1a0fb1136131ad3e0736358d84ab0f.jpg"
	}
}