Cybersecurity researchers have disclosed an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that is offered for sale at “dirt cheap” prices, making it accessible to professional cybercriminal groups and novice actors alike.
“Unlike the well-funded, massive Russian threat groups crafting custom malware […], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” BlackBerry researchers said in a report shared with The Hacker News.
“In fact, this threat actor’s commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums.”
Written in .NET by an individual codenamed “boldenis44” and “crystalcoder,” DCRat is a full-featured backdoor whose functionality can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.
It was first released in 2018, with version 3.0 shipping on May 30, 2020, and version 4.0 launching nearly a year later on March 18, 2021.
Prices for the trojan start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription, figures that are further reduced during special promotions.
While a previous analysis by Mandiant in May 2020 traced the RAT’s infrastructure to information.dcrat[.]ru, the malware package is currently hosted on a different domain named crystalfiles[.]ru, indicating a shift in response to public disclosure.
“All DCRat marketing and sales operations are done through the popular Russian hacking forum lolz[.]guru, which also handles some of the DCRat pre-sales queries,” the researchers said.
Also actively used for communications and for sharing information about software and plugin updates is a Telegram channel that has about 2,847 subscribers as of writing.
Messages posted on the channel in recent weeks cover updates to the CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder plugins, as well as “cosmetic changes/fixes” to the panel.
“Some Fun features have been moved to the standard plugin,” a translated message shared on April 16 reads. “The weight of the build has slightly decreased. There should be no detects that go specifically to these functions.”
Besides its modular architecture and bespoke plugin framework, DCRat also includes an administrator component that is engineered to covertly trigger a kill switch, which allows the threat actor to remotely render the tool unusable.
The admin tool, for its part, allows subscribers to sign in to an active command-and-control server, issue commands to infected endpoints, and submit bug reports, among other things.
Distribution vectors used to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) solution used to deliver a wide variety of payloads.
The implant, in addition to gathering system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also capture screenshots, record keystrokes, and steal content from the clipboard, Telegram, and web browsers.
“New plugins and minor updates are announced almost every day,” the researchers said. “If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time.”