Cybersecurity researchers have shed light on an actively maintained remote access trojan called DCRat (aka DarkCrystal RAT) that’s offered on sale for “dirt cheap” prices, making it accessible to professional cybercriminal groups and novice actors alike.
“Unlike the well-funded, massive Russian threat groups crafting custom malware […], this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” BlackBerry researchers said in a report shared with The Hacker News.
“In fact, this threat actor’s commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums. “
Written in .NET by an individual codenamed “boldenis44” and “crystalcoder,” DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.
It was first released in 2018, with version 3.0 shipping on May 30, 2020, and version 4.0 launching nearly a year later on March 18, 2021.
Prices for the trojan start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription, figures which are further reduced during special promotions.
While a previous analysis by Mandiant in May 2020 traced the RAT’s infrastructure to files.dcrat[.]ru, the malware bundle is currently hosted on a different domain named crystalfiles[.]ru, indicating a shift in response to public disclosure.
” All DCRat sales and marketing operations are handled through the Russian hacking forum lolz guru. It also deals with some DCRat presales questions,” researchers stated.
Also actively used for communications and sharing information about software and plugin updates is a Telegram channel which has about 2,847 subscribers as of writing.
Messages posted on the channel in recent weeks cover updates to CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder plugins, as well as “cosmetic changes/fixes” to the panel.
“Some Fun features have been moved to the standard plugin,” a translated message shared on April 16 reads. “The weight of the build has slightly decreased. These functions should not be detected. “
DCRat includes a modular architecture and custom plugin framework. An administrator component is also included that can stealthily activate a kill switch. This allows the threat actor remote access to the tool.
The admin utility allows subscribers to log in to an active command and control server to issue commands to infected endspoints and to submit bugs reports.
Distribution vectors employed to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) solution used to deliver a variety of payloads.
The implant, in addition to gathering system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also capture screenshots, record keystrokes, and steal content from clipboard, Telegram, and web browsers.
“Updates and new plugins are made almost daily,” researchers stated. It appears the threat was created and maintained by one individual. “