A budget-friendly remote access trojan (RAT) that’s under active development is selling on underground Russian forums for about $7 for a two-month subscription, according to BlackBerry researchers today.
The backdoor Windows malware, dubbed DCRat or DarkCrystal RAT, was released in 2018, then redesigned and relaunched the following year. An individual who goes by the handles boldenis44, crystalcoder, and Кодер (Coder) developed the RAT, we’re told, and works to improve it on a daily basis.
Despite its bargain price, and being the work of a lone developer as opposed to custom malware sold by a well-funded, sophisticated crime-ring, miscreants can perform a range of nefarious acts with DCRat due to its modular architecture and plugin framework. This includes espionage and data theft, distributed denial of service attacks, and dynamic code execution in several different languages, the BlackBerry research team wrote in their analysis.
DCRat is expected to be deployed within a network once a miscreant has broken in, such as by exploiting some vulnerability, or obtaining or guessing a user’s credentials. The tool is used to remotely control compromised systems, and copies can only be used while a paid-for subscription is active. The product consists of three components:
- A client executable written in .NET that can steal data
- A single PHP page that interfaces with the RAT’s backend command-and-control (C2) server
- An administration tool
“The RAT currently seems to be under active development,” according to the BlackBerry research team. “The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.”
The DCRat administrator tool is written in JPHP, which is rare because it produces very large, slow executables, the security researchers noted. It also has a kill switch that, if flipped, renders all instances of the administrator tool unusable.
However, once the subscription validation checks are completed, and assuming the kill switch isn’t flipped, the malware subscriber can use the administrator tool to communicate with the command-and-control server, configure builds of the client executable, and even submit bug reports to the DCRat author. The entire bundle, along with plugins, a plugin development framework, and other tools, is hosted on crystalfiles[.]ru.
Previously, they were located at dcrat[.]ru, until a Mandiant analysis in May 2020 prompted the malware author to move the software nasty to a new domain.
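The article gives the hosting and sales domains in defanged form, which is how a defender would typically receive them. The following script is an added example, not code from the article or from BlackBerry's report: it refangs those three domains and checks them against DNS/proxy log lines. The log lines are constructed for illustration, and the matching is label-anchored so that a lookalike such as notdcrat.ru is not reported as a hit for dcrat.ru. Since the article itself notes the author has already moved domains once, treat the list as a starting point that needs refreshing from current indicators.

```python
"""Added example (not from the BlackBerry report or the article): refang the
defanged domains the article lists and match them against DNS/proxy log lines.
All log lines below are constructed for illustration, not real traffic."""
import re

# Domains exactly as printed in the article, in defanged "[.]" form.
DEFANGED_DOMAINS = ["crystalfiles[.]ru", "dcrat[.]ru", "lolz[.]guru"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into its real form."""
    return (indicator.replace("[.]", ".")
                     .replace("hxxps://", "https://")
                     .replace("hxxp://", "http://"))


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}

# A hostname token: labels of letters/digits/hyphens joined by dots, with at least
# one dot, bounded on both sides by characters that cannot be part of a hostname.
_HOST_RE = re.compile(
    r"(?<![A-Za-z0-9.-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)(?![A-Za-z0-9.-])"
)


def matched_domain(hostname: str, watchlist=DOMAINS):
    """Return the watchlisted domain that `hostname` equals or is a subdomain of,
    else None. The suffix test is anchored on a label boundary ("." + domain), so
    'notdcrat.ru' does not match 'dcrat.ru' while 'files.dcrat.ru' does."""
    host = hostname.lower().rstrip(".")
    for d in watchlist:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines, watchlist=DOMAINS):
    """Return (line_number, hostname, watchlisted_domain) for every hit in `lines`."""
    hits = []
    for n, line in enumerate(lines, 1):
        for host in _HOST_RE.findall(line):
            d = matched_domain(host, watchlist)
            if d:
                hits.append((n, host.lower(), d))
    return hits


# Constructed sample log lines (hypothetical clients and timestamps).
SAMPLE_LOG = [
    "2022-05-09T10:01:02Z dns query client=10.0.0.12 qname=files.crystalfiles.ru type=A",
    "2022-05-09T10:01:05Z dns query client=10.0.0.12 qname=notdcrat.ru type=A",
    "2022-05-09T10:01:09Z proxy client=10.0.0.33 url=http://dcrat.ru/update.php status=200",
    "2022-05-09T10:02:11Z dns query client=10.0.0.40 qname=www.example.com type=A",
]

if __name__ == "__main__":
    for n, host, d in scan_log(SAMPLE_LOG):
        print(f"line {n}: {host} matches watchlisted domain {d}")
```

Run as-is it reports the first and third sample lines and correctly ignores the lookalike on the second. To use it against real data, replace SAMPLE_LOG with lines read from your resolver or proxy logs and extend DEFANGED_DOMAINS from the indicators BlackBerry published.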
The security researchers also noted that in recent months, DCRat clients are being deployed with Cobalt Strike beacons through the Prometheus TDS (traffic direction system).
While the marketing, sales, and some pre-sale queries are done through the Russian cybercrime forum lolz[.]guru, BlackBerry said DCRat may be sold on other forums or on the dark web.
Updates are announced via a Telegram channel, which has about 3,000 subscribers.
And the prices, excluding any promotional discounts the malware author sometimes offers, are:
- 500 RUB (about $7 at time of writing) for a two-month license
- 2200 RUB ($31) for a year
- 4200 RUB ($60) for a lifetime license
Both the product’s low price and the author’s use of JPHP indicate “a novice malware author who hasn’t yet figured out an appropriate pricing structure,” BlackBerry’s analysts stated. However, this doesn’t mean that DCRat should be ignored.
“Generally speaking, you get what you pay for, even in malware. If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported,” it said. “But DCRat seems to break that rule in a way that’s deeply perplexing.”
The software nasty seems to be a full-time job for the lone developer, who puts in “a lot of time and effort to please their customers,” the team wrote.
“This underscores the idea that it’s not just the Contis and REvils of the world that security practitioners have to worry about,” they concluded. “Miscreants with too much time on their hands can often cause just as much hassle.”
The BlackBerry team has shared indicators of compromise and other technical details should you wish to scan your network for this malicious code. ®