
Experts voice signal about DCRat backdoor sold on Russian hacker forums


Cybersecurity researchers have shed light on an actively maintained remote access Trojan called DCRat (aka DarkCrystal RAT), which is offered for sale at "cheap" prices, making it available to both professional cybercrime groups and novice actors.

“Unlike well-funded, massive Russian threat groups that create custom malware […] this remote access trojan (RAT) seems to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors with a small budget,” BlackBerry researchers said in a report shared with The Hacker News.

“In fact, this threat actor’s commercial RAT is sold for a fraction of the standard price at which such instruments are sold on Russian underground forums.”

Written in .NET by individuals using the code names “boldenis44” and “crystalcoder”, DCRat is a full-featured backdoor whose functionality can be further extended by third-party plugins that affiliates develop with a dedicated integrated development environment (IDE) called DCRat Studio.

It was first released in 2018; version 3.0 shipped on May 30, 2020, and version 4.0 followed almost a year later, on March 18, 2021.

Prices for the Trojan start at 500 rubles ($5) for a two-month license, 2,200 rubles ($21) per year and 4,200 rubles ($40) for a lifetime subscription, figures that are reduced further during special promotions.

While a preliminary analysis by Mandiant in May 2020 traced the RAT’s infrastructure to files.dcrat[.]ru, the malware package is currently hosted on a different domain, crystalfiles[.]ru, indicating a move in response to public disclosure.


“All DCRat’s marketing and sales operations are carried out through the popular Russian hacking forum lolz[.]guru, which also handles some of DCRat’s pre-sales inquiries,” the researchers said.

A Telegram channel, which had about 2,847 subscribers at the time of writing, is also actively used to communicate with customers and share information about software updates and plugins.


Messages published on the channel in recent weeks include updates to the CryptoStealer, TelegramNotifier and WindowsDefenderExcluder plugins, as well as “cosmetic changes / fixes” on the panel.

“Some Fun features have been moved to the standard plugin,” said a translated message released on April 16. “The weight of the assembly has decreased slightly. There should be no detectors that are suitable for these functions.”

In addition to its modular architecture and bespoke plugin framework, DCRat includes an administrator component that is designed to covertly trigger a kill switch, allowing the threat actor to remotely render the tool unusable.

The admin utility, for its part, allows subscribers to log in to the active command-and-control server, issue commands to infected endpoints, and submit bug reports, among other things.

The distribution vectors used to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) offering used to deliver a variety of payloads.

The implant, in addition to collecting system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also take screenshots, record keystrokes, and steal content from the clipboard, Telegram, and web browsers.

“New plug-ins and minor updates are announced almost every day,” the researchers said. “If the threat is developed and maintained by just one person, it seems like it’s a project they’re working full-time on.”
