Budget-priced RAT is surprisingly effective tool for hackers, say BlackBerry researchers
One of the reasons the number of cyberattacks keeps escalating is the cost of hacking tools for threat actors keeps dropping. Software-as-a-service offerings are common, but some crooked developers keep the price of their tools low.
According to researchers at BlackBerry, one is an inexpensive remote access trojan (RAT) that has been primarily sold on Russian language underground forums for over two years. Called DarkCrystal RAT (or DCRat for short), it’s a “surprisingly effective homemade tool for opening backdoors on a budget,” they said.
“DCRat is one of the cheapest commercial RATs we’ve ever come across,” the researchers said in a blog released on Monday. “The price for this backdoor starts at 500 RUB (less than US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.”
The blog is a backgrounder on the trojan, which includes details and indicators of compromise that threat hunters could find valuable.
DCRat appears to have been developed and maintained by a single person going by the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”), the researchers said.
It includes a keylogger, and can also steal browser cookies, browser stored passwords, browser stored form content , stored credit cards (via Windows DPAPI & Chrome SQLite Database), clipboard contents, Discord tokens and more. There are also plugins available that enable data exfiltration/credential stealing, system manipulation and cryptocurrency mining.
It also includes what BlackBerry calls primitive, multi-threaded code to perform different forms of denial of service attacks – including HTTP(S) POST, UDP and TCP – to a specific host and endpoint combination.
DCRat’s modular architecture and bespoke plugin framework make it a very flexible option, the researchers said, helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages. Affiliates can generate their own client plugins, which can be downloaded and used by subscribers.
The DCRat product itself consists of three components:
- a stealer/client executable;
- a single PHP page, serving as the command-and-control (C2) endpoint/interface;
- an administrator tool. The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine.
The administrator tool and the backdoor/client are regularly updated with bug fixes and new features.
During recent months, the researchers have often seen DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system). Prometheus is a subscription-based malware service that has been used in many high-profile attacks, the blog says, including campaigns against U.S. government institutions in 2021.
“The biggest, flashiest threat groups might get their name in lights, but they aren’t necessarily the cybercriminals that keep security practitioners up at night,” said BlackBerry. “Miscreants with too much time on their hands can often cause just as much hassle.”