BlackBerry’s security researchers have performed a deep analysis of the DarkCrystal RAT and the dark web activity of its developer.
Active since at least 2019, the malware appears to be the work of a single Russian-speaking developer who is offering it for only $6 for a two-month period, or $40 for a lifetime license, which is only a fraction of the price of similar tools.
“This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven. It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or perhaps this is a passion project rather than their main source of income,” BlackBerry says.
Also referred to as DCRat and mainly sold on Russian underground forums, DarkCrystal RAT has a modular design that makes it suitable for dynamic code execution, data theft, surveillance, reconnaissance, or for launching distributed denial-of-service (DDoS) attacks.
Once executed on a victim machine, the malware harvests extensive system information and sends it to its command and control (C&C) server, including host and user names, location, privileges, installed security tools, motherboard and BIOS data, and Windows version.
DarkCrystal RAT can take screenshots, log keystrokes, and steal various types of data from the system, including clipboard content, browser cookies/passwords/history, credit card data, and accounts for Telegram, Discord, Steam, FileZilla.
There are three components included in the product, namely the stealer/client executable, a C&C interface, and an executable written in JPHP (a PHP implementation running on a Java virtual machine), which functions as an administrator tool.
Written in .NET, the DarkCrystal RAT client – which incorporates a plugin framework where affiliates can create plugins for subscribers to download and use – is constantly updated, the same as the administrator tool and the officially released plugins.
Third-party developers have access to a dedicated IDE called DCRat Studio that can be used to build plugins for the malware, while subscribers are provided with access to a list of supported plugins.
The entire DarkCrystal RAT bundle is being hosted on crystalfiles[.]ru – it was moved here from dcrat[.]ru – a simple site used for download purposes only. Sales and marketing operations are done on a Russian hacking forum, while news and updates are announced via Telegram.
The malware author posts on the hacking forum using the moniker Кодер (Coder), but might have used the username “boldenis44” previously, as some users call them by this name. The same username is used on GitHub, while on Telegram they post as “@boldenis.”
BlackBerry also notes that the malware author claims on their forum profile that they are Russian and working alone.
The researchers were able to find “Boldenis44” accounts on other dark web forums, as well as a “Darkcrystal Rat” (dcrat_1994) profile on Russian social network VKontakte. The crystalfiles[.]ru URL was also mentioned by another VKontakte account, Rodion Balkanov (Родион Балканов), which is no longer available.
“There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible,” BlackBerry notes.
Ionut Arghire is an international correspondent for SecurityWeek. Previous Columns by Ionut Arghire:Tags: