Experts Sound the Alarm on DCRat Backdoor Sold on Russian Hacking Forums

Cybersecurity researchers have shed light on an actively maintained remote access Trojan called DCRat (aka DarkCrystal RAT) that is offered for sale at “very cheap” prices, making it accessible to professional cybercriminal groups and novice actors alike.

“Unlike the massive, well-funded Russian threat groups that create custom malware […] this Remote Access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” BlackBerry researchers said in a report shared with The Hacker News.

“In fact, this threat actor’s commercial RAT sells for a fraction of the standard price these tools command on Russian underground forums.”

Written in .NET by an individual using the aliases “boldenis44” and “crystalcoder”, DCRat is a full-featured backdoor whose functionality can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.

It was first released in 2018, with version 3.0 shipping on May 30, 2020, and version 4.0 launching almost a year later on March 18, 2021.


Prices for the Trojan start at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription, figures that are further reduced during special promotions.

While a previous Mandiant analysis in May 2020 traced the RAT infrastructure to files.dcrat[.]ru, the malware package is currently hosted on a different domain named crystalfiles[.]ru, indicating a change made in response to the public disclosure.


“All DCRat marketing and sales are done through the popular Russian hacking forum lolz[.]guru, which also handles some of the DCRat pre-sale queries,” the researchers said.

A Telegram channel, which had about 2,847 subscribers at the time of writing, is also actively used for communications and for sharing information about software and plugin updates.


Posts on the channel over the past few weeks cover updates to the CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder plugins, as well as “cosmetic changes/fixes” to the panel.

“Some fun features have been moved to the standard plugin,” reads a translated post shared on April 16. “The weight of the build has decreased slightly. There should be no detection specific to these functions.”


Along with its modular architecture and bespoke plugin framework, DCRat also includes an administrator component designed to stealthily trigger a kill switch, allowing the threat actor to render the tool inoperable remotely.

The administration utility, on the other hand, allows subscribers to connect to an active command and control server, send commands to infected endpoints, and submit bug reports, among other things.

Distribution vectors used to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) offering used to deliver a variety of payloads.

The implant, in addition to collecting system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities. It can also capture screenshots, record keystrokes, and steal content from clipboards, Telegram, and web browsers.

“New plugins and minor updates are announced almost daily,” the researchers said. “If the threat is being developed and maintained by one person, it looks like it’s a project they’re working on full time.”

Harry L. Blanchard