Lone Russian RAT operator rivals large gangs with “passion project”
A lone Russian cyber criminal is achieving similar levels of success as massive organised cyber crime groups by selling a custom commercial remote access Trojan (RAT) for relative pennies.
Tracking the lone actor since 2018, the BlackBerry ThreatVector team has revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) by themselves. They operate under the known aliases boldenis44, crystalcoder, and Кодер (‘Coder’).
DCRat is mainly sold on underground Russian forums, and researchers note that, given the dramatically low price of the tool – £5 for a two-month subscription, a fraction of the price of commercial rivals – it could feasibly be a simple “passion project” for the actor.
“Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this RAT appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” said BlackBerry ThreatVector in a blog post.
Given the price of DCRat, which is one of the cheapest commercial RATs researchers have ever encountered, the tool has proven popular with both professional threat actors as well as inexperienced “script kiddies”.
Researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the administrator tool, which is one of the three key components, joining a stealer/client executable and a single PHP page serving as C2 endpoint.
Among the main capabilities of the RAT are surveillance, reconnaissance, information theft, DDoS attacks, and code execution.
Coder’s choice of language was a focal point of BlackBerry ThreatVector’s report since its administrator tool was written in JPHP – an “obscure” implementation of PHP that runs on a Java virtual machine (VM).
Researchers said the threat actor could have used the unpopular language as a way to evade detection, or they simply didn’t have expertise in more modern frameworks.
JPHP is primarily used to build cross-platform desktop games, and its cross-platform nature lends itself well to malware.
Other corners of the cyber security industry have noted a rise in threat actors using Google’s cross-platform Go language to design ransomware for maximum impact.
Coder also used a “niche” Russian integrated development environment (IDE) to write the RAT. Its GitHub page indicates that the IDE is still in its beta stage of development, but it has been used to build a small number of other malware strains in years gone by.
Researchers also noted that the choice of language, coupled with a “bizarrely non-functional” infection counter built into the RAT’s user interface, which displays inaccurate data to make the tool appear more popular than it is, points to a novice actor.
“While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity,” said the researchers. “More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”
Marketing and distribution
The RAT is officially hosted only on the lolz[.]guru Russian hacking forum, researchers said, where there is a dedicated section of the site for DCRat including support topics reserved only for registered users. Pre-sales queries are also handled on the forum.
Like many malware strains, the distribution is also common on Discord and Telegram channels. The RAT has a dedicated Telegram channel, too, with more than 2,000 subscribers keeping up-to-date on new builds and general news related to the tool.
Researchers also spotted two dedicated Telegram bots designed to handle sales of the RAT – one for processing sales and another to deal with technical support.
Coder occasionally offers limited-time discounts for DCRat but beyond the £5 two-month license, other prices are £17 for a year-long license and around £32 for lifetime access.
© Dennis Publishing