Lone Russian RAT operator rivals large gangs with “passion project”

Researchers say the lone actor’s success speaks to the growing complexity of the underground malware market


Image: Getty via Dennis
A lone Russian cyber criminal is achieving levels of success comparable to those of large organised cyber crime groups by selling a custom commercial remote access Trojan (RAT) for relative pennies.

Tracking the lone actor since 2018, the BlackBerry ThreatVector team has revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) by themselves. They operate under the known aliases boldenis44, crystalcoder, and Кодер (‘Coder’).

DCRat is mainly sold on underground Russian forums, and researchers note that, given the dramatically low price of the tool – £5 for a two-month subscription, a fraction of the price of commercial rivals – it could feasibly be a simple “passion project” for the actor.


“Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this RAT appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” said BlackBerry ThreatVector in a blog post.

Given the price of DCRat, which is one of the cheapest commercial RATs researchers have ever encountered, the tool has proven popular with both professional threat actors and inexperienced “script kiddies”.

Researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the administrator tool, which is one of the RAT’s three key components alongside a stealer/client executable and a single PHP page serving as the C2 endpoint.

Among the RAT’s main capabilities are surveillance, reconnaissance, information theft, DDoS attacks, and code execution.

“Niche” development

Coder’s choice of language was a focal point of BlackBerry ThreatVector’s report since its administrator tool was written in JPHP – an “obscure” implementation of PHP that runs on a Java virtual machine (VM).

Researchers said the threat actor may have chosen the unpopular language as a way to evade detection, or may simply have lacked expertise in more modern frameworks.

JPHP is primarily used to build cross-platform desktop games, and its cross-platform nature lends itself well to malware.

Other corners of the cyber security industry have noted a rise in threat actors using Google’s cross-platform Go language to design ransomware for maximum impact.

Coder also used a “niche” Russian integrated development environment (IDE) to write the RAT. Its GitHub page indicates that the IDE is still in its beta stage of development, but it has been used to build a small number of other malware strains in years gone by.

Researchers also noted that the choice of language, coupled with a “bizarrely non-functional” infection counter built into the RAT’s user interface, which displays inaccurate data to make the tool appear more popular than it is, points to a novice actor.

“While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity,” said the researchers. “More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”

Marketing and distribution

The RAT is officially hosted only on the lolz[.]guru Russian hacking forum, researchers said, where there is a dedicated section of the site for DCRat including support topics reserved only for registered users. Pre-sales queries are also handled on the forum.

As with many malware strains, it is also distributed via Discord and Telegram channels. The RAT has a dedicated Telegram channel, too, with more than 2,000 subscribers keeping up to date on new builds and general news related to the tool.

Researchers also spotted two dedicated Telegram bots designed to handle sales of the RAT – one for processing sales and another to deal with technical support.

Coder occasionally offers limited-time discounts for DCRat, but beyond the £5 two-month licence, other prices are £17 for a year-long licence and around £32 for lifetime access.

© Dennis Publishing
