DarkCrystal
Type of Malware | Remote Access Trojan |
Country of Origin | Russia |
Date of initial activity | 2018 |
Additional Names | DCRat |
Associated Groups | boldenis44, crystalcoder, and qwqdanchun |
Motivation | Cyberespionage |
Attack vectors | Phishing Emails |
Targeted systems | Windows |
Variants | DCRat (Dark Crystal) Base Version: The original version of the malware that includes basic remote access and data-stealing functionalities. |
 | DCRat Pro: An enhanced version with additional features and capabilities for advanced users, offering more complex remote control and data exfiltration options. |
 | DCRat Reloaded: A variant with updated modules and improved obfuscation techniques designed to evade detection by modern security solutions. |
 | DCRat 2.0: An iteration of the original DCRat, incorporating new modules and functionalities, often with improved capabilities for persistence and command execution. |
 | DCRat Light: A streamlined version of DCRat with a reduced feature set, intended for less complex attacks or as a more accessible option for lower-tier threat actors. |
Tools | DCRat Studio: An integrated development environment (IDE) used for creating and managing DCRat modules. It allows users to develop and customize functionality within the malware. |
 | Keylogger.exe: A module that captures and logs keystrokes typed by the victim, which are then sent to the command-and-control (C2) server. |
 | AudioCapture: Utilizes the NAudio .NET library to record audio from the victim's microphone. |
 | ChromeStealer: Extracts session cookies and other sensitive data from Google Chrome, potentially allowing attackers to hijack user accounts. |
 | Downloader: A component used to fetch and execute additional payloads or malware. |
 | SystemInfo: Collects and sends information about the infected system, such as hostname, installed applications, and system configuration. |
 | FileExfiltrator: A tool for copying and exfiltrating files from the victim's system. |
 | Screenshotter: Captures screenshots of the victim's desktop and sends them to the C2 server. |
 | FileManager: Allows attackers to browse and manipulate files on the infected system. |
Overview
In the ever-evolving world of cybersecurity threats, DCRat, also known as Dark Crystal, stands out as a formidable and adaptable Remote Access Trojan (RAT). First identified in 2018, DCRat operates as a Malware-as-a-Service (MaaS), offering an array of functionalities through a modular architecture. This malware is notable for its ease of distribution and use, primarily targeting Windows systems to steal sensitive information, execute remote commands, and deploy additional malicious payloads. The flexibility and extensibility of DCRat are facilitated by its integrated development environment, DCRat Studio, which allows users to create and customize modules for specific operational needs.
DCRat’s distribution largely hinges on Russian cybercrime forums, where it is marketed for a modest fee, making it accessible to a broad spectrum of threat actors. The malware’s affordability, combined with its extensive feature set, has cemented its use among both sophisticated advanced persistent threat (APT) groups and less experienced cybercriminals. Despite a 2022 announcement by its developer about the discontinuation of DCRat and the transition to a new, private source code, the malware remains prevalent. It has been particularly active in high-profile campaigns, including those targeting Ukrainian entities amidst the ongoing conflict with Russia, as well as various sectors critical to global infrastructure.
Targets
Government Entities: DCRat has been used in attacks against government agencies, particularly in geopolitical conflicts such as the Russia-Ukraine war, where Ukrainian governmental entities were specifically targeted.
Financial Sector: The malware has been employed in campaigns against financial institutions, aiming to steal sensitive financial information and credentials.
Energy Sector: DCRat has targeted organizations within the energy sector, including both traditional energy companies and those involved in critical infrastructure.
Aerospace Industry: Aerospace companies have been targeted to gain access to sensitive information and intellectual property.
Chemical Supply Companies: Companies within the chemical industry have also been victims, reflecting the malware’s interest in industries with valuable or sensitive data.
Telecommunications: Infections have occurred within telecommunications companies, likely aiming to disrupt services or gather sensitive communications data.
Utilities: Utility companies have been targeted, particularly during periods of heightened geopolitical tension, to disrupt services or extract valuable operational data.
Corporate Enterprises: Large enterprises across various industries have been affected, reflecting the malware’s use in broad-based corporate espionage and data theft.
How they operate
At its core, DCRat is a .NET-based executable crafted to exploit vulnerabilities in Windows systems. The malware’s operation begins with its distribution, primarily through phishing emails, pirated software, or cracked applications. Once a victim’s system is compromised, DCRat relies on its command-and-control (C2) infrastructure to communicate with the attacker. This communication is facilitated through backend servers, where the attacker can remotely manage the infected system and deploy additional modules.
One of DCRat’s distinguishing features is its modular framework. The malware’s architecture consists of various modules, each serving specific functions and deployed as separate executables. These modules are predominantly written in C# and include tools such as keyloggers, screenshot capture utilities, and credential stealers. For instance, the keylogger.exe module records keystrokes, sending this data back to the C2 server for further analysis. Other modules utilize the open-source NAudio .NET library to capture audio from the victim’s microphone, or steal session cookies from browsers to facilitate account hijacking.
The payload of DCRat is designed to load shared libraries at runtime, such as kernel32.dll, which supports its core functionalities. To obscure its operations and evade detection, DCRat often employs obfuscation techniques. Enigma Protector is frequently used to protect the payload, making reverse engineering and analysis more challenging for security professionals.
DCRat’s capabilities extend to extensive data collection and manipulation. It can log and exfiltrate keystrokes, capture screenshots, and steal information from web browsers, including session cookies and auto-fill credentials. Additionally, the RAT can gather system information such as hostname, installed applications, and user settings. This extensive data collection not only compromises sensitive information but also allows attackers to monitor and control the victim’s system in real-time.
To avoid detection and maintain persistence, DCRat employs various defense evasion techniques. It uses randomly named files and processes to blend in with legitimate system activities. Moreover, DCRat can execute commands and scripts via the Command and Scripting Interpreter technique, further enhancing its stealth capabilities. The malware also has the ability to detect and evade virtual environments and sandboxes used for malware analysis.
MITRE Tactics and Techniques
Initial Access (TA0001):
Phishing (T1566): DCRat is often distributed via phishing emails.
Exploit Public-Facing Application (T1190): It can be delivered through compromised software or cracked applications.
Execution (TA0002):
Command and Scripting Interpreter (T1059): DCRat can execute commands and scripts on the infected system.
Persistence (TA0003):
Registry Run Keys/Startup Folder (T1547.001): It can use registry entries to ensure it runs on startup.
Privilege Escalation (TA0004):
Abuse Elevation Control Mechanism (T1548): May exploit vulnerabilities or misconfigurations to escalate privileges.
Defense Evasion (TA0005):
Obfuscated Files or Information (T1027): Uses obfuscation techniques to avoid detection.
Virtualization/Sandbox Evasion (T1497): Includes methods to detect and evade analysis environments.
Credential Access (TA0006):
Credential Dumping (T1003): Can collect credentials from various sources.
Input Capture (T1056): Implements keylogging to capture user input.
Discovery (TA0007):
System Information Discovery (T1082): Gathers information about the victim’s system.
Lateral Movement (TA0008):
Internal Spearphishing (T1534): Used to propagate within networks.
Collection (TA0009):
Data from Information Repositories (T1213): Extracts data from files and applications.
Screen Capture (T1113): Takes screenshots of the victim’s desktop.
Exfiltration (TA0010):
Exfiltration Over Command and Control Channel (T1041): Sends collected data to the C2 server.
Impact (TA0040):
Data Manipulation (T1565): Can manipulate or corrupt data on the victim’s system.
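The profile above describes two observable traits of DCRat on a host: persistence through Run keys and Startup folders (T1547.001) and a preference for randomly named .NET executables that blend into user-writable locations. The following read-only hunt script is an added example for this page, not code from the DCRat profile or from any vendor product. It walks the autostart locations, resolves the launched binary, and flags entries that are unsigned, live under %APPDATA%/%LOCALAPPDATA%/%TEMP%/Downloads, carry a CLR header (a managed .NET assembly), or have a random-looking file name. The "random name" heuristic, the set of user-writable roots and the decision to treat any non-Valid Authenticode status as a finding are assumptions; tune them to your estate.

```powershell
# Added hunt script, not part of the DCRat profile or of any vendor tooling.
# Audits the autostart locations the profile maps to T1547.001 (Run/RunOnce keys,
# Startup folders) and flags entries with the traits the profile describes:
# randomly named binaries in user-writable paths, .NET executables, unsigned code.
# The thresholds and heuristics below are assumptions; tune them to your estate.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$StartupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Roots a phishing-delivered payload can write to without elevation (assumed list).
$UserWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
                  "$env:USERPROFILE\Downloads") | Where-Object { $_ }

function Get-ExecutablePath {
    # Extract the binary from a Run-key command line, quoted or not, with or without arguments.
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl -match '^"([^"]+)"') { return $Matches[1] }
    if ($cl -match '^(.+?\.(exe|dll|scr|bat|cmd|vbs|ps1|js))(\s|$)') { return $Matches[1] }
    return ($cl -split '\s+')[0]
}

function Test-RandomLookingName {
    # Heuristic (assumption): a bare alphanumeric stem of 6+ characters that mixes
    # letters and digits, or contains no vowels at all, is unlike a real product name.
    param([string]$Path)
    $stem = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($stem -notmatch '^[A-Za-z0-9]{6,}$') { return $false }
    if ($stem -match '\d' -and $stem -match '[A-Za-z]') { return $true }
    return ($stem -notmatch '[AEIOUaeiou]')
}

function Test-ManagedAssembly {
    # True when the file has a CLR header, i.e. it is a .NET executable like DCRat's modules.
    param([string]$Path)
    try { [void][Reflection.AssemblyName]::GetAssemblyName($Path); return $true }
    catch { return $false }
}

function Test-SuspiciousAutostart {
    # Emit a finding object when an autostart entry shows one or more risk traits.
    param([string]$Source, [string]$Name, [string]$CommandLine)
    $path = Get-ExecutablePath $CommandLine
    $reasons = @()
    if ([string]::IsNullOrWhiteSpace($path) -or -not (Test-Path -LiteralPath $path)) {
        $reasons += 'target missing (dead entry or unparsed command line)'
    } else {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }
        if (Test-ManagedAssembly $path) { $reasons += '.NET assembly' }
    }
    foreach ($root in $UserWritable) {
        if ($path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'user-writable path'; break
        }
    }
    if (Test-RandomLookingName $path) { $reasons += 'random-looking file name' }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Source = $Source; Name = $Name; Path = $path; Reasons = ($reasons -join '; ') }
    }
}

function Get-SuspiciousAutostarts {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            # Skip the provider metadata Get-ItemProperty attaches to every key.
            if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
            Test-SuspiciousAutostart -Source $key -Name $p.Name -CommandLine ([string]$p.Value)
        }
    }
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $StartupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($f in Get-ChildItem -LiteralPath $dir -File) {
            # Resolve .lnk shortcuts so the checks run on the real binary, not the link.
            $target = if ($f.Extension -eq '.lnk') { $shell.CreateShortcut($f.FullName).TargetPath } else { $f.FullName }
            Test-SuspiciousAutostart -Source $dir -Name $f.Name -CommandLine $target
        }
    }
}

Get-SuspiciousAutostarts | Format-Table -AutoSize -Wrap
```

Run it in a normal (non-elevated) PowerShell session on the host under investigation; the HKLM Run keys are world-readable, so no privileges beyond the user's own are needed. It is deliberately noisy: many legitimate utilities are unsigned or live under %LOCALAPPDATA%, so treat the output as a triage list and weight entries that stack several reasons (user-writable path plus unsigned plus random name plus .NET assembly is the combination that matches this profile) over single-reason hits.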
Impact / Significant Attacks
Russian-Ukrainian Conflict Attacks: DCRat was extensively used by Russian threat actors to target Ukrainian entities, including utility and telecommunication companies, during the Russian-Ukrainian war. It was delivered through pirated software and sophisticated phishing campaigns.
Energy and Financial Sector Breaches: DCRat was utilized in long-term campaigns against large enterprises in the global energy and financial sectors, as well as critical infrastructure, aerospace, and chemical supply companies.
COVID-19 Themed Phishing Attacks: The malware was employed in phishing campaigns during the COVID-19 pandemic, exploiting pandemic-related themes to lure victims into downloading malicious payloads.
Targeted Attacks Against Government Entities: DCRat has been used in targeted attacks against government institutions and high-profile organizations, leveraging its capabilities for espionage and data exfiltration.
Exploitation of Vulnerable Applications: It was used in attacks leveraging vulnerabilities in widely-used applications and software, allowing attackers to gain unauthorized access to systems and data.