Low-cost RAT is a surprisingly effective tool for hackers, BlackBerry researchers say

One of the reasons the number of cyberattacks keeps rising is because the cost of hacking tools to threat actors keeps dropping. Software-as-a-service offers are common, but some rogue developers keep the price of their tools low.

One of them, according to BlackBerry researchers, is a cheap Remote Access Trojan (RAT) that has been sold mainly on Russian-language underground forums for more than two years. Called DarkCrystal RAT (or DCRat for short), it’s a “surprisingly effective homemade tool for opening backdoors on a budget,” they said.

“DCRat is one of the cheapest commercial RATs we have ever come across”, the researchers said in a blog posted on Monday. “The price of this backdoor starts at 500 RUB (less than 6 USD) for a two-month subscription, and sometimes drops even more during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.

The blog is an informational document about the Trojan, which includes details and indicators of compromise that threat hunters might find useful.

DCRat appears to have been developed and maintained by a single person under the pseudonyms “boldenis44”, “crystalcoder” and Кодер (“Coder”), the researchers said.

It includes a keylogger and can also steal browser cookies, passwords stored in the browser, form content stored in the browser, credit cards stored (via Windows DPAPI and Chrome SQLite database) , clipboard contents, Discord tokens, etc. There are also plugins available that enable data exfiltration/credential theft, system manipulation, and cryptocurrency mining.

It also includes what BlackBerry calls primitive multithreaded code to perform various forms of denial of service attacks – including HTTP(S) POST, UDP, and TCP – on a specific host and endpoint combination.

DCRat’s modular architecture and bespoke plug-in framework make it a very flexible option, the researchers say, useful for a range of nefarious uses. This includes monitoring, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages. Affiliates can generate their own client plugins, which can be downloaded and used by subscribers.

The DCRat product itself consists of three components:

• a thief/client executable;
• a single PHP page, serving as a command and control (C2) endpoint/interface;
• an administrative tool. The administration tool is a self-contained executable written in the JPHP programming language, an obscure implementation of PHP which runs on a Java virtual machine.

The admin tool and backdoor/client are regularly updated with bugfixes and new features.

Over the past few months, researchers have often seen DCRat clients deployed with the use of Cobalt Strike Tags through the Prometheus TDS (traffic directing system). Prometheus is a subscription-based malware service that has been used in many high-profile attacks, the blog says, including campaigns against US government institutions in 2021.

“The biggest and most visible threat groups might have their names in the spotlight, but it’s not necessarily the cybercriminals keeping security professionals awake at night,” BlackBerry said. “Disbelievers who have too much free time can often cause so much hassle.”