Dirty Deeds Done Dirt Cheap: Russian RAT Offers Backdoor Bargains

In the murky underworld of Russian crimeware, DCRat seems to be a bit of a dark horse. Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget. In fact, this threat actor's commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums.

DCRat (also known as DarkCrystal RAT) is a commercial Russian backdoor that was first released in 2018, before being redesigned and relaunched a year later. Notably, this threat appears to have been developed and maintained by a single person going by the pseudonyms of "boldenis44," "crystalcoder," and Кодер ("Coder").

Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we've ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it's so popular with professional threat actors as well as script kiddies.

This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven. It could be that they're simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or perhaps this is a passion project rather than their main source of income.

Peering Deeper into the Dark Crystal

DCRat's modular architecture and bespoke plugin framework make it a very flexible option, helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.

The DCRat product itself consists of three components:

• A stealer/client executable
• A single PHP page, serving as the command-and-control (C2) endpoint/interface
  
• An administrator tool
  

The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. As with the examples discussed in our previous whitepaper discussing exotic programming languages used by malware writers, JPHP offers some potential benefits for making mischief.

As a programming language, JPHP's target audience is primarily entry-level developers who make cross-platform desktop games. The ease of use, as well as the portability of its code, suits this purpose well. The malware author may have chosen this format because it's not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.

According to the JPHP documentation, this implementation "compiles PHP sources to Java Virtual Machine (JVM) bytecode, which can then execute on the JVM." The JPHP project also provides a dedicated, Russian-language integrated development environment (IDE) called DevelNext. This IDE was used to develop the DCRat administrator tool, as well as some of the early versions of the DCRat client.

Location data available in public GitHub profiles indicates the core contribution team behind JPHP are overwhelmingly based in the Commonwealth of Independent States (CIS), an intergovernmental organization made up of twelve post-Soviet countries. The DCRat author's decision to use JPHP may have stemmed from either an assumed level of trustworthiness, or simply from a belief that obtaining support for issues or enhancements related to the JPHP framework would have been easier to establish due to their shared familiarity with the Russian language.

Examining the DCRat Build

The DCRat client binary - meant for delivering to victim's machines - is written in .NET. Earlier versions were written in JPHP, like the administrator tool. This was likely done to streamline and optimize the client component. JPHP is rather slow, as it runs on the JVM. And the distributed malware is much smaller, since it doesn't have to include all the JPHP libraries.

DCRat is built around a modular architecture that incorporates a plugin framework. Affiliates can generate their own client plugins, which can be downloaded and used by subscribers. (We've included a list of the current plugins in the "Plugins" section, later on in this blog.)

The RAT currently seems to be under active development. The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.

During recent months, we've often seen DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system). Prometheus is a subscription-based malware service that has been used in many high-profile attacks, including campaigns against U.S. government institutions in 2021.

A detailed analysis of the DCRat client was published by Mandiant in May 2020. Just days after this report was released, the malware author shifted distribution of the RAT to a new domain. It's clear that cybercriminals are becoming more aware of publicity from media and the security community, and they're getting used to making swift changes in response to this unwanted exposure.

It's worth noting that there is a second open-source RAT that also goes by the name DcRAT, which can be found in GitHub repository of user "qwqdanchun." This is most likely a completely unrelated project. While it doesn't bear many code similarities to DCRat, it may have been an inspiration for - or inspired by - the threat.

DCRat Offering

The DCRat bundle, its plugins, plugin development framework, and additional tools are currently hosted on crystalfiles[.]ru. These components have been moved there from their previous location at dcrat[.]ru. The crystalfiles website features a simple interface, as seen in Figure 1 below, and it serves only as the download point for the RAT. It has no additional information or resources for potential or existing clients.

Public link

Please use the above public link if you want to share this noodl on another website.