DCRat (Dark Crystal) Malware

DCRat (AKA Dark Crystal) is a modular remote access trojan (RAT) operated as a Malware-as-a-Service (MaaS) that was first observed in 2018 and has received continuous updates and new modules from both its lone original developer (known as boldenis44, crystalcoder, and qwqdanchun) and third-party affiliates. Notably, the malware strain has its integrated development environment (IDE) application named DCRat Studio for developing new modules that serve various functions, primarily stealing sensitive information, executing remote commands, and importing additional malware. 

DCRat is promoted and distributed primarily on Russian cybercrime forums, sold for approximately $7 for a two-month subscription, and leveraged by both apex APT and notice-level threat actors. In 2022 DCRat’s developer announced on their GitHub page that the strain would be discontinued, along with a link to its successor and a claim the new source code would remain private and not sold as a MaaS.

DCRat has been used extensively by Russian threat actors to target Ukraine during the Russian-Ukraine war and in long-term campaigns against large enterprise targets in the global energy and financial sectors, critical infrastructure, aerospace, and chemical supply companies. According to Ukraine’s Computer Emergency Response Team (CERT-UA), in 2022, Ukrainian utility and telecommunication companies were infected with DCRat via pirated software and sophisticated phishing campaigns leveraging real stolen email accounts of the Ukrainian government (.gov.ua) and well-spoofed knockoff accounts.

DCRat consists of a .net executable designed to exploit Windows systems, backend command-and-control (C2) infrastructure, and an administration tool for paid subscribers to log on, monitor, and control their infected bots remotely. As a RAT, DCRat does not include built-in methods for gaining initial access to a target system. Therefore, DCRat is deployed via first-stage attacks employing a wide array of tactics, including malspam, phishing, spear-phishing, and pirated (or “cracked”) commercial software such as rouge updaters and anti-virus products to ultimately fetch and execute DCRat’s .net payload on the victim’s computer. Once installed, the DCRat C2 administration allows attackers to upload modules to the infected host, execute commands remotely, and exfiltrate data.

DCRat uses a modular framework that deploys separate executables for each module, most of which are compiled .net binaries programmed in C#. For example, keylogger.exe records the user’s keystrokes and sends them back to the C2 server and admin panel. Other modules can leverage the open-source NAudio .net library to steal audio from the victim’s microphone, detect virtualization environments used to analyze malware and steal Chrome’s session cookies, allowing the attacker to hijack a victim’s Google account. DCRat also allows modules programmed in other languages, such as JavaScript.

DCRat’s payload loads shared libraries at run-time, such as kernel32.dll, to support its core functionality. Sometimes, DCRatl’s payload has been protected with Enigma Protector to obfuscate its content and prevent reverse engineering and analysis.

DCRat’s core functions include the following:

• Monitoring the infected host by logging and exfiltrating keystrokes and screenshots
• Stealing information from browsers, such as session cookies, auto-fill credentials, personal information, and credit card details
• Stealing credentials from popular FTP applications
• Copying and stealing the contents of the user’s clipboard
• Collecting system information such as hostname, usernames, language preference settings, and installed applications
• Exfiltating stolen information

The best way to avoid a DCRat infection is to be cautious when receiving suspicious emails, including not downloading attached files or visiting embedded links. It’s also important to only trusted and verified software sourced from official sources. Also, never install illegal (cracked) software or third-party updates as they are commonly used to distribute malware such as DCRat. Finally, use advanced cybersecurity products and ensure they are up to date. Following these precautions can significantly reduce the risk of a DCRat infection.

Some key tactics for preventing a DCRat attack include: 

• Consider user awareness training to educate personnel about phishing techniques and develop standard operating procedures (SOP) for handling suspicious emails and documents
• Recognize the increased risk that encrypted files present and verify the context of such documents thoroughly before opening them
• Pay special attention to warning notifications in email clients and Office applications that can alert you to suspicious contexts, such as files that have not been scanned for malware or contain VBA macros
• Ensure that only authorized, digitally signed software is installed on all endpoints and regularly scan for and block any unauthorized software from executing
• Install and configure advanced endpoint security products such as BlackBerry Cylance™ on all endpoints to detect indicators of compromise (IOCs) and take defensive action to block Trickbot payloads from executing