
Lone Russian RAT operator rivals large gangs with £5 "passion project"

Researchers say the lone actor's success speaks to the growing complexity of the underground malware market

A lone Russian cyber criminal is achieving similar levels of success as massive organised cyber crime groups by selling a custom commercial remote access Trojan (RAT) for relative pennies.

Tracking the lone actor since 2018, the BlackBerry ThreatVector team has revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) by themselves. They operate under the known aliases boldenis44, crystalcoder, and Кодер (‘Coder’).

DCRat is mainly sold on underground Russian forums, and researchers note that, given the dramatically low price of the tool – £5 for a two-month subscription, a fraction of the price of commercial rivals – it could feasibly be a simple “passion project” for the actor.

“Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this RAT appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” said BlackBerry ThreatVector in a blog post.

Given the price of DCRat, which is one of the cheapest commercial RATs researchers have ever encountered, the tool has proven popular with both professional threat actors as well as inexperienced “script kiddies”.

Researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the administrator tool, which is one of the three key components, joining a stealer/client executable and a single PHP page serving as C2 endpoint.

Among the main capabilities of the RAT were surveillance, reconnaissance, information theft, DDoS attacks, and code execution.

“Niche” development

Coder's choice of language was a focal point of BlackBerry ThreatVector’s report since its administrator tool was written in JPHP – an “obscure” implementation of PHP that runs on a Java virtual machine (VM).

Researchers said the threat actor could have used the unpopular language as a way to evade detection, or they simply didn't have expertise in more modern frameworks.

JPHP is primarily used to build cross-platform desktop games, and its cross-platform nature lends itself well to malware.

Other corners of the cyber security industry have noted a rise in threat actors using Google’s cross-platform Go language to design ransomware for maximum impact.


Coder also used a “niche” Russian integrated development environment (IDE) to write the RAT. Its GitHub page indicates that the IDE is still in its beta stage of development, but it has been used to build a small number of other malware strains in years gone by.

Researchers also noted that the choice of language, coupled with a “bizarrely non-functional” infection counter built into the RAT’s user interface (which displays inaccurate data to make the tool appear more popular than it is), points to a novice actor.

“While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity,” said the researchers. “More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.”

Marketing and distribution

The RAT is officially hosted only on the lolz[.]guru Russian hacking forum, researchers said, where there is a dedicated section of the site for DCRat including support topics reserved only for registered users. Pre-sales queries are also handled on the forum.

As with many malware strains, distribution is also common on Discord and Telegram channels. The RAT has a dedicated Telegram channel, too, with more than 2,000 subscribers keeping up to date on new builds and general news related to the tool.

Researchers also spotted two dedicated Telegram bots designed to handle sales of the RAT – one for processing sales and another to deal with technical support.

Coder occasionally offers limited-time discounts for DCRat, but beyond the £5 two-month licence, the other prices are £17 for a year-long licence and around £32 for lifetime access.
