DcRat Malware (DarkCrystal Remote Access Trojan)

DcRat, also known as DarkCrystal, represents a Remote Access Trojan (RAT) that enables remote access and control over an infected device, allowing manipulation of machines in various ways and possessing diverse functionalities.

DcRat, a highly dangerous software, poses a significant threat to device and user safety.

It is better to prevent, than repair and repent!

When we talk about the intrusion of unfamiliar programs into your computer’s work, the proverb “Forewarned is forearmed” describes the situation as accurately as possible. Gridinsoft Anti-Malware is exactly the tool that is always useful to have in your armory: fast, efficient, up-to-date. It is appropriate to use it as an emergency help at the slightest suspicion of infection.

DOWNLOAD NOW

Gridinsoft Anti-Malware 6-day trial available.
EULA | Privacy Policy | 10% Off Coupon

Subscribe to our Telegram channel to be the first to know about news and our exclusive materials on information security.

About DcRat Malware

The DarkCrystal RAT stands as a highly functional malicious program with the ability to manipulate the hardware, software, and data of the compromised computer.

In terms of hardware manipulation, it can record audio through integrated/connected microphones and capture video/stills using webcams.

This malware can effectively manage files and folders by renaming, moving, deleting them, and creating new ones. It can also exfiltrate and infiltrate files, potentially holding sensitive content for ransom. Additionally, DarkCrystal can execute/run files and terminate running processes.

Given its ability to infiltrate and execute files, this RAT can potentially cause chain infections, thereby infecting the system with additional malware. Moreover, the Trojan can capture screenshots, rotate the screen, alter the desktop wallpaper, and hide the taskbar and desktop icons.

It can also reboot/restart and shut down the system, log off the current user, and create new user accounts. DarkCrystal primarily targets specific browsers.

It manipulates these browsers by opening websites and extracting stored data, such as browsing history, browser cookies, saved usernames, and passwords. Another data-stealing capability of DarkCrystal is keylogging, where it records keystrokes.

The Potential Damage Caused by DarkCrystal RAT

Typically, cyber criminals exploit saved log-in credentials and keylogging to target email, social media, social networking, messenger, data storage, e-commerce, online money transfers, and banking accounts.

Hijacked communication and social accounts might serve as a means to spread malware or request loans from contacts and friends, impersonating the real owner.

Accounts associated with financial information are particularly valuable, as criminals can perform fraudulent transactions and online purchases. In summary, DarkCrystal infections can lead to financial losses, severe privacy concerns, and identity theft.

If there is suspicion or knowledge that the system is already infected with the DarkCrystal RAT or other malicious software, immediate action should be taken using Gridinsoft Anti-Malware to eliminate it.

Diving Deeper into DcRat

The flexible nature of DarkCrystal (dcRAT) stems from its modular architecture and customized plugin framework, which allows it to serve various malicious purposes. These include surveillance, reconnaissance, information theft, launching DDoS attacks, and executing dynamic code in different programming languages.

The DarkCrystal RAT consists of three key components:

• A stealer/client executable
• A PHP-based command-and-control (C2) endpoint/interface in the form of a single PHP page
• An administrator tool

The administrator tool is a standalone executable written in JPHP, an obscure implementation of PHP that operates on the Java Virtual Machine (JVM). Choosing JPHP as the programming language provides certain advantages, especially considering its intended audience of entry-level developers focused on cross-platform desktop games. The simplicity and portability of the JPHP code align well with these objectives. It is possible that the malware author opted for JPHP due to its lesser-known status or a lack of proficiency in more mainstream programming languages.

According to JPHP’s documentation, this implementation “compiles PHP sources into Java Virtual Machine (JVM) bytecode, allowing execution on the JVM.” The JPHP project also offers a dedicated integrated development environment (IDE) called DevelNext, primarily used for developing the DCRat administrator tool and earlier versions of the DCRat client.

Public GitHub profiles reveal that the core contributors to JPHP are predominantly located in the Commonwealth of Independent States (CIS), an intergovernmental organization comprising twelve post-Soviet countries. The decision to employ JPHP in DarkCrystal may have been influenced by a perceived level of trustworthiness associated with the language or the assumption that obtaining support for JPHP-related issues or enhancements would be more accessible given the shared familiarity with the Russian language among the development community.

Diving Deeper into DcRat

DcRat initiates its operation by executing an executable file, usually located in the user’s temporary folder:

C:\Users\Admin\AppData\Local\Temp\setup.exe

Upon execution, it creates copies of itself in various locations within the file system to ensure persistence:

C:\Users\Admin\Documents\GuardFox\3WsFBcHhVZi2NR4XfyiVNnrF.exe
C:\Users\Admin\Documents\GuardFox\nQ7K3hGgBV7w3l3GcOPZcQfA.exe

These copies are then executed, creating multiple processes that complicate the process of detection and removal of the malicious software.

Additionally, DcRat employs various techniques to spread and infect other systems:

• It may use phishing emails with malicious attachments to lure victims into executing the payload.
• Exploitation of vulnerabilities in software or the operating system can allow DcRat to spread without user interaction.
• Removable drives and network shares can be used to propagate the malware to other machines within the network.

By leveraging these methods, DcRat ensures its widespread distribution and enhances its chances of infecting multiple systems.

An In-Depth Look at the DcRat Build

The client binary of DCRat, intended for deployment on victim machines, is written in .NET. Earlier versions were developed in JPHP, similar to the administrator tool, but the transition to .NET was likely motivated by the desire for streamlined and optimized client performance. JPHP, running on the JVM, tends to be slower, and utilizing .NET allows for a smaller distributed malware package without the need to include all the JPHP libraries.

DCRat employs a modular architecture that incorporates a plugin framework, enabling affiliates to create and distribute their client plugins for use by subscribers. A list of the current plugins can be found in the “Plugins” section later in this blog.

The RAT continues to be actively developed, with regular updates to the administrator tool, the backdoor/client, and officially released plugins, featuring bug fixes and new features.

Recent observations reveal the deployment of DCRat clients using Cobalt Strike beacons through the Prometheus TDS (traffic direction system) in many instances. Prometheus, a subscription-based malware service, has been involved in numerous high-profile attacks, including campaigns against U.S. government institutions in 2021.

Download links for DCRat components at crystalfiles[.]ru

A comprehensive analysis of the DCRat client was published by Mandiant in May 2020. Shortly after the report’s release, the malware author shifted the distribution of the RAT to a new domain, demonstrating an awareness among cybercriminals of media and security community attention and the ability to swiftly adapt to mitigate unwanted exposure.

It’s important to note that there is a separate open-source RAT also named DcRAT, found in the GitHub repository of user “qwqdanchun.” While it may not share significant code similarities with DCRat, it could have served as an inspiration for or been inspired by the threat, although they are likely unrelated projects.

How to remove the DarkCrystal from my PC?

DarkCrystal malware is extremely hard to erase manually. It puts its data in numerous locations throughout the disk and can restore itself from one of the parts. Additionally, a lot of alterations in the Windows registry, networking configurations, and Group Policies are fairly hard to discover and return to the original. It is better to use a special program – exactly, an anti-malware app. GridinSoft Anti-Malware will fit the most ideal for virus removal objectives.

Why GridinSoft Anti-Malware? It is pretty lightweight and has its databases updated nearly every hour. Moreover, it does not have such bugs and vulnerabilities as Microsoft Defender does. The combination of these aspects makes GridinSoft Anti-Malware ideal for removing malware of any type.

Remove the DarkCrystal with GridinSoft Anti-Malware

• Download and install GridinSoft Anti-Malware. After the installation, you will be offered to perform the Standard Scan. Approve this action.

• Standard scan checks the logical disk where the system files are stored, together with the files of programs you have already installed. The scan lasts up to 6 minutes.

• When the scan is over, you may choose the action for each detected virus. For all files of DarkCrystal, the default option is “Delete”. Press “Apply” to finish the malware removal.

Frequently Asked Questions (FAQ)