Lone Russian RAT operator rivals big gangs with £5 ‘passion project’


A lone Russian cybercriminal achieves success similar to that of massive organized cybercrime groups by selling a custom commercial Remote Access Trojan (RAT) for relatively pennies.

The BlackBerry ThreatVector team has been tracking the lone perpetrator since 2018 and has revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) himself. They operate under the well-known aliases boldenis44, crystalcoder and Кодер (“Coder”).

DCRat is mostly sold on Russian underground forums, and researchers note that due to the tool’s drastically low price – £5 for a two-month subscription, a fraction of the price of commercial competitors – it could well be an easy “passion project” for the actor .

“Unlike the well-funded, massive Russian threat groups that develop custom malware to target universities, hospitals, small businesses and more, this RAT appears to be the work of a single actor using a surprisingly effective homemade backdoor opening tool offers on a small budget. said BlackBerry ThreatVector in one blog entry.

Given the price of DCRat, one of the cheapest commercial RATs researchers have ever seen, the tool has proven popular with both professional threat actors and novice “script kiddies“.

Researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the admin tool, which is one of the three key components, connecting a stealer/client executable and a single PHP page that serves as the C2 endpoint.

The RAT’s primary capabilities included surveillance, reconnaissance, information theft, DDoS attacks, and code execution.

“Niche” Development

Coder’s choice of language was the focus of BlackBerry ThreatVector’s report, as its admin tool was written in JPHP – an “obscure” implementation of PHP running on a Java Virtual Machine (VM).

The researchers said the attacker could have used the unpopular language to evade detection or simply had no experience with more modern frameworks.

JPHP is mainly used for building cross-platform desktop games, and its cross-platform nature lends itself well to malware.

Other corners of the cybersecurity industry have noticed a proliferation of threat actors using Google’s cross-platform Go language to engineer ransomware for maximum impact.

Coder also used a Russian “niche” integrated development environment (IDE) to write the RAT. The GitHub page notes that the IDE is still in beta development, but has been used to build a small number of other malware strains over the past several years.

The researchers also noted that the language selection used, coupled with a “bizarrely non-working” infection counter built into the RAT’s user interface, which displays inaccurate data to make it appear more popular, points to an inexperienced actor.

“While the author’s apparent inexperience makes this malicious tool less attractive, some might see it as an opportunity,” the researchers said. “More experienced threat actors might see this inexperience as a selling point, as the author seems to put a lot of time and effort into keeping their customers happy.”

Marketing and Sales

The RAT is officially only hosted on the Lolz[.]Guru Russian Hacking Forum, researchers said, where there is a special section of the site for DCRat, including support topics reserved for registered users only. Questions before the purchase are also dealt with in the forum.

Like many malware strains, distribution is also common on Discord and Telegram channels. The RAT also has its own Telegram channel with more than 2,000 subscribers who keep up to date with new builds and general news related to the tool.

The researchers also discovered two dedicated Telegram bots designed to sell the RAT – one for processing sales and one for technical support.

Coder occasionally offers limited-time discounts for DCRat, but beyond the £5 two-month license, other prices range from £17 for a one-year license and around £32 for lifetime access.

Featured Resources

How to hold more productive meetings

Tips and tricks to get the most out of your meetings

Free download

Enable the future of work with embedded real-time communications

A new dimension of human interaction is finding its way into digital work

Free download

How to do hybrid work right

Overcoming challenges in the transition to hybrid work

look now

HCI 2.0 from HPE: How it can help your business succeed

Why SMBs need to accelerate digital transformation with HCI

Free download


About Author

Comments are closed.