
Hackers Offering DCRat Malware Subscriptions for $5 on Telegram


Researchers from ANY.RUN reported that a wave of DCRat malware is currently circulating in the cybercriminal underground, offering a wide range of harmful functions to potential buyers for the bargain price of $5. The detailed report provided by ANY.RUN delves into the distribution, dynamic, and static analysis of DCRat, also known as Dark Crystal RAT, which serves as both a Remote Access Trojan (RAT) and an information stealer.

DCRat’s adaptable modular architecture allows cybercriminals to customize and mutate the malware in order to evade detection based on signatures, making it a valuable tool for threat actors ranging from amateurs to organized hacking groups. The low cost of DCRat membership has made it accessible to a wide range of potential users in the cybercriminal community.

The ANY.RUN platform offers malware analysts, SOC (Security Operations Center) teams, and DFIR (Digital Forensics and Incident Response) experts the opportunity to investigate DCRat malware files, analyze network activity, examine modules, and scrutinize registry actions using their malware sandbox. This tool provides a cloud-based environment for analyzing both Windows and Linux-based malware samples, allowing cybersecurity professionals to simulate different scenarios and gain insights into malware behavior to enhance their overall cybersecurity strategies.

Additionally, ANY.RUN’s Threat Intelligence Lookup platform aids security researchers in accessing relevant threat data gleaned from sandbox tasks conducted on the ANY.RUN platform. This feature assists analysts in identifying potential threats and mapping malicious actions to Tactics, Techniques, and Procedures (TTPs) swiftly and effectively within an interactive sandbox environment.

The infection flow of DCRat malware has been traced to its distribution via a Telegram group that operates on a subscription model, offering prices ranging from $5 for a two-month membership to $39 for a lifetime subscription. The communication between DCRat sellers and buyers occurs exclusively through the Telegram platform, while crypto payments made to burner wallets are the only accepted form of transaction. To further anonymize transactions, the DCRat group uses the crystalpay[.]io platform.

As of January 18, 2024, the ANY.RUN Malware Trends Tracker ranks DCRat as the 9th most prevalent form of malware, signaling its increasing popularity within the cybercriminal community. The distribution of DCRat through a Telegram bot that provides support and facilitates transactions via the crystalpay[.]io payment platform underscores the operational security (OPSEC) measures taken by the DCRat team to protect their operations.

Furthermore, the DCRat Malware Dynamic Analysis conducted within the ANY.RUN platform reveals that the malware is concealed within a password-protected Self-Extracting Archive (SFX) file to bypass detection. Dynamic analysis also uncovers the malware’s behavior, which includes the execution of a digitally signed executable file disguised as a printer driver and the deployment of multiple executables to ensure persistence on infected systems.
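One triage check that follows from the SFX finding above, written here as an added example rather than code from ANY.RUN or the report: an SFX stub is an ordinary PE with the archive appended after its last section as an overlay, so locating that overlay and reading the archive signature in it is a quick way to flag such droppers before any password is needed. The PE layout the script runs against is constructed inline for testing and is not a real binary.

```python
import struct
from typing import Optional

# Magic bytes of archive formats that SFX stubs carry as an appended overlay.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "rar", b"7z\xbc\xaf\x27\x1c": "7z", b"PK\x03\x04": "zip"}


def overlay_offset(pe: bytes) -> Optional[int]:
    """Return the offset where mapped section data ends (start of any overlay), or None if not a PE."""
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size            # first IMAGE_SECTION_HEADER
    end = table + 40 * num_sections
    for i in range(num_sections):
        # SizeOfRawData and PointerToRawData sit at +16 and +20 in each 40-byte section header
        raw_size, raw_ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def classify_overlay(pe: bytes) -> Optional[dict]:
    """Report overlay size and the archive type found in it; None when the file has no overlay."""
    off = overlay_offset(pe)
    if off is None or off >= len(pe):
        return None
    overlay = pe[off:]
    # 7-Zip SFX stubs may place a small text config before the archive, so search rather than startswith
    hits = [(overlay.find(m), name) for m, name in ARCHIVE_MAGIC.items() if m in overlay]
    kind = min(hits)[1] if hits else "unknown"   # earliest magic wins
    return {"overlay_offset": off, "overlay_size": len(overlay), "archive": kind}


def build_fake_pe(overlay: bytes) -> bytes:
    """Constructed, non-executable PE layout (one section at 0x200) with `overlay` appended; for testing only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # 1 section, no optional header
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    header = (dos + b"PE\0\0" + coff + section).ljust(0x200, b"\0")
    return header + b"\x90" * 0x200 + overlay


if __name__ == "__main__":
    rar_sfx = build_fake_pe(b"Rar!\x1a\x07\x01\x00" + b"\0" * 32)   # constructed RAR5 signature after the stub
    print(classify_overlay(rar_sfx))             # {'overlay_offset': 1024, 'overlay_size': 40, 'archive': 'rar'}
    print(classify_overlay(build_fake_pe(b"")))  # None: a plain PE with nothing appended
```

A real SFX stub will also report a signed-code Authenticode entry in its optional header, which this layout check does not parse; the overlay result is a triage signal to route the sample into the sandbox, not a verdict.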

Static analysis of DCRat provides insights into the malware’s functions, Indicators of Compromise (IOCs), and configuration details. Tools such as Detect It Easy (DIE) and .NET decompilers like dnSpy or ILSpy are used to deobfuscate the executable and understand the operational logic of the malware. Additionally, the analysis recommends using FLARE FLOSS to extract obfuscated strings from binaries, which can reveal hidden configuration and identify what data is being stolen.

Overall, the in-depth analysis of DCRat within the ANY.RUN platform aids cybersecurity professionals in mapping the malware’s tactics, techniques, and procedures (TTPs) to the MITRE ATT&CK framework, enabling quick threat identification and enhancing cybersecurity defense strategies. The interactive cybersecurity service provided by ANY.RUN caters to over 400,000 security experts, empowering them to combat digital threats effectively through the platform’s cloud-based malware sandbox.

Cybersecurity professionals are encouraged to leverage the full analysis available on ANY.RUN to gain a comprehensive understanding of DCRat’s capabilities and bolster their defenses against this pervasive malware threat. ANY.RUN remains committed to providing cutting-edge analysis tools to assist security specialists in combating evolving digital threats and safeguarding critical systems and data.
