Dcrat (En)

DCRat, the Swiss Army knife of the cyber underworld, a true testament to the entrepreneurial spirit thriving in the dark corners of the internet. Since its grand debut in 2018, DCRat has been the go-to gadget for every aspiring villain with a penchant for digital mischief. For the low, low price of $7, you too can own a two-month subscription to this marvel of modern malware to dip your toes into the exhilarating world of cybercrime. And for those who are truly committed to the cause, a lifetime
Read more: Boosty

I. INTRODUCTION
DCRat, also known as Dark Crystal Rat, is a commercial backdoor that is predominantly sold on underground forums. It has been around since 2018 and operates as a modular remote access trojan (RAT) offered as a Malware-as-a-Service (MaaS). The malware is designed to provide threat actors unauthorized access to systems by circumventing security measures.
In terms of pricing, DCRat is sold for approximately $7 for a two-month subscription. Its one-month license goes for a mere $5, while a lifetime use license costs $40. Despite its low cost, DCRat is a versatile and dangerous cybersecurity threat.
In 2022, DCRat's developer announced on their GitHub page that it would be discontinued, along with a link to its successor and a claim that the new source code would remain private and not be sold.
II. DCRAT FEATURES
DCRat is a modular remote access trojan (RAT) with a range of features that make it a versatile tool.
The DCRat product itself consists of three components: a stealer/client executable, a single PHP page serving as the C2 endpoint/interface, and an administrator tool. It uses a modular framework that deploys separate executables for each module, most of which are compiled .NET binaries programmed in C#.
DCRat is capable of a range of nefarious uses, including surveillance, reconnaissance, information theft, Distributed Denial of Service (DDoS) attacks, and dynamic code execution in a variety of different languages. It can also steal credentials used to log in to social media accounts, specifically Telegram and Discord. DCRat has been detected targeting Windows systems, with a specific focus on bypassing security safeguards.
As of 2023, DCRat has been updated with several new capabilities and features:
• CryptoStealer Module: This module allows attackers to access users' cryptocurrency wallets
• Dynamic Code Execution: DCRat can execute code in multiple programming languages
• Crypto-Mining: Instances of DCRat deploying crypto-mining software on victim endpoints have been documented
• Delivery Methods: DCRat has been disseminated through enticing adult content-themed baits, infected files, and network propagation
• Evasion Techniques: DCRat has been observed to evade sandbox environments that use fake internet to spoof an internet connection for malware analysis
• Persistence: DCRat has been found to exploit a zero-day vulnerability in the Microsoft Support Diagnostic Tool (MSDT), CVE-2022-30190 (Follina), to maintain persistence on the infected machine
As of 2023, DCRat has the following key features (full list):
• Information Theft
• Surveillance and Control
• Disruptive Attack Capabilities
• Modularity and Customization
• System Interaction
• Administration and Control
• Deployment and Distribution
• Stealth and Evasion
A. Information Theft
• Information Theft: DCRat can steal sensitive data from victimized systems, including capturing screenshots and harvesting clipboard data
• Keylogging: It can log keystrokes to capture sensitive information like passwords
• Stealing Browser Data: DCRat can extract session cookies, auto-fill credentials, personal information, and credit card details from browsers
• Clipboard Data Harvesting: It can copy and steal the contents of the user's clipboard
• Credential Theft: The malware can steal credentials from popular FTP applications and social media accounts, particularly targeting Telegram and Discord
B. Surveillance and Control
• Screenshots: It can take screenshots to monitor user activity
• System Information Collection: DCRat collects system information such as CPU and GPU stats, hostname, usernames, language preferences, and installed applications
C. Disruptive Attack Capabilities
• DDoS Attacks: DCRat can launch Distributed Denial of Service (DDoS) attacks against selected targets
• Dynamic Code Execution: It offers the ability to execute code dynamically in multiple programming languages
D. Modularity and Customization
• Modular Architecture: DCRat uses a modular framework, deploying separate executables for each module, most of which are compiled .NET binaries programmed in C#
• Plugin Framework: It has a plugin development framework that allows for the creation of new modules, enhancing its capabilities
E. System Interaction
• Persistence: DCRat can persist on compromised hosts using techniques such as creating scheduled tasks, Registry Run Keys, and Winlogon Autostart Registry Keys
• Crypto-Mining: There have been instances where DCRat deployed crypto-mining software on victim endpoints
F. Administration and Control
• C2 Administration: The malware includes a command-and-control (C2) administration interface that allows attackers to upload modules, execute commands remotely, and exfiltrate data
• Stealer/Client Executable: It consists of a .NET executable designed to exploit Windows systems
G. Deployment and Distribution
• Malware-as-a-Service (MaaS): DCRat operates as a MaaS, allowing it to be purchased and used by various threat actors
• Low-Cost Licenses: It is sold for approximately $7 for a two-month subscription, with other pricing options available for longer-term use
H. Stealth and Evasion
• Concealment: DCRat employs techniques to stay undetectable, such as hiding its presence and disguising its network traffic
• Anti-Detection Features: Plugins are available that can resist running in a virtual machine, disable Windows Defender, and disable webcam lights on certain models
• Persistence Mechanisms: It can use techniques like creating scheduled tasks and Registry Run Keys (incl. Winlogon Autostart) to maintain its hold on the system
III. DCRAT DEPLOYMENT
DCRat operates as a Malware-as-a-Service (MaaS). DCRat is deployed via first-stage attacks employing a wide array of tactics, including malspam, phishing, spear-phishing, and pirated (or "cracked") commercial software such as rogue updaters and anti-virus products.
Once installed, the DCRat C2 administration allows attackers to upload modules to the infected host, execute commands remotely, and exfiltrate data. DCRat uses a modular framework that deploys separate executables for each module, most of which are compiled .NET binaries programmed in C#. The malware is capable of stealing information from browsers, such as session cookies, auto-fill credentials, personal information, and credit card details. It can also monitor the infected host by logging and exfiltrating keystrokes and screenshots.
DCRat establishes a connection between the victim's device and the attacker's device through a command-and-control (C2) server. Once the malware is installed on the victim's device, it connects back to the C2 server controlled by the attacker. This server can send commands to the compromised device, allowing the attacker to access and modify data, steal sensitive information, and ensure persistence by reconnecting to the C2 server even after reboots or attempts to remove the malware.
The most common lures used to distribute DCRat include:
• Adult Content-Themed Lures and Fake OnlyFans: DCRat has been distributed using explicit lures related to OnlyFans pages and other adult content. Victims are tricked into downloading malicious files, often ZIP archives, which contain the malware
• Phishing and Malspam: DCRat is also spread through phishing emails and malspam campaigns, where victims receive emails with malicious attachments or links that, when opened, install the malware
• Network Propagation: The malware can spread through network propagation, exploiting vulnerabilities or using other methods to move laterally within a network and infect multiple devices
IV. DCRAT EVASION TECHNIQUES
DCRat employs several techniques to evade detection:
• Process Infiltration: DCRat rarely produces malicious activity in its current process. Instead, it prefers to create large process trees and infiltrate a harmless process at some point
• Persistence Algorithm: DCRat can execute a persistence algorithm to retain control over the system. For instance, it can copy itself to a random running process and to the root directory. It can also create shortcuts to these copies in the user's Startup folder and add registry values that point to these shortcuts
• Delayed Execution: DCRat can delay execution for a period of time after the infection, which can help it evade immediate detection
• Obfuscation: DCRat's payload has been protected with Enigma Protector to prevent analysis
• Use of SSL/TLS Certificates: DCRat, like many other malware families, uses self-signed SSL/TLS certificates, which can help it blend in with normal encrypted traffic and evade detection
V. DCRAT EFFECTIVENESS
DCRat is known for its cost-effectiveness, versatility, and continuous updates, which make it a significant cybersecurity threat. DCRat allows threat actors to take control over an infected machine and steal sensitive information such as clipboard contents and personal credentials from apps. DCRat is developed and maintained by a single user who actively markets their product on several underground forums as well as a Telegram channel. This is unlike most other RATs, which are typically the work of sophisticated and well-resourced cybercriminal groups.
DCRat differs from other RATs in several ways. It can also function as a loader, dropping other types of malware on the infected computer. DCRat uses three distinct techniques for persistence on the compromised host: creating a scheduled task, creating a Registry Run Key, and creating a Winlogon Autostart Registry Key. It also uses the W32tm "stripchart" command as a delay tactic for its execution and beaconing, which is not commonly used by other RATs.
In terms of effectiveness, DCRat is surprisingly effective despite its low cost. The malware is under active development, with new capabilities being added regularly. It is also capable of evading detection by security software, making it a potent cybersecurity threat.
The most common features of other remote access trojans include the ability to establish complete or partial control over infected computers, the capability to spawn a child process, and the use of the Task Scheduler to ensure persistence within the compromised system. They can also exfiltrate sensitive information, establishing connections with command and control (C2) servers. Some RATs, like njRAT, operate on the .NET framework and enable hackers to remotely control a victim's PC, giving them access to the webcam, keystrokes, and passwords stored in web browsers and desktop apps.
VI. DCRAT DETECTION
A. Common IoC features
The most common indicators of compromise (IoCs) for DCRat attacks relate to the following features:
• Monitoring the infected host by logging and exfiltrating keystrokes and screenshots
• Stealing information from browsers, such as session cookies, auto-fill credentials, personal information, and credit card details, as well as from popular FTP applications
• The ability to record the victim's keystrokes, which can be used to steal passwords and other sensitive information
• The ability to collect information about the system (CPU and GPU stats, etc.)
B. Network IoC features
The most common indicators of compromise (IoCs) for DCRat attacks relate to the following network features:
• Network Traffic: DCRat communicates with its Command & Control (C2) server to exfiltrate data and receive commands. This communication can be detected as unusual network traffic
• Data Collection: DCRat collects sensitive information from compromised hosts, such as server type, username, and GPU info, which can be detected by monitoring for unusual data access or movement
• Persistence Mechanisms: DCRat uses several techniques for persistence, including creating a scheduled task, creating a Registry Run Key, and creating a Winlogon Autostart Registry Key. These entries can be detected by monitoring for changes in the system's scheduled tasks, registry, and startup processes
• DDoS Attacks: DCRat can orchestrate Distributed Denial of Service (DDoS) attacks against targeted websites. This can be detected by monitoring for unusual network traffic patterns or an increase in requests to a specific website
• Dynamic Code Execution: DCRat has the ability to execute code in multiple programming languages. This can be detected by monitoring for unusual code execution or process behavior
• Information Theft: DCRat can facilitate the theft of sensitive data from victim devices, including capturing screenshots and harvesting credentials. This can be detected by monitoring for unusual data access
• Crypto-Mining: Instances of DCRat deploying crypto-mining software on victim endpoints have been documented. This can be detected by monitoring for unusual CPU usage or network traffic
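As an added example (not part of the original document or any vendor's product), the following Python turns the persistence and delay behaviours attributed to DCRat above (Registry Run Keys, Winlogon Autostart values, scheduled task creation, and the W32tm "stripchart" delay) into detection rules run over constructed Sysmon-style events; the event field names, sample paths and severities are assumptions.

```python
import re

# Constructed Sysmon-style events (EventID 13 = registry value set,
# EventID 1 = process create). Field names and paths are assumptions.
SAMPLE_EVENTS = [
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "details": r"C:\Users\u\AppData\Roaming\svchost.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\u\AppData\Roaming\svchost.exe"},
    {"id": 13, "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},  # stock value, must not alert
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /sc minute /mo 1 /tn Updater /tr C:\Users\u\AppData\Roaming\svchost.exe"},
    {"id": 1, "image": r"C:\Windows\System32\w32tm.exe",
     "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:10"},
    {"id": 1, "image": r"C:\Windows\System32\w32tm.exe", "cmdline": "w32tm /query /status"},  # benign
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I)
WINLOGON = re.compile(r"\\CurrentVersion\\Winlogon\\(Userinit|Shell)$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
# Stock Winlogon values; anything appended to them is an extra autostart entry.
WINLOGON_DEFAULTS = {"userinit": r"c:\windows\system32\userinit.exe", "shell": "explorer.exe"}

def detect(events):
    """Return (rule, severity, evidence) tuples for events that match the
    DCRat persistence and delay behaviours described in the text."""
    alerts = []
    for ev in events:
        if ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            # A Run value pointing into a user-writable directory is the stronger signal.
            sev = "high" if USER_WRITABLE.search(ev["details"]) else "low"
            alerts.append(("run_key_autostart", sev, ev["target"]))
        elif ev["id"] == 13 and (m := WINLOGON.search(ev["target"])):
            default = WINLOGON_DEFAULTS[m.group(1).lower()]
            extras = [p for p in ev["details"].lower().split(",") if p.strip() and p.strip() != default]
            if extras:
                alerts.append(("winlogon_autostart", "high", ev["details"]))
        elif ev["id"] == 1:
            image, cmd = ev["image"].lower(), ev["cmdline"].lower()
            if image.endswith("\\schtasks.exe") and "/create" in cmd:
                sev = "high" if USER_WRITABLE.search(cmd) else "medium"
                alerts.append(("scheduled_task_created", sev, ev["cmdline"]))
            elif image.endswith("\\w32tm.exe") and "/stripchart" in cmd:
                # The text singles out w32tm stripchart as DCRat's delay tactic.
                alerts.append(("w32tm_stripchart_delay", "medium", ev["cmdline"]))
    return alerts

if __name__ == "__main__":
    for rule, sev, evidence in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {rule}: {evidence}")
```

Scheduled task creation and Run-key writes are routine in administrative contexts, so the severities are meant for triage against the user-writable-path and Winlogon signals rather than as stand-alone verdicts.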