Severity
High
Analysis Summary
DCRat, a Russian backdoor, was first introduced in 2018 and was rebuilt and relaunched a year later. The backdoor appears to be the work of a single threat actor who operates under the pseudonyms “boldenis44,” “crystalcoder,” and Кодер (“Coder”).
DCRat is one of the cheapest commercial RATs. A two-month subscription starts at 500 RUB (less than 5 GBP / US $6), and the price periodically drops even lower during special offers. It is written in .NET and has a modular structure that lets affiliates build their own plugins with DCRat Studio, a dedicated integrated development environment (IDE).
The malware's modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
The DCRat consists of three parts:
- A stealer/client executable
- The command-and-control (C2) endpoint/interface, which is a single PHP page
- An administrator tool
The malware is still under active development; the author announces news and updates through a dedicated Telegram channel with about 3,000 subscribers.
To protect against the DarkCrystal RAT and similar threats, it is important to regularly update software and security patches, implement multi-factor authentication, be cautious when opening emails and attachments, and regularly back up important data. It is also important to run anti-virus software and to be aware of the signs of a RAT infection, such as unusual system activity or slow performance. If a system is suspected of being infected with the DarkCrystal RAT or any other RAT, it is important to take immediate action to isolate the system and to seek professional assistance in cleaning up the infection.
Impact
- Unauthorized Remote Access
- Keylogging
- Sensitive Information Theft
- Credential Theft
Indicators of Compromise
MD5
49ef5824dbf2e0a27f5bc04c2707bdf2
cb4b15b76f5b25471a3b364f8f9ff136
d80599214a240217bc5d22248ee09795
401494767929044f08c9874dea530521
c83d53d2380f0577a0efebbf919b4fc3
SHA-256
25d11882af4b8bcd0dfd14ef77394fa72ac29a91bfa3f1e2f3141a9cf3bf577e
74793488f23a075f3d4e966eeb3d523c152d6fde434a4712a2a700d3db7b65ac
4ebf3704d53e5b79ff032005c82d2c6d5b8e3565ed1886a21df29baa329b794d
c276ceae0dd93c204adc6b6942dce85c7da2bfc8f5ca885a42e539da1775c95e
339a5103eaa02f066811f3f75fa1ef6434263a682c5f8694bc197af0a02a8c93
SHA1
773e6ed53771033787804645c66252ee9389e462
4ce6874a1442dde6be6e0b10ae2bf3f12a07e517
444e3916969ccecfa9493073aaf08e41459a8c73
6272c583b9ff132ce691012500cab2dd208ba04f
0fc14c8bcecb365277b26c3017f5f1db22a055d3
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions on time. Using multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade any platforms and software on time and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
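The following script is an added example, not part of the advisory or of any vendor tooling, showing one way to carry out the second remediation step (searching your environment for the listed indicators). It embeds the MD5, SHA-1 and SHA-256 values from the Indicators of Compromise section, hashes every regular file under a directory you name on the command line, and reports any file whose digest matches. Exact-hash matching only finds these specific samples; a repacked or rebuilt DCRat client will not match, so treat a clean result as "these five samples are absent", not as "no RAT present".

```python
import hashlib
import sys
from pathlib import Path
from typing import Dict, List

# Hash indicators copied from the advisory's Indicators of Compromise section.
IOC_MD5 = {
    "49ef5824dbf2e0a27f5bc04c2707bdf2",
    "cb4b15b76f5b25471a3b364f8f9ff136",
    "d80599214a240217bc5d22248ee09795",
    "401494767929044f08c9874dea530521",
    "c83d53d2380f0577a0efebbf919b4fc3",
}
IOC_SHA1 = {
    "773e6ed53771033787804645c66252ee9389e462",
    "4ce6874a1442dde6be6e0b10ae2bf3f12a07e517",
    "444e3916969ccecfa9493073aaf08e41459a8c73",
    "6272c583b9ff132ce691012500cab2dd208ba04f",
    "0fc14c8bcecb365277b26c3017f5f1db22a055d3",
}
IOC_SHA256 = {
    "25d11882af4b8bcd0dfd14ef77394fa72ac29a91bfa3f1e2f3141a9cf3bf577e",
    "74793488f23a075f3d4e966eeb3d523c152d6fde434a4712a2a700d3db7b65ac",
    "4ebf3704d53e5b79ff032005c82d2c6d5b8e3565ed1886a21df29baa329b794d",
    "c276ceae0dd93c204adc6b6942dce85c7da2bfc8f5ca885a42e539da1775c95e",
    "339a5103eaa02f066811f3f75fa1ef6434263a682c5f8694bc197af0a02a8c93",
}


def digests(data: bytes) -> Dict[str, str]:
    """Return MD5, SHA-1 and SHA-256 hex digests of an in-memory byte string."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA1": hashlib.sha1(data).hexdigest(),
        "SHA-256": hashlib.sha256(data).hexdigest(),
    }


def match_digests(d: Dict[str, str]) -> List[str]:
    """Return the hash families (in a fixed order) under which the digests hit an IoC.

    Comparison is case-insensitive so digests pasted from other tools still match.
    """
    hits = []
    if d.get("MD5", "").lower() in IOC_MD5:
        hits.append("MD5")
    if d.get("SHA1", "").lower() in IOC_SHA1:
        hits.append("SHA1")
    if d.get("SHA-256", "").lower() in IOC_SHA256:
        hits.append("SHA-256")
    return hits


def scan_bytes(data: bytes) -> List[str]:
    """Convenience wrapper: hash a byte string and match it against the IoC sets."""
    return match_digests(digests(data))


def scan_tree(root: str, chunk: int = 1 << 20) -> Dict[str, List[str]]:
    """Hash every regular file below root (read in chunks, so large files are fine)
    and return {path: [matched hash families]} for files that hit an indicator."""
    results: Dict[str, List[str]] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        h_md5, h_sha1, h_sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
        try:
            with path.open("rb") as fh:
                for block in iter(lambda: fh.read(chunk), b""):
                    h_md5.update(block)
                    h_sha1.update(block)
                    h_sha256.update(block)
        except OSError:
            # Unreadable file (permissions, transient lock): skip it rather than abort the scan.
            continue
        hits = match_digests({
            "MD5": h_md5.hexdigest(),
            "SHA1": h_sha1.hexdigest(),
            "SHA-256": h_sha256.hexdigest(),
        })
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    # Usage: python scan_dcrat_iocs.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    matches = scan_tree(target)
    for file_path, families in matches.items():
        print(f"MATCH {file_path} ({', '.join(families)})")
    print(f"{len(matches)} file(s) matched DCRat indicators under {target}")
```

Run it against download folders, user profile directories and any staging locations your mail gateway quarantines to; a match is grounds for isolating the host per the summary's guidance. For fleet-wide coverage, feed the same three hash sets to your EDR or SIEM instead, which will also catch files that have already been executed and deleted.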