Cybersecurity researchers have disclosed a brand new malware marketing campaign that leverages a malware loader named PureCrypter to ship a commodity distant entry trojan (RAT) known as DarkVision RAT.
The exercise, noticed by Zscaler ThreatLabz in July 2024, includes a multi-stage course of to ship the RAT payload.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” safety researcher Muhammed Irfan V A stated in an evaluation.
“DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures.”
PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that is obtainable on the market on a subscription foundation, providing prospects the flexibility to distribute info stealers, RATs, and ransomware.
The precise preliminary entry vector used to ship PureCrypter and, by extension, DarkVision RAT isn’t precisely clear, though it paves the best way for a .NET executable that is chargeable for decrypting and launching the open-source Donut loader.
The Donut loader subsequently proceeds to launch PureCrypter, which finally unpacks and masses DarkVision, whereas additionally organising persistence and including the file paths and course of names utilized by the RAT to the Microsoft Defender Antivirus exclusions listing.
Persistence is achieved by organising scheduled duties utilizing the ITaskService COM interface, autorun keys, and making a batch script that comprises a command to execute the RAT executable and putting a shortcut to the batch script within the Home windows startup folder.
The RAT, which initially surfaced in 2020, is marketed on a clearnet website for as little as $60 for a one-time cost, providing a beautiful proposition for risk actors and aspiring cyber criminals with little technical know-how who want to mount their very own assaults.
Developed in C++ and meeting (aka ASM) for “optimal performance,” the RAT comes filled with an in depth set of options that permit for course of injection, distant shell, reverse proxy, clipboard manipulation, keylogging, screenshot seize, and cookie and password restoration from internet browsers, amongst others.
It is also designed to collect system info and obtain extra plugins despatched from a C2 server, augmenting its performance additional and granting the operators full management over the contaminated Home windows host.
“DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution,” Zscaler stated.
“This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers.”
