Dark Crystal RAT (DCRat) is a modular remote access Trojan active since 2018, known for stealthy data theft and ongoing feature updates. It ships with a DCRat Studio for developing new modules, is sold under a low-cost pricing model, and is distributed through multiple channels such as phishing and fake downloads; its capabilities range from keylogging to browser data exfiltration and account hijacking. #DCRat #DarkCrystalRAT #DCRatStudio #Vidar #njRAT #QuasarRAT

Keypoints

  • DCRat is a modular RAT in operation since 2018, designed to steal data (keystrokes, clipboard contents, browser data) and support additional modules.
  • A dedicated DCRat Studio allows attackers to develop new modules; the malware has a notably low price compared to other malware-as-a-service offerings.
  • The toolkit includes evasion/obfuscation (Enigma Protector) and polymorphic builder capabilities to hinder detection.

MITRE Techniques

  • [T1056] Input Capture – “DCRat can record the victim’s keystrokes, which can be used to steal passwords and other sensitive information.”
  • [T1115] Clipboard Data – “transmit the contents of the victim’s clipboard to its command-and-control server (C&C).”
  • [T1555.003] Credentials in Web Browsers – “exfiltrate information from browsers, such as session cookies, auto-fill credentials, and credit card details.”
  • [T1105] Ingress Tool Transfer – “DCRat can function as a loader, dropping other types of malware on the infected computer.”
  • [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys/Startup Folder – “copy itself… to the Startup folder… add registry values that point to these shortcuts… start automatically when the computer boots up.”
  • [T1027] Obfuscated/Compressed Files or Information – “payload can be obfuscated with Enigma Protector.”
  • [T1047] Windows Management Instrumentation – “WMI queries to detect a virtualized environment or to gain persistence in the system.”
  • [T1055] Process Injection – “it prefers to create large process trees and then infiltrate a harmless process at some point to detonate later.”
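The persistence pattern quoted under T1547.001 (a copy in the Startup folder, plus Run-key values pointing at shortcuts) is straightforward to triage on a host. The PowerShell script below is an added defensive example, not code from the source article or from the DCRat authors: it lists Startup-folder shortcuts with their resolved targets and flags Run-key values that reference a .lnk file or a Startup folder. The Run-key paths, Startup-folder lookups and the WScript.Shell COM object are standard Windows locations and APIs; the flagging heuristic is this example's own assumption and will not catch every variant.

```powershell
# Added example: triage the autostart locations described under T1547.001.
# Standard Run keys (HKCU and HKLM) and both per-user and all-users Startup folders.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Every shortcut in a Startup folder, with the binary it actually launches.
function Get-StartupShortcuts {
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [pscustomobject]@{
                    Shortcut = $_.FullName
                    Target   = $lnk.TargetPath
                    Args     = $lnk.Arguments
                    Created  = $_.CreationTime
                }
            }
    }
}

# Every Run-key value; Suspicious is set when the command points at a .lnk
# or into a Startup folder (heuristic assumed by this example).
function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -in $metaProps) { continue }   # skip provider metadata
            $cmd = [string]$p.Value
            $hitsStartup = $startupDirs | Where-Object { $_ -and ($cmd -like "*$_*") }
            [pscustomobject]@{
                Key        = $key
                Name       = $p.Name
                Command    = $cmd
                Suspicious = [bool](($cmd -match '\.lnk(\s|"|$)') -or $hitsStartup)
            }
        }
    }
}

Get-StartupShortcuts | Format-Table -AutoSize
Get-RunKeyEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM key and the all-users Startup folder are readable; review any flagged entry against the resolved shortcut target rather than the shortcut name alone.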

Indicators of Compromise

  • No explicit indicators of compromise are provided in the source article.

Read more: https://any.run/malware-trends/dcrat