“Efficient Technical Analysis of DarkVision RAT”

DarkVision RAT is a modular remote access trojan delivered via a multi-stage chain (a .NET dropper → Donut loader → PureCrypter → DarkVision RAT) that uses AES/3DES encryption, in-memory loading, process injection, and a custom socket-based C2 protocol to provide keylogging, screen/webcam/audio capture, remote access (VNC/hVNC), and extensive persistence/evasion. The campaign observed in July 2024 showed PureCrypter adding Windows Defender exclusions and writing the RAT to %APPDATA% for persistence. #DarkVisionRAT #PureCrypter #Donut #ZscalerThreatLabz

Keypoints

  • Campaign uses a four-stage loader chain: protected .NET first stage, Donut shellcode loader, PureCrypter .NET injector, then DarkVision RAT payload.
  • First stage decrypts shellcode with 3DES (Base64 key/IV), maps it to executable memory (VirtualAlloc/VirtualProtect), and executes via an API callback.
  • PureCrypter embeds an AES-CBC encrypted DarkVision PE inside a protobuf structure, writes it to %APPDATA%\Sighul\Sighul.exe, and adds Windows Defender exclusions via Base64-encoded PowerShell commands.
  • DarkVision dynamically resolves APIs, uses XOR-encoded strings, parses GUID-based command-line args, and establishes persistence via Startup folder, Run autorun keys, or Task Scheduler (ITaskService).
  • Process injection uses NtCreateSection/NtMapViewOfSection to map code into remote processes; plugins are compressed (LZNT1), encrypted with Salsa20, and loaded into memory.
  • C2 uses a custom binary socket protocol (example C2: severdops.ddns[.]net:8120), registers with a Bot ID (GUID + MD5 of “P@55w0rd!”), exchanges ACK packets, and sends two fingerprint structures before issuing commands.
  • RAT supports many opcodes and plugin capabilities (file operations, process listing, keylogging, password/cookie theft, mic/webcam/screen capture, VNC/hVNC remote control, plugin management).

MITRE Techniques

  • [T1053.005] Scheduled Task – DarkVision RAT uses the ITaskService COM interface to create scheduled tasks (‘DarkVision RAT uses ITaskService interface to create scheduled tasks.’)
  • [T1547.001] Registry Run Keys / Startup Folder – RAT adds autorun registry entries and can place shortcuts in the Startup folder for persistence (‘DarkVision RAT uses autorun keys and the startup folder for persistence.’)
  • [T1055] Process Injection – Uses NtCreateSection and NtMapViewOfSection to inject code into remote processes (‘DarkVision RAT uses the NtCreateSection and NtMapViewOfSection APIs to perform process injection.’)
  • [T1140] Deobfuscate/Decode Files or Information – Strings and APIs are stored XOR-encoded and decoded at runtime (‘The strings used in DarkVision RAT are XOR encoded.’)
  • [T1562.001] Disable or Modify Tools – PureCrypter and DarkVision add Windows Defender exclusions via PowerShell (‘DarkVision RAT and PureCrypter have functionalities to add Windows Defender exclusions.’)
  • [T1539] Steal Web Session Cookie – Password stealer plugin extracts browser cookies and credentials (‘Password stealer plugin steals cookies from browsers.’)
  • [T1010] Application Window Discovery – Windows-list plugin enumerates and manages application windows (‘Windows list plugin lists and manages windows in the system.’)
  • [T1057] Process Discovery – Plugins enumerate processes and can terminate or dump them (‘Multiple plugins retrieve the process list.’)
  • [T1082] System Information Discovery – RAT collects system details and sends fingerprint structures to C2 (‘DarkVision RAT collects system information and sends it to the C2 server.’)
  • [T1083] File and Directory Discovery – File Explorer plugin performs file/directory enumeration (‘File Explorer plugin performs file and directory discovery.’)
  • [T1123] Audio Capture – Microphone capture plugin records audio (‘Microphone capture plugin performs audio capture.’)
  • [T1125] Video Capture – Webcam capture plugin records video (‘Webcam capture plugin performs video capture.’)
  • [T1113] Screen Capture – Screen capture plugin captures screenshots (‘Screen capture plugin performs screen capture.’)
  • [T1056.001] Input Capture: Keylogging – Supports live and offline keylogging plugins (‘DarkVision RAT supports live and offline keylogging.’)
  • [T1219] Remote Access Software – Provides remote access via VNC and hVNC plugins (‘DarkVision RAT uses VNC and hVNC for remote access.’)
  • [T1571] Non-Standard Port – C2 communications occur over non-standard ports (example: port 8120) (‘C2 communications are through a non-standard port.’)
  • [T1529] System Shutdown/Reboot – System control plugin can shut down or reboot the infected host (‘System control plugin performs system shutdown/reboot.’)

Indicators of Compromise

  • [SHA256] Host-stage/sample hashes – cd64122c8ee24eaf02e6161d7b74dbe79268f3b7ffb7a8b0691a61ff409f231d, 7aa49795bbe025328e0aa5d76e46341a95255e13123306311671678fdeabb617, and 2 more hashes
  • [URL] First-stage host – nasyiahgamping[.]com/yknoahdrv.exe (hosts the initial dropper)
  • [Domain:Port] C2 server – severdops.ddns[.]net:8120 (embedded C2 address observed in sample)
  • [File Names / Paths] Dropped/persistent file names – yknoahdrv.exe, %APPDATA%\Sighul.exe, %APPDATA%\photos\System.exe (used for persistence and execution)

The attack chain and technical procedure condensed:
The infection begins with a protected .NET dropper that first sleeps by running cmd /c timeout 10, then decodes a Base64-encoded 3DES key and IV, decrypts the embedded shellcode, allocates executable memory (VirtualAlloc/VirtualProtect), and executes the shellcode via an API callback. That shellcode is a Donut x86 loader, which decrypts and loads a .NET assembly into memory; Donut uses the Chaskey block cipher for its module encryption. Analysts extracted the next-stage .NET assembly (PureCrypter), which decompresses and deserializes a protobuf structure; one protobuf field contains an AES-CBC-encrypted DarkVision PE that PureCrypter writes to disk (%APPDATA%\Sighul.exe) and configures to run at startup. PureCrypter also runs a Base64-encoded PowerShell command to add Windows Defender exclusions and injects the decrypted RAT into the current process.

DarkVision RAT initialization decodes XOR-encoded API names (4-byte XOR key 19 72 19 72), reloads libraries to bypass userland hooks, and parses GUID-based command-line arguments that are used as registry and folder names. Persistence options are configurable in the binary and include placing a batch file plus a shortcut in the Startup folder, adding Run autorun keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run or the HKLM equivalent, or creating a scheduled task via the ITaskService COM interface. The RAT ensures it runs from a specific %APPDATA% path (e.g., %APPDATA%\photos\System.exe), creates a plugin parent folder in C:\ProgramData, and stores plugins encrypted on disk or in the registry, keeping the plaintext only in memory.
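Because the API names are XOR-encoded with a short repeating key, they can be recovered statically from the unpacked RAT image without running it. The following is an added example (not the RAT's own code and not from the Zscaler write-up) of the string recovery an analyst would script: it tries every offset of the image as a possible string start, restarts the key at that offset, and accepts only runs of printable ASCII that end in an encoded NUL. It assumes the page's key "19 72 19 72" is hex bytes and that each string is encoded starting from key position 0; the input blob is constructed for the example rather than taken from a sample.

```python
# Assumption: the key printed on the page as "19 72 19 72" is four hex bytes.
XOR_KEY = bytes([0x19, 0x72, 0x19, 0x72])


def xor_bytes(data, key):
    """Apply a repeating-key XOR (encoding and decoding are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xor_strings(blob, key=XOR_KEY, min_len=6):
    """Recover NUL-terminated printable ASCII strings XOR-encoded with a repeating key.

    Every offset is tried as a candidate start, with the key phase reset at that
    offset, so strings at arbitrary positions in the image are found. Returns a list
    of (offset, decoded_string) without overlaps."""
    results = []
    n = len(blob)
    i = 0
    while i < n:
        j = i
        while j < n:
            c = blob[j] ^ key[(j - i) % len(key)]  # key restarts at the candidate start
            if c == 0 or not 0x20 <= c < 0x7F:
                break
            j += 1
        # Accept only a run that is long enough and is closed by an encoded NUL,
        # which rejects filler bytes that happen to decode to a few printable chars.
        terminated = j < n and (blob[j] ^ key[(j - i) % len(key)]) == 0
        if terminated and j - i >= min_len:
            results.append((i, xor_bytes(blob[i:j], key).decode("ascii")))
            i = j + 1  # skip past the terminator
        else:
            i += 1
    return results


def build_sample_blob():
    """Constructed image for the example: two encoded API names between opaque bytes."""
    filler = bytes([0x90, 0xCC, 0x00, 0xFF, 0x13, 0x37, 0x8B, 0xE5])
    return (filler
            + xor_bytes(b"VirtualAlloc\0", XOR_KEY) + filler
            + xor_bytes(b"NtMapViewOfSection\0", XOR_KEY) + filler)


if __name__ == "__main__":
    for offset, name in find_xor_strings(build_sample_blob()):
        print("0x%04x %s" % (offset, name))
```

Feeding the recovered names into an IDA/Ghidra script to rename the resolver's outputs gives a readable import table for a binary that has none; the same scanner works for other small repeating keys once the key is pulled from the decode routine.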

For runtime capabilities and C2, DarkVision uses NtCreateSection/NtMapViewOfSection-based process injection to map and execute functions inside remote processes, and implements a custom binary socket protocol to reach the C2 (the address is either fetched over WinHTTP from a URL or hardcoded, e.g. severdops.ddns[.]net:8120). It registers using a Bot ID (random GUID + MD5 of “P@55w0rd!”), exchanges ACK packets (e.g., {01 00 00 00}), sends two fingerprint structures (FINGERPRINT_INFO1 and FINGERPRINT_INFO2), and then waits for opcodes. Supported opcodes include writing the RAT from the registry to disk (0x2BD/0x2BE), fetching and executing files (0x2BF/0x2C3), deleting artifacts (0x2C0), DLL hijacking for elevation (0x2C2), and a plugin system (0x519–0x51D). Plugins are LZNT1-compressed and Salsa20-encrypted with a hardcoded key and nonce, and provide webcam, screen and audio capture, keylogging, password/cookie theft, VNC/hVNC remote access, file system access, process listing/dumping, and more.

Read more: https://www.zscaler.com/blogs/security-research/technical-analysis-darkvision-rat