Experts Sound Alarm on DCRat Backdoor Being Sold on Russian Hacking Forums
Written in .NET by an individual codenamed “boldenis44” and “crystalcoder,” DCRat is a full-featured backdoor whose functionalities can be further augmented by third-party plugins developed by affiliates using a dedicated integrated development environment (IDE) called DCRat Studio.
While a previous analysis by Mandiant traced the RAT’s infrastructure to files.dcrat[.]ru, the malware bundle is currently hosted on a different domain, crystalfiles[.]ru, indicating a shift in response to public disclosure.

Besides its modular architecture and bespoke plugin framework, DCRat also includes an administrator component engineered to stealthily trigger a kill switch, which allows the threat actor to remotely render the tool unusable. The admin utility, for its part, lets subscribers sign in to an active command-and-control server, issue commands to infected endpoints, and submit bug reports, among other tasks.

Distribution vectors used to infect hosts with DCRat include Cobalt Strike Beacons and a traffic direction system (TDS) called Prometheus, a subscription-based crimeware-as-a-service (CaaS) offering used to deliver a variety of payloads. The implant, in addition to gathering system metadata, supports surveillance, reconnaissance, information theft, and DDoS attack capabilities.
It can also capture screenshots, record keystrokes, and steal content from the clipboard, Telegram, and web browsers.
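The two hosting domains named in the article (files.dcrat[.]ru and crystalfiles[.]ru) are the kind of indicator a defender would sweep proxy or DNS logs for after reading a report like this. The following is an added example, not code from the article or from any vendor: it refangs the defanged domains exactly as printed above and matches them against log lines on a label boundary, so a subdomain such as a CDN host under files.dcrat.ru is caught while an unrelated look-alike domain is not. The Squid-style log layout and the log lines themselves are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List

# Indicators copied from the article in their defanged form.
DEFANGED_INDICATORS = ["files.dcrat[.]ru", "crystalfiles[.]ru"]


def refang(indicator: str) -> str:
    """Turn a defanged domain such as 'example[.]com' back into 'example.com'."""
    return (
        indicator.replace("[.]", ".")
        .replace("(.)", ".")
        .lower()
        .strip(".")
    )


def domain_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.

    The suffix check is done on a label boundary ('.' + indicator) so that
    'notcrystalfiles.ru' does not match the indicator 'crystalfiles.ru'.
    """
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


@dataclass
class Hit:
    line_no: int
    client: str
    host: str
    indicator: str


# Constructed sample proxy log (Squid-like layout, assumed for the example; not real traffic).
SAMPLE_LOG = """\
1651500000.123 10.0.0.5 TCP_MISS/200 4521 GET http://www.example.com/index.html
1651500001.456 10.0.0.7 TCP_MISS/200 83712 GET http://crystalfiles.ru/downloads/bundle.zip
1651500002.789 10.0.0.9 TCP_MISS/200 310 GET http://notcrystalfiles.ru/
1651500003.012 10.0.0.5 TCP_MISS/200 9000 GET https://cdn.files.dcrat.ru/update.bin
"""

# Fields: timestamp, client IP, status, size, method, URL.
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


def scan_log(text: str, indicators=DEFANGED_INDICATORS) -> List[Hit]:
    """Return one Hit per log line whose request host matches an indicator."""
    refanged = [refang(i) for i in indicators]
    hits: List[Hit] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed layout
        h = HOST_RE.match(m.group("url"))
        if not h:
            continue
        host = h.group("host")
        for ind in refanged:
            if domain_matches(host, ind):
                hits.append(Hit(line_no, m.group("client"), host, ind))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.client} -> {hit.host} (matches {hit.indicator})")
```

Swapping `SAMPLE_LOG` for a real proxy export is the only change needed to run this against production data; the refang step is what keeps the indicators copy-pasteable from a report without accidentally making them clickable links in the source file.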