Lonely Russian RAT operator competes with big gangs with £5 ‘passion project’

A lone Russian cybercriminal is achieving similar levels of success to massive organized cybercriminal groups by selling a custom commercial remote access Trojan (RAT) for pennies.

Having tracked the lone actor since 2018, the BlackBerry ThreatVector team revealed that this individual appears to have built and maintained the DarkCrystal RAT (DCRat) on his own. He operates under the known aliases boldenis44, crystalcoder and Кодер (“Coder”).

DCRat is mainly sold on underground Russian forums, and the researchers note that, given the tool’s extremely low price – £5 for a two-month subscription, a fraction of the price of commercial rivals – it could simply be a “passion project” for the actor.

“Unlike the massive, well-funded Russian threat groups that create custom malware to attack universities, hospitals, small businesses and more, this RAT appears to be the work of a lone actor, offering a surprisingly homemade tool effective at opening backdoors on a budget,” BlackBerry ThreatVector said in a blog post.

Considering the price of DCRat, which is one of the cheapest commercial RATs ever encountered, the tool has proven popular with professional threat actors as well as inexperienced “script kiddies”.

The researchers also noted that DCRat appears to be under active development. New features and bug fixes are regularly pushed to the admin tool, which is one of three key components, joining a thief/client executable and a single PHP page serving as a C2 endpoint.

The RAT’s core capabilities include surveillance, reconnaissance, information theft, DDoS attacks, and code execution.

“Niche” development

Coder’s choice of language was central to the BlackBerry ThreatVector report since its administration tool was written in JPHP – an “obscure” implementation of PHP that runs on a Java virtual machine (VM).

The researchers said the threat actor could have used the unpopular language as a way to evade detection, or he may simply have lacked expertise in more mainstream development environments.

JPHP is primarily used to create cross-platform desktop games, and its cross-platform nature lends itself well to malware.

Other sectors of the cybersecurity industry have noted an increase in the number of malicious actors using Google’s cross-platform Go language to craft ransomware for maximum impact.

Coder also used a “niche” Russian integrated development environment (IDE) to write the RAT. Its GitHub page says the IDE is still in beta development, but has been used to create a small number of other malware strains over the years.

The researchers also noted that the choice of language, coupled with a “weirdly non-functional” infection counter built into the RAT’s user interface that displays inaccurate figures to make the tool appear more popular, points to a novice actor.

“Although the author’s apparent inexperience may make this malicious tool less appealing, some might view it as an opportunity,” the researchers said. “More experienced threat actors might see this inexperience as a selling point, as the perpetrator seems to put a lot of time and effort into pleasing his clients.”

Marketing and distribution

The RAT is officially hosted only on the lolz[.]guru Russian hacking forum, the researchers said, where a dedicated section of the site is reserved for DCRat, including support topics available to registered users only. Pre-sales queries are also handled on the forum.

As with many malware strains, DCRat is also commonly distributed through Discord and Telegram channels. The RAT has a dedicated Telegram channel with over 2,000 subscribers keeping up to date with new releases and general news related to the tool.

The researchers also spotted two dedicated Telegram bots designed to handle RAT sales – one for sales processing and another for technical support.

Coder occasionally offers limited-time discounts for DCRat, but beyond the £5 two-month license, other prices are £17 for a one-year license and around £32 for lifetime access.
