Cybersecurity researchers have uncovered a new malware campaign that uses a malware downloader called PureCrypter to deliver a remote access trojan (RAT) called DarkVision RAT.
The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-step process to deliver the RAT payload.
“DarkVision RAT communicates with its command and control server (C2) using a custom network protocol over sockets,” security researcher Muhammad Irfan V A said in the analysis.
“DarkVision RAT supports a wide range of commands and plugins that provide additional capabilities such as keyboard, remote access, password theft, audio recording, and screen capture.”
PureCrypter, first publicly disclosed in 2022, is a ready-made, subscription-based malware downloader that offers customers the ability to distribute information stealers, RATs, and ransomware.
The exact initial access vector used to deliver PureCrypter, and by extension DarkVision RAT, is not entirely clear, although it paves the way for a .NET executable responsible for decrypting and executing the open-source Donut loader.
The Donut loader then runs PureCrypter, which eventually unpacks and loads DarkVision RAT, while also weakening the host's defenses by adding the file paths and process names used by the RAT to the Microsoft Defender Antivirus exclusion list.
Persistence is achieved by creating scheduled tasks through the ITaskService COM interface, setting autorun registry keys, and writing a batch script that launches the RAT executable, with a shortcut to that batch script placed in the Windows startup folder.
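The persistence and defense-evasion steps just described give a defender four concrete places to inspect. The following read-only PowerShell audit, added here as an example rather than code from the Zscaler analysis, lists Defender path and process exclusions, Run/RunOnce autoruns, recently registered scheduled tasks, and startup-folder shortcuts pointing at batch scripts; the 7-day task window and the `.bat`/`.cmd` target match are assumptions of this example, not indicators from the article.

```powershell
# Added example (not code from the Zscaler analysis): read-only audit of the
# persistence and defense-evasion locations the article describes.
# Run in an elevated PowerShell 5.1+ session on the host being inspected.
$findings = @()

# 1. Defender exclusions: malware adds its own file paths and process names here.
$pref = Get-MpPreference
foreach ($p in $pref.ExclusionPath)    { $findings += [PSCustomObject]@{ Check='Defender path exclusion';    Item=$p; Detail='' } }
foreach ($p in $pref.ExclusionProcess) { $findings += [PSCustomObject]@{ Check='Defender process exclusion'; Item=$p; Detail='' } }

# 2. Autorun registry keys (Run / RunOnce for the machine and the current user).
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { $findings += [PSCustomObject]@{ Check='Autorun'; Item="$key\$($_.Name)"; Detail=$_.Value } }
}

# 3. Scheduled tasks registered in the last 7 days (assumed window). Tasks created
#    through the ITaskService COM interface appear here like any other task.
$cutoff = (Get-Date).AddDays(-7)
foreach ($task in Get-ScheduledTask) {
    if (-not $task.Date) { continue }                      # no registration date recorded
    if ([datetime]$task.Date -lt $cutoff) { continue }
    $action = $task.Actions | Select-Object -First 1
    $findings += [PSCustomObject]@{ Check='Recent scheduled task'; Item="$($task.TaskPath)$($task.TaskName)"; Detail="$($action.Execute) $($action.Arguments)" }
}

# 4. Startup-folder shortcuts (.lnk) whose target is a batch script (assumed heuristic).
$shell = New-Object -ComObject WScript.Shell
$startupDirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
foreach ($lnkFile in Get-ChildItem -Path $startupDirs -Filter '*.lnk' -ErrorAction SilentlyContinue) {
    $lnk = $shell.CreateShortcut($lnkFile.FullName)
    if ($lnk.TargetPath -match '\.(bat|cmd)$') {
        $findings += [PSCustomObject]@{ Check='Startup batch shortcut'; Item=$lnkFile.FullName; Detail="$($lnk.TargetPath) $($lnk.Arguments)" }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

Every item listed is a candidate for review, not a verdict; legitimate software also uses these locations, so compare each entry against known-good baselines before acting on it.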
DarkVision RAT, which first surfaced in 2020, is advertised on a clearnet website for a one-time payment of just $60, an attractive proposition for threat actors and novice cybercriminals with little technical knowledge who want to launch their own attacks.
Developed in C++ and assembly (aka ASM) for “optimal performance”, DarkVision RAT comes with a wide range of features that allow for process injection, remote shell, reverse proxy, clipboard manipulation, keylogging, screenshot capture, as well as cookie and password recovery from web browsers, among other things.
It is also designed to gather system information and retrieve additional plugins sent from the C2 server, further expanding its functionality and giving operators full control over an infected Windows host.
“DarkVision RAT is a powerful and versatile cybercriminal tool that offers a wide range of malicious capabilities, from keylogging and screen capture to password theft and remote execution,” said Zscaler.
“This versatility, combined with its low cost and availability on hacker forums and their websites, has made the DarkVision RAT increasingly popular among attackers.”