How DCRat (AKA Dark Crystal) Works

Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.

In the murky underworld of Russian crimeware, DCRat seems to be a bit of a dark horse. Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget. In fact, this threat actor’s commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums.

DCRat (also known as DarkCrystal RAT) is a commercial Russian backdoor that was first released in 2018, before being redesigned and relaunched a year later. Notably, this threat appears to have been developed and maintained by a single person going by the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”).

Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.

This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven. It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or perhaps this is a passion project rather than their main source of income. 

Peering Deeper into the Dark Crystal

DCRat’s modular architecture and bespoke plugin framework make it a very flexible option, helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.

The DCRat product itself consists of three components:

• A stealer/client executable
• A single PHP page, serving as the command-and-control (C2) endpoint/interface
  
• An administrator tool
  

The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. As with the examples discussed in our previous whitepaper discussing exotic programming languages used by malware writers, JPHP offers some potential benefits for making mischief.

As a programming language, JPHP’s target audience is primarily entry-level developers who make cross-platform desktop games. The ease of use, as well as the portability of its code, suits this purpose well. The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.

According to the JPHP documentation, this implementation “compiles PHP sources to Java Virtual Machine (JVM) bytecode, which can then execute on the JVM.” The JPHP project also provides a dedicated, Russian-language integrated development environment (IDE) called DevelNext. This IDE was used to develop the DCRat administrator tool, as well as some of the early versions of the DCRat client.

Location data available in public GitHub profiles indicates the core contribution team behind JPHP are overwhelmingly based in the Commonwealth of Independent States (CIS), an intergovernmental organization made up of twelve post-Soviet countries. The DCRat author’s decision to use JPHP may have stemmed from either an assumed level of trustworthiness, or simply from a belief that obtaining support for issues or enhancements related to the JPHP framework would have been easier to establish due to their shared familiarity with the Russian language.

Examining the DCRat Build

The DCRat client binary – meant for delivering to victim’s machines – is written in .NET. Earlier versions were written in JPHP, like the administrator tool. This was likely done to streamline and optimize the client component. JPHP is rather slow, as it runs on the JVM. And the distributed malware is much smaller, since it doesn’t have to include all the JPHP libraries.

DCRat is built around a modular architecture that incorporates a plugin framework. Affiliates can generate their own client plugins, which can be downloaded and used by subscribers. (We’ve included a list of the current plugins in the “Plugins” section, later on in this blog.)

The RAT currently seems to be under active development. The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.

During recent months, we’ve often seen DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system). Prometheus is a subscription-based malware service that has been used in many high-profile attacks, including campaigns against U.S. government institutions in 2021.

A detailed analysis of the DCRat client was published by Mandiant in May 2020. Just days after this report was released, the malware author shifted distribution of the RAT to a new domain. It’s clear that cybercriminals are becoming more aware of publicity from media and the security community, and they’re getting used to making swift changes in response to this unwanted exposure.

It’s worth noting that there is a second open-source RAT that also goes by the name DcRAT, which can be found in GitHub repository of user “qwqdanchun.” This is most likely a completely unrelated project. While it doesn’t bear many code similarities to DCRat, it may have been an inspiration for – or inspired by – the threat.

DCRat Offering

The DCRat bundle, its plugins, plugin development framework, and additional tools are currently hosted on crystalfiles[.]ru. These components have been moved there from their previous location at dcrat[.]ru. The crystalfiles website features a simple interface, as seen in Figure 1 below, and it serves only as the download point for the RAT. It has no additional information or resources for potential or existing clients.

It’s possible that the RAT is also sold on other restricted-access forums or on the dark web. The DCRat archives have been spotted on other URLs, and they’ve been shared through Discord instant messaging. The most common file name for distribution, across different versions of the RAT, seems to be “1ac770ea1c2b508fb3f74de6e65bc9c4.zip.”

All news and updates for DCRat are announced through a dedicated Telegram channel, as seen in Figures 3 and 4 below. At the time of writing, the channel had almost 3k subscribers.

Besides the DarkCrystalRAT Telegram account, there are also two Telegram bots: one for processing sales requests (“DCRatSeller_bot”), and one for technical support (“CrystalSupport_bot”).

The latest prices for DCRat licenses (excluding any temporary discounts) are: 

• 500 RUB / US$5 for two-month license
• 2200 RUB / US$21 for a year
  
• 4200 RUB / US$40 for a lifetime license
  

The Author

While the DCRat developer posts as Кодер ("Coder") on the lolz[.]guru forum (as shown in Figure 5), their Telegram handle is “@boldenis” and their GitHub username is “boldenis44” (based on a resource link buried in the DCRat source code shown in Figure 6). They must have used the latter name on lolz[.]guru at some point, as some users still refer to them as such. They list their email address as crystalcoder[at]exploit[.]im. The date of birth and address listed on their profile shown in Figure 5 below are most likely fake.

The lolz[.]guru forum profile indicates the developer is Russian and works alone.

The description in Russian translates roughly to “I steal data, I work on ru, uk and what?” It’s not entirely clear what this means, though it’s likely they’re bragging about stealing data from Russia, the UK, and possibly other countries.

The photo in this profile comes from a 2014 German hacker movie called “Who Am I: No System is Safe.” This photo has recently been changed – the cached version of this website shows an image (see Figure 9) that is a relatively popular depiction of a hacker, and the Russian sentence that somewhat cryptically translates to: “I drive SS into Dark.”

This is most likely a coincidence, as the njRAT profile is written by someone who speaks Arabic, not Russian.

There was another profile on the VKontakte site that has been spotted mentioning the crystalfiles[.]ru URL, as shown in Figure 11, which was for Rodion Balkanov (Родион Балканов): https[:]//vk[.]com/bagyuvix. However, this account has since been removed and is no longer available.

The Timeline

Although the DCRat project appears to have started several months in advance, a larger scale marketing campaign took place in September 2019, when the Telegram channel was created and the dcrat[.]ru domain registered. Shortly after this, the RAT got significantly redesigned to support plugins in a bespoke format.

The next major release came in May 2020 (version 3.0), followed by version 4.0 in March 2021. In between major releases, the RAT got smaller updates and bug fixes on a very regular basis, hinting that the author was highly engaged with his creation during this timeframe, as shown below.

• July 31, 2018 –  Кодер ("Coder") profile created on lolz[.]guru forum
• Sept. 1, 2019 – Telegram channel called DarkCrystalRat created
• Sept. 2, 2019 – dcrat[.]ru registered (see Figure 12)
  

• Sept. 4, 2019 – Introduction of a bespoke plugin format: DCLIB
• Nov. 19, 2019 – Redesign of the administrator tool
  
• May 12, 2020 – Mandiant publishes analysis of DCRat client
  
• May 27, 2020 – crystalfiles[.]ru registered; distribution shifts to the new domain
  

• May 30, 2020 – Version 3.0 released
• Oct. 2020 – Release of DCRat Studio, a bespoke platform that allows third-party developers to design plugins
  
• March 18, 2021 – Version 4.0 released
  
• Dec. 31, 2021 – Limited-time 50% discount on all types of licenses, as a New Year’s Eve deal
  
• March 6, 2022 – Due to devaluation of ruble, pricing changed from rubles to dollars at an exchange rate of US$1 = 100 RUB
  
• March 28, 2022 – Limited-time price discount for two-month, one-year, and lifetime licenses to $5, $19, and $39, respectively.
  

New plugins and minor updates are announced almost every day. 

The RAT Administrator Tool

The malware author chose to develop the RAT’s administration tool in JPHP using a niche Russian IDE called DevelNext. DevelNext compiles the PHP program into a Java bytecode, which can then be executed on the JVM. 

According to its GitHub page, the IDE is still in the beta stage, and it’s only available in the Russian language at this point. In the past, we’ve seen very few malware samples written in JPHP, because the executables it produces are both exceptionally large and slow to run. 

One example of malware using this IDE is a rudimentary backdoor called IceRAT, discovered in early 2020. This malware targeted Russian-speaking victims by installing crypto-mining software on their endpoints. An older example is one that was written for OSX as part of a campaign targeting Jaxx cryptocurrency wallets, which was discovered in 2018.

Contents of the Archive

The administrator tool comes as a ZIP archive with the following structure:

PHB file format

Instead of Java class files, the JPHP JAR archives are composed mainly of PHB files.

PHB is a custom file format used exclusively by JPHP. PHB files are simply archives that contain uncompressed, unencrypted Java class files and a PHB header. Each Java class file is preceded by a class file header, containing information such as module name, method names, PHP file path, and the class file length.

Class files can be extracted with the following Python script, then decompiled using tools such as JAD or jd-gui.

PHB file structure (example):

Licensing

The DCRat administrator tool, shown below in Figure 14, prevents unauthorized use through a series of online license checks. Once these checks succeed, the administrator interface becomes available.
 

The checks consist of HTTPS queries to the hardcoded domain dcrat[.]ru.

Peer Validation

The first validation check transmits a random 64-character value, hashed and Base64-encoded prior to transmission. The response from the C2 server must contain the same value, and it must be similarly hashed and encoded to be considered valid. This exchange provides rudimentary peer validation, ensuring the administrator tool is communicating with a genuine DCRat license server.

Subscriber Validation

A second HTTPS request authenticates the computer on which the administrator tool is running, as shown in Figure 15. A handful of host properties are collected to generate a unique fingerprint. This is transmitted to dcrat[.]ru and will (presumably) match against a valid subscriber entry.

Kill Switch

The administrator tool also performs an unusual final HTTPS check to a public resource hosted on GitHub, under the personal space of “boldenis44.” The query and response functions have a global “kill switch,” as shown in Figure 16. At the DCRat author’s discretion, flipping this switch would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity (so much for that “lifetime license”!).
 

This kill switch feature was found in separate administrator tool builds dated mid-2021 and early 2022.

Administrator Functions

The administrator tool allows a subscriber to take the following actions:

•  Login to an active C2 server
•  Issue Tasks to registered client installations
•  Generate builds of the Loader and/or Client
•  View and query installation statistics
•  Submit bug reports to the DCRat author 

Login needs to be performed to an active C2 server hosting the backend PHP, as shown in Figure 17.

Login parameters follow an obscure syntax:

• http://<server>/@<reversed_base64_PHP_pagename_minus_php_suffix>
• password
  

Fake News?

For reasons that are not entirely clear, the DCRat author implemented a function that displays a randomly generated number of “Servers working” and “Users online” that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.

Admin Functions

Following authentication, the administrator tool begins polling the C2 for details of connected and infected hosts.

Functions are grouped using tabs, as shown in Figure 18:

Users 

This tab lists the active/registered installations of DCRat client running on infected hosts. The list is updated using a periodic poll to the C2.

Builder

This tab is where the threat actor can configure (and generate) builds of the DCRat client executable. In the analyzed version of the administrator tool, the “core” of the client is downloaded from the dcrat[.]ru domain as a Base64 string, becoming input for “DCRCC.exe.”

These are the available parameters for configuration: 

• Network: 
  • Specifies a list of primary and secondary C2 hosts (transport protocols are limited to HTTP/S). 
    
• Protect: (shown in Figure 19)
  
  • Optional obfuscation of generated client binaries using .NET Reactor
    
  • Mutex name to use during execution – by default it’s a random 20-character alphanumeric string preceded by DCR_MUTEX prefix
    
  • DCR_MUTEX-<20_ALPHANUM_RAND>
    
  • Disable Windows Task Manager via Registry entry (see IoC)
    
  • Specify (spoof) PE creation time stamp
    
  • Launch delay in seconds
    
• Plugins: 
  
  • Configure and enable DCRat plugins
    
• Installation: 
  
  • Path for unpacking modules when DCRat client runs
    
  • Persistence mechanism to use
    
  • First start command script to use
    
  • Tag value to appear on hosts running DCRat build (i.e., campaign ID) 
    
  • Auto functions – functions to start automatically after launch:
    
    • Stealer 
      
    • Keylogger 
      
    • Uninstall (auto-delete)
      
  • Force Admin – try to force admin rights on launch 
    
  • Build Cache Storage
    
• Build:
  
  • Optional UPX compression of the build 
    
  • File extension to use
    
  • PE file icon

Loader 

Configure and build a DCRat loader binary. Support is provided for a range of stackable “Actions” combining to determine runtime behavior:

• Download file
• Execute file
  
• HTTP request
  
• CMD Script
  
• Wait
  
• Message Box

Tools 

Provides file upload and Netscape to JSON cookie converter.

Settings 

Configure Builder settings: 

• Change GUI background image
• Automatically poll C2 for connected (infected) hosts/installs
  
• Show notifications

Statistics 

Canned reports to query DCRat client installations (country, Windows version, etc.) 

USER-ID 

We cannot confirm at present what this function is for. It’s possible that this is a direct remote control/terminal client to an infected host.  

Bug Report 

Submit bug report to DCRat maintainer(s). 

Tasks

Configure Tasks to be executed on one or more DCRat clients. Tasks can be Saved (exported) or Loaded (imported) from text file. Tasks are stored as a reversed Base64 string. 

Global Functions 

Configure Tasks to be performed on all registered DCRat clients. 

DCRat Client

In this section we review the features of the DCRat client (stealer) and the DCRat Loader. Runtime behavior for both is configured using the DCRat administrator tool.

Client Loader

The administrator tool provides a function to generate a DCRat “Loader” executable. In the version we analyzed, generation of a loader in DLL format was not supported. It’s conceivable the author could add this support in newer builds.

The behavior of the Loader when executed is configured via one or more canned “Actions,” as shown in Figure 20. A typical build might be a combination of “Download File,” “Wait” and “Execute File,” which would silently pull down a file and then run it after waiting long enough to avoid arousing suspicion.

The source code for the Loader is embedded within the administrator tool as a series of Base64 strings that decode to reveal C# source code. Code for the executable is selected based on the Actions chosen by the user. The bundled “DCRCC.exe” generates the executable.

If selected, the generated executable will be protected using DotNET Reactor:

“-control_flow_obfuscation 1 -flow_level 9 -resourceencryption 1 -stringencryption 1 -suppressildasm 0 -all_params 1 -obfuscate_public_types 1 -exception_handling 0”

Persistence

Persistence for DCRat is limited to common Windows "autorun” locations:

1. Registry, using HKLM\Software\Microsoft\Windows\CurrentVersion\Run
2. Registry, using HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   
3. Registry, using HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon (REG_SZ: “Shell”)
4. Scheduled Task /ONLOGON 
5. Scheduled Task /sc minute RandomMinMax(5,15) 
   

The client executable copies itself to the System drive root (e.g., C:\) using the name of a randomly chosen running process, excluding “svchost.exe.”

Config

DCRat’s config is embedded in the client binary as a Base64-encoded string resource. It has a JSON format and contains C2 URLs, a tag, a mutex name and a few execution options, as well as plugin-specific configuration options for included plugins.

Host Fingerprint

As part of initial registration, the DCRat client reports a range of host attributes to its C2. This information is determined using a combination of WMI, .NET-provided instrumentation classes, and Windows registry queries:

• Host computer name
• Host username 
• Windows product/version 
• Tag value (embedded; campaign id) 
  
• Is Administrator 
  
• Video card name(s) 
• CPU Product/Vendor
• Local, network, removable drive labels
  
• Has microphone 
  
• Installed webcam(s) 
• Active Window text 
• Country, City, Lat/Long (geoip)
• Antivirus product(s) installed 
• Firewall product(s) installed 
• BIOS manufacturer 
• Motherboard manufacturer 
  
• CPU Vendor 
  
• Physical memory 
• Network interfaces (IP, WiFi/Ethernet) 
• .Net version installed
  

Stealer Functionality

The Stealer functions of DCRat are pre-configured using the administrator tool “Builder.” Stealer “Tasks” define the sequence of operations carried out during theft of stored information: 

DCRat can steal from the following sources (including those pictured in Figure 22):

• Browser cookies
• Browser stored passwords 
• Browser stored form content 
  
• Browser history 
  
• Stored credit cards (via Windows DPAPI & Chrome SQLite Database)
• Telegram 
  
• Steam account
  
• Discord tokens 
  
• FileZilla credentials
  
• Screenshots 
  
• Keylogger
  
• Clipboard contents
  
• Sysinfo
  

The Stealer component is also capable of running bespoke plugins, making it extensible to accommodate information malware authors find on specific targets.

Denial of Service

The DCRat Stealer contains primitive, multi-threaded code to perform different forms of DOS attacks – including HTTP(S) POST, UDP and TCP – to a specific host and endpoint combination. 

Delay Tactics

Common to many malware families, DCRat employs the use of Windows command line tools to perform execution delays. Associated with the execution of DCRat client are invocations of the Windows command line tool for time service configuration, w32tm. When configured with suitable command line arguments, as shown in Figure 23, it can act as a delay mechanism. In the case of DCRat, arguments are passed that act as 10 second delays. Coincident instances of w32tm in endpoint XDR could be a possible, albeit somewhat weak, signal of DCRat client execution:

Plugins

Plugins can be designed by third-party developers with the use of a dedicated IDE called DCRat Studio. Official plugins are available to download from crystalfiles[.]ru (as shown in Figure 24) and their functionality includes data exfiltration/credential stealing, system manipulation, and cryptocurrency mining.

To harness the power of crowd-sourced development and to encourage an ecosystem of plugins that target different information stores, DCRat subscribers have access to a list of supported third-party plugins. The precise inner workings of each plugin are unknown, but the name of each does provide an indicator of function:

• AutoKeylogger (deprecated)
• AntiVM (merged with AntiAnalysis)
  
• MiscInfoGrabber 
  
• WebBrowserPassView
  
• RunOnce
  
• DesktopGrabber
  
• StartupPlus
  
• AntiKiller
  
• AntiSNG
  
• BlockInput
  
• MessageOnStart 
  
• ClipboardLogger
  
• RegEditor
  
• FileSearcher
  
• FileGrabber 
  
• TitleKiller (deprecated)
  
• ProcessKiller
  
• CryptoStealer
  
• TelegramNotifier 
  
• AntiAnalysis
  
• Clipper
  
• CountryBlackList
  
• VPNGrabber 
  
• ForceAdmin
  
• SystemRestorePointsCleaner
  
• UserPingCounter
  
• ActiveWindowNotifier
  
• FakeSteamWindows
  
• Discord notifications (third party)
  
• IgnorTags (third party)
  
• Kryptex Miner (third party)
  
• XMRig (third party)
  

Conclusions

The biggest, flashiest threat groups might get their name in lights, but they aren’t necessarily the cybercriminals that keep security practitioners up at night. The scary, cutting-edge threats that come out of those advanced and well-funded threat groups do occasionally cause headaches for those of us who aren't guarding state secrets or ridiculous amounts of money. But miscreants with too much time on their hands can often cause just as much hassle.

Generally speaking, you get what you pay for, even in malware. If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported. But DCRat seems to break that rule in a way that’s deeply perplexing. 

This RAT’s code is being improved and maintained daily. If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time.

There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.

While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.