Key Points:
DCRat, a remote access Trojan (RAT) first released in 2018, has recently undergone a revamp. The malware gained notoriety as a readily accessible Trojan to a wide variety of threat actors, a factor that is probably responsible for its recent increase in usage in the wild.
While the DCRat malware is not a radical shift from other commodity RATs, it does include features that target the victim's social messaging accounts, specifically Telegram and Discord. SafeGuard Cyber’s Division 7 threat intelligence team has observed growth in these features within recent malware samples.
With the steady rise in messaging app use over the past several years, it makes sense that threat actors are shifting their targeting toward these accounts.
DCRat, also known as DarkCrystal RAT, is a readily available Trojan, purchasable on various dark web marketplaces at a low price. This malware was first seen in 2018, but has recently been redesigned and is now known to have a wide array of functions, including but not limited to, the theft of:
The DCRat malware also contains more common Trojan capabilities such as taking screenshots, stealing clipboard data, and keylogging functions.
A video detailing the functions of the remote access Trojan was created by the developer, while the source code for the RAT can be found at the developers’ GitHub page, but this information may be outdated.
The last known cost for the purchase of DCRat is $5 for a two month license, $21 for a year license, and $40 for a lifetime use license. The developer of the DCRat malware is known to be working alone in the development of this remote access Trojan and has been seen marketing the RAT on various underground forums, as noted by Blackberry.
One of the more dangerous aspects of DCRat is that it can be purchased by anyone and used to fit just about any campaign. It has been packaged with other malware samples and used in multiple different campaigns such as Snip3 Crypter and the Upwork attack in February of 2022 which was aimed at exploiting Discord tokens.
As previously mentioned: (1) The DCRat malware can steal credentials used to login to social media accounts, specifically Telegram and Discord, and (2) it can be easily packaged with other samples of malware and distributed by many different types of attacks.
With many organizations and end-users using social media platforms for communication, it would be quite easy to distribute the malware by means of social media communications. Moreover, the malware itself has the ability to steal the credentials of users that use these platforms.
To defend against DCRat and similar malware, it is important to practice proper guidelines to identify and report such attacks. With the SafeGuard Cyber platform, you can set up policies to sandbox and analyze files shared through channels like Telegram. In the screenshot below, the sample was detected by the SafeGuard Cyber platform. The message containing the malware was sent over Telegram.
SafeGuard Cyber detection of DarkCrystal RAT malware
Additionally, in case an account is ever compromised and an actor gains access to the victims message history, it is recommended that companies implement policies to never share credentials on Telegram, Slack, or any other third-party communications channel. SafeGuard Cyber can also be used to help alert to possible policy violations of this type so that the sensitive data can be removed.
While most malware has been seen distributed through email, it’s impossible to ignore the increased use of social media to distribute malware.
With many organizations and people using various social media and messaging platforms to communicate such as Telegram, Slack, and WhatsApp, there has been an uptick in attacks using and targeting these channels. Looking back at DCRat, it’s easier than ever to manipulate social media messages to lure unsuspecting victims into downloading malware and losing access to their accounts.
One notable example that our very own threat intelligence team observed is a malware payload identified as ‘Echelon’. This malware is a credential stealer that was posted in a crypto trading Telegram channel that SafeGuard Cyber monitors for our financial service customers in the crypto space. Based on what we’ve detected, the Echelon malware is targeting credentials, crypto wallets, and device details. Read the complete report here.
Another example of a communication channel being exploited is last year’s EA Games data breach. In this scenario, the attacker used a Slack authentication cookie that was sold on the dark web for $10 in order to gain access to the company’s Slack channel to gain access to the data that was then leaked. Another example of an attack is the Echelon malware that was sent through a public cryptocurrency channel on Telegram that targeted cryptocurrency wallets.
SafeGuard Cyber believes that malware like DCRat is part of a general trend toward increased targeting of the platform and its users. In the past couple of months we have seen multiple RATs that include modules that specifically target Telegram accounts. They include Prynt Stealer and the most recent version of Jester Stealer.
One of the aspects that leads attackers to distributing malware through social media platforms is that many social media platforms lack the same security controls that are centralized in corporate assets. Some channels have stronger security than others, but it is still simple for attackers to utilize these channels to find victims whether it be through phishing or simple distribution in public channels in hopes that an unsuspecting victim will download it and then run it on their machine. Moreover, if an attacker were to gain access to a channel with a victim's credentials, it would make it much easier to move laterally and gain access to critical data.
The SafeGuard Cyber platform can apply consistent event detection policies that can be applied across multiple communication applications, including collaboration tools, social media, and mobile chat.
Customers can enact policies, like the ones described above, to one channel, and then seamlessly apply them to any of the (number) communication applications that are protected by SafeGuard Cyber, allowing them to consolidate their security posture across several disparate channels within one solution. Businesses can request a demo to learn more on how we can protect their digital communication applications.
Businesses can work with SafeGuard Cyber to build out custom machine learning to detect and alert on social engineering attacks targeting their employees. Take SafeGuard Cyber's Security Tour to see first hand examples on how to prepare for and counteract remote access Trojans like DCRat.
If you are interested in learning more about the SafeGuard Cyber solution, you can take a quick 5-minute tour.