DCRat backdoor returns

[harlan4096]

Since the beginning of the year, we’ve been tracking in our telemetry a new wave of DCRat distribution, with paid access to the backdoor provided under the Malware-as-a-Service (MaaS) model. The cybercriminal group behind it also offers support for the malware and infrastructure setup for hosting the C2 servers.

Distribution

The DCRat backdoor is distributed through the YouTube platform. Attackers create fake accounts or use stolen ones, then upload videos advertising cheats, cracks, gaming bots and similar software. In the video description is a download link to the product supposedly being advertised. The link points to a legitimate file-sharing service where a password-protected archive awaits, the password for which is also in the video description.


YouTube video ad for a cheat and crack

Instead of gaming software, these archives contain the DCRat Trojan, along with various junk files and folders to distract the victim’s attention.

Archives with DCRat disguised as a cheat and crack

Backdoor

The distributed backdoor belongs to a family of remote access Trojans (RATs) dubbed Dark Crystal RAT (DCRat for short), known since 2018. Besides backdoor capability, the Trojan can load extra modules to boost its functionality. Throughout the backdoor’s existence, we have obtained and analyzed 34 different plugins, the most dangerous functions of which are keystroke logging, webcam access, file grabbing and password exfiltration.

Continue Reading...