A bargain-basement, $5 price tag on a 3-year-old remote access Trojan (RAT) has concerned some security researchers, who see the move as signs of a possible race to the bottom in terms of pricing — or that new, disrupting developers are entering the cybercriminal market.
According to an analysis of the malware by software and security firm BlackBerry, an extremely low-cost variant of the malware known as the Dark Crystal RAT (aka DCRat) appears to be the brainchild of a sole Russian developer. The creator wrote the code in the popular C#, but also coded the administrative server in the relatively obscure JPHP, a clone of the PHP Web language that runs on a Java virtual machine. The malware platform has become popular with entry-level hackers but has many of the features — such as a modular architecture and custom plug-ins — of better-known programs.
The malware may only be a niche threat, but the development of new — albeit, minor — attack tools highlights the fact that companies need to be vigilant, says Jim Simpson, director of threat intelligence at BlackBerry.
"Nothing makes it especially dangerous — it is another thing to be aware of and take the usual precautions over," he says, adding that companies should make sure that their end users are trained on spotting and reporting suspicious emails and that multifactor authentication is deployed. "It is likely someone, seeing a gap in the market for a cheaper toolset, created something that would work for people looking to fill that need."
Yet the low, low price of the software has rung some warning bells for researchers. In the world of legitimate software, open source and free is the name of the game, but profit-minded cybercriminals offering bottom-of-the-barrel pricing is an anomaly, the researchers said.
"This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven," the BlackBerry researchers stated in the analysis. "It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income."
Simpson notes that a lone-wolf operator has lower operating costs and overhead, so that could lead to lower prices. In addition, while the original price had been set at 500 rubles, the devaluation of the Russian currency led the developer to set the latest prices in US dollars.
"If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported, but DCRat seems to break that rule in a way that’s deeply perplexing," the researchers said. "This RAT's code is being improved and maintained daily. If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time."
Inside the World of the Dark Crystal (RAT)
The Dark Crystal malware first appeared at least as early as 2018, with the program written in Java, according to a May 2020 analysis by incident response firm Mandiant. In 2019, the developer added a customized plug-in frameworks and redesigned the program using C#. In 2020, the program had at least 50 different commands and had caught the attention of incident responders, according to Mandiant's analysis.
The DCRat malware has three different components: A malicious program that runs on the compromised systems, a single webpage written in PHP that acts as the command-and-control interface, and the administrator tool written in JPHP, an uncommon programming language typically used by beginning programmers interested in games. The use of JPHP is likely because the developer is conversant in that programming language rather than because of any specific advantage, BlackBerry's Simpson says.
"The client itself is now .NET based," he says. "It’s only the admin panel — server-side — that is developed in JPHP, and it’s unlikely chosen for its obfuscation, more likely for its ease of development and portability between operating systems."
The evolution of DCRat fits right in with the trend of groups moving to create their own infrastructure, with the goal of turning access, compromise, and ransomware into services. While some remote access platforms — such as the industrial control system (ICS)-focused Pipedream — are the product of teams sponsored by nation-states, others come from smaller groups of cybercriminal operators that are focused on staying ahead of defenders and reverse engineers, just like DCRat.
The REvil malware, for example, has returned from the dead, after international investigators and law-enforcement agencies disrupted the group and Russia arrested some of the group's members. A recent ransomware sample and reconstituted infrastructure suggest that someone, or some group, with connections to the previous operators are now reviving the ransomware-as-a-service (RaaS) offering.
While DCRat's cut-rate malware does not measure up to many threats, the attack tool is frequently being improved, and threat-intelligence analysts should keep an eye on its evolution, the BlackBerry team noted.