Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT.
The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” security researcher Muhammed Irfan V A said in an analysis.
“DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures.”
PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that’s available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware.
The exact initial access vector used to deliver PureCrypter and, by extension, DarkVision RAT is not exactly clear, although it paves the way for a .NET executable that’s responsible for decrypting and launching the open-source Donut loader.
The Donut loader subsequently proceeds to launch PureCrypter, which ultimately unpacks and loads DarkVision, while also setting up persistence and adding the file paths and process names used by the RAT to the Microsoft Defender Antivirus exclusions list.
Persistence is achieved by setting up scheduled tasks using the ITaskService COM interface, autorun keys, and creating a batch script that contains a command to execute the RAT executable and placing a shortcut to the batch script in the Windows startup folder.
The RAT, which initially surfaced in 2020, is advertised on a clearnet site for as little as $60 for a one-time payment, offering an attractive proposition for threat actors and aspiring cyber criminals with little technical know-how who are looking to mount their own attacks.
Developed in C++ and assembly (aka ASM) for “optimal performance,” the RAT comes packed with an extensive set of features that allow for process injection, remote shell, reverse proxy, clipboard manipulation, keylogging, screenshot capture, and cookie and password recovery from web browsers, among others.
It’s also designed to gather system information and receive additional plugins sent from a C2 server, augmenting its functionality further and granting the operators complete control over the infected Windows host.
“DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution,” Zscaler said.
“This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
The Hacker News
