Hackers sell Remote Access Trojan (RAT) subscriptions to other malicious actors to generate revenue. These subscriptions give buyers unauthorized access to compromised computers, which they can then control and monitor remotely. This underground market for RAT subscriptions lets threat actors exploit compromised systems for a range of malicious activities.
Technical analysis
DCRat has been a capable and active malware family since 2018. It grants full backdoor access to Windows hosts, collects sensitive data, captures screenshots, and steals Telegram, Steam, and Discord credentials.
Underestimating the complexity of this malware risks major security breaches and data loss.
Underground sites show that DCRat is growing in popularity. Despite its low price, it offers many spying features, including access to social network accounts.
The RAT can be customized for specific objectives, and its constantly mutating code helps threat actors evade signature-based detection.
Because of this versatility, it is actively used by both novice and experienced threat actors.

Flow of Infection
Below is the payment page for DCRat, which was hosted on:-

Payment page
The team behind DCRat is quite cautious about their OPSEC, and for this:-
- They do all communication through Telegram.
- They only accept crypto payments to burner wallets.
- They use crystalpay[.]io to anonymize transactions further.
Tools such as “Detect It Easy” identify the DCRat loader as an SFX (self-extracting) file. SFX files are typically used for software installation; here the embedded script extracts and runs the payload without the user's knowledge.

Detect It Easy
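As an added example (not code from the original article or from Detect It Easy, which uses far richer signatures), the following Python triage check implements the core idea behind flagging an SFX loader: walk the PE section table to find where the image ends, then look for archive magic bytes in the overlay that follows. The sample buffer is constructed inline, and the signature offsets and the minimal PE layout are assumptions made for the demonstration.

```python
import struct
from typing import List, Optional, Tuple

# Magic bytes of archive formats commonly wrapped by self-extracting (SFX) stubs.
ARCHIVE_SIGNATURES = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "rar": b"Rar!\x1a\x07",
    "zip": b"PK\x03\x04",
}

def pe_overlay_offset(data: bytes) -> Optional[int]:
    """Offset where the PE image ends and the overlay begins, or None if not a PE.
    SFX stubs append their archive as overlay data after the last section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_size
    end = 0
    for i in range(num_sections):
        entry = sec_table + i * 40
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return end

def find_embedded_archives(data: bytes) -> List[Tuple[str, int]]:
    """(format, offset) pairs for archive signatures found in the overlay only.
    Signatures inside the image body (e.g. a resource) are deliberately ignored."""
    start = pe_overlay_offset(data)
    if start is None:
        return []
    hits = [(n, data.find(m, start)) for n, m in ARCHIVE_SIGNATURES.items()]
    return sorted([h for h in hits if h[1] != -1], key=lambda h: h[1])

def build_sample_sfx() -> bytes:
    """Constructed minimal PE (one section, no optional header) with a 7z header
    appended as overlay; a ZIP signature inside the section acts as a decoy."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 1, 0, 0, 0, 0, 0)
    section = b".text".ljust(8, b"\0") + struct.pack("<IIII", 0x10, 0x1000, 0x10, 0x80)
    img = bytearray(dos + coff + section.ljust(40, b"\0"))
    img += b"PK\x03\x04" + b"\0" * 12                          # section data at 0x80
    img += ARCHIVE_SIGNATURES["7z"] + b"\0" * 26               # overlay at 0x90
    return bytes(img)
```

On a real sample, a hit in the overlay is a strong hint that the file is an SFX wrapper whose embedded archive should be carved and inspected separately.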
.NET obfuscation rewrites the compiled code to hinder analysis, but tools like dnSpy still make it readable. Examining the decompiled source of DCRat's “Upload” function reveals the C2 server address.
The decompiled .NET code uses distinct namespaces for security and communication functions: namespace ns12 decrypts the malware configuration, while dgz handles decryption of C2 communication.
Subscription Model
DCRat is sold through a Telegram group, where sales are held frequently. It also uses a subscription model with the following typical prices:-
- 2 months: $5
- 1 year: $19
- Lifetime: $39
These prices are already inexpensive, so there is little to complain about.
Even so, the price is reduced even further at times, and the developers behind this RAT run a Telegram bot that offers DCRat “licenses.”
IOCs
- DCRat SFX: 76de703cc14b6c07efe92f8f73f9b91e91dc0a48a0024cfdf72fca09cacb5157
- DCRat: 5fe993c74d2fa4eb065149591af56011855a0a8f5471dab498d9e0f6641c6851
- C2 domain: 019214cm[.]nyashland[.]top
- C2: hxxp://019214cm[.]nyashland[.]top/EternalLineLowgameDefaultsqlbaseasyncuniversal[.]php
