
Dark Crystal Remote Access Trojan

First observed in early 2020, Dark Crystal (also known as DCRat) is an advanced C# and .NET based remote access trojan.




Affected platforms

The following platforms are known to be affected:

Threat details

Dark Crystal affiliate users purchase it through a bespoke website accessible via the Tor network. As with other malware-as-a-service tools, users are actually buying a builder application for Dark Crystal that allows them to customise its configuration and deployment parameters. The builder also supplies a PHP file that is used to set up a command and control (C2) server for Dark Crystal. At the time of publication, several spam campaigns have been observed delivering Dark Crystal.

Once delivered to a system, Dark Crystal will attempt to ensure persistence by editing several registry keys and injecting itself into a running process. It will then connect to the specified C2 server and await further commands. By default, Dark Crystal is able to:

  • collect system and user information
  • download, install, edit, delete, or transfer files
  • record audio, video, and user inputs (mouse/keyboard)
  • enumerate network drive numbers
  • execute shell commands
  • spawn and terminate processes
  • open URLs

A number of additional plugins that extend Dark Crystal's capabilities are also available for purchase through its website.


Remediation steps


To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

URLs

  • domalo[.]online
  • dcrat[.]ru
  • ipinfo[.]ip

Filepaths

  • %APPDATA%\<random process name>.exe
  • %APPDATA%\dotNET.lnk
  • C:\<random process name>.exe
  • C:\Sysdll32.lnk
  • Start Menu\Programs\Startup\dotNET.lnk
  • Start Menu\Programs\Startup\Sysdll32.lnk

Registry Keys

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\scrss
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit

MD5 File Hashes

  • 047af34af65efd5c6ee38eb7ad100a01
  • bc2dc004028c4f0303f5e49984983352
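As an added detection example that is not part of this advisory, the following Python checks host telemetry against the persistence, file, hash and domain indicators listed above. The Sysmon-style event format, the sample events and the low-confidence heuristic for the randomly named dropper are assumptions made for the example.

```python
from typing import Dict, List

# Indicators as listed in this advisory (domains are de-fanged on the page; dots restored here).
IOC_DOMAINS = {"domalo.online", "dcrat.ru", "ipinfo.ip"}
IOC_RUN_VALUES = {"scrss", "wininit"}            # value names under HKCU\...\CurrentVersion\Run
IOC_LNK_NAMES = {"dotnet.lnk", "sysdll32.lnk"}   # seen in %APPDATA%, C:\ and the Startup folder
IOC_MD5 = {"047af34af65efd5c6ee38eb7ad100a01", "bc2dc004028c4f0303f5e49984983352"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"

def check_event(ev: Dict[str, str]) -> List[str]:
    """Return the findings for one event (an empty list means nothing matched)."""
    findings: List[str] = []
    if ev["type"] == "registry":
        key, _, value = ev["target"].lower().rpartition("\\")
        if key == RUN_KEY and value in IOC_RUN_VALUES:
            findings.append(f"Run-key persistence value '{value}'")
    elif ev["type"] == "file":
        parent, _, name = ev["path"].lower().rpartition("\\")
        if name in IOC_LNK_NAMES:
            findings.append(f"Dark Crystal shortcut '{name}' in {parent}")
        # The dropper's name is random, so only its location can be matched: an .exe written
        # directly into C:\ or the %APPDATA% root is reported as a low-confidence hit (assumption).
        in_root = parent in ("c:", "%appdata%") or parent.endswith("\\appdata\\roaming")
        if name.endswith(".exe") and in_root:
            findings.append(f"executable dropped directly in {parent} (low confidence)")
        if ev.get("md5", "").lower() in IOC_MD5:
            findings.append("MD5 matches a known Dark Crystal sample")
    elif ev["type"] == "dns":
        if ev["query"].lower().rstrip(".") in IOC_DOMAINS:
            findings.append(f"lookup of Dark Crystal infrastructure '{ev['query']}'")
    return findings

def scan(events: List[Dict[str, str]]) -> Dict[int, List[str]]:
    """Run every event through check_event; keys are the indices of events that matched."""
    return {i: f for i, ev in enumerate(events) if (f := check_event(ev))}

# Constructed sample telemetry (not from any real host): Sysmon-style registry, file and DNS events.
SAMPLE_EVENTS = [
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Wininit"},
    {"type": "registry", "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\dotNET.lnk"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\kjhsd.exe", "md5": "BC2DC004028C4F0303F5E49984983352"},
    {"type": "file", "path": r"C:\Program Files\Vendor\tool.exe", "md5": "d41d8cd98f00b204e9800998ecf8427e"},
    {"type": "dns", "query": "dcrat.ru."},
    {"type": "dns", "query": "www.nhs.uk"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx], hits)
```

Matching is case-insensitive and the registry check is deliberately limited to the HKCU Run key named in the advisory.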

Last edited: 29 June 2021 12:01 pm