Novel Malware Operation Deploys PureCrypter Loader to Dispatch DarkVision RAT

Oct 15, 2024Ravie LakshmananMalware / Cybercrime

A brand-new malware operation has been uncovered by cybersecurity researchers, utilizing a malware loader named PureCrypter to distribute a common remote access trojan (RAT) known as DarkVision RAT.

The observed activity, documented by Zscaler ThreatLabz in July 2024, showcases a complex multi-step process for delivering the RAT payload.

“DarkVision RAT establishes communication with its command-and-control (C2) server via a specialized network protocol using sockets,” security researcher Muhammed Irfan V A explained in an analysis.

“DarkVision RAT offers support for a wide variety of commands and plugins, allowing for additional functionalities like keylogging, remote access, password pilferage, audio recording, and screen captures.”


PureCrypter, publicly disclosed initially in 2022, serves as an off-the-shelf malware loader readily available for purchase on a subscription basis, providing clients with the means to disseminate information stealers, RATs, and ransomware.

The exact method of initial access used to deploy PureCrypter and, subsequently, DarkVision RAT remains unclear; what is known is that it involves a .NET executable responsible for decrypting and launching the open-source Donut loader.

Following this, the Donut loader takes over to trigger PureCrypter, which in turn unpacks and activates DarkVision, while also establishing persistence and appending the file paths and process names employed by the RAT to the Microsoft Defender Antivirus exclusions list.


Persistence is achieved by creating scheduled tasks via the ITaskService COM interface, setting autorun registry keys, and writing a batch script that launches the RAT executable, then placing a shortcut to that batch script in the Windows startup folder.
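The persistence and evasion steps above leave a recognisable trail in Windows telemetry: Defender logs a configuration change when an exclusion is added, the Security log records scheduled task creation, and Sysmon records Run-key writes and files dropped into the startup folder. The script below, added here as an illustration and not code from the article or from Zscaler, runs a hunt for that combination over a handful of constructed sample events. The event IDs used are real (Defender/Operational 5007, Security 4698, Sysmon 11 and 13), but the flattened field names (`message`, `image`, `target_object`, `target_filename`, `task_content`, `subject_user`) are a simplifying assumption rather than the exact event XML schema, and every path, SID and file name in the samples is made up.

```python
"""Hunt for the DarkVision-style persistence plus Defender-exclusion pattern.

Added example. Sample events below are constructed, not real telemetry, and
their field layout is a simplified assumption about how a log pipeline might
flatten the Windows event XML.
"""
import re

# Artifacts named in the write-up: Defender exclusion entries, autorun keys,
# a shortcut in the startup folder, and a scheduled task that runs a script.
DEFENDER_EXCLUSION = re.compile(
    r"\\Windows Defender\\Exclusions\\(Paths|Processes)\\(.+?)\s*=", re.I)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)
TASK_COMMAND = re.compile(r"<Command>(.*?)</Command>", re.S)

# Constructed sample events (hypothetical paths and SID).
SAMPLE_EVENTS = [
    {"source": "Defender", "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. Old value: . "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Roaming\svchost32.exe = 0x0"},
    {"source": "Defender", "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. Old value: . "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\svchost32.exe = 0x0"},
    {"source": "Sysmon", "event_id": 13,
     "image": r"C:\Users\victim\AppData\Roaming\svchost32.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\svchost32",
     "details": r"C:\Users\victim\AppData\Roaming\svchost32.exe"},
    {"source": "Sysmon", "event_id": 11,
     "image": r"C:\Users\victim\AppData\Roaming\svchost32.exe",
     "target_filename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"source": "Security", "event_id": 4698, "subject_user": "victim", "task_name": r"\Updater",
     "task_content": r"<Actions><Exec><Command>C:\Users\victim\AppData\Roaming\update.bat</Command></Exec></Actions>"},
    # Benign noise that the rules must ignore.
    {"source": "Defender", "event_id": 5007,
     "message": r"Windows Defender Antivirus Configuration has changed. Old value: . "
                r"New value: HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1"},
    {"source": "Sysmon", "event_id": 11, "image": r"C:\Windows\explorer.exe",
     "target_filename": r"C:\Users\victim\Documents\notes.txt"},
    {"source": "Sysmon", "event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "details": "DWORD (0x00000001)"},
]


def analyze(events):
    """Return one finding per event that matches a persistence or exclusion rule."""
    findings = []
    for ev in events:
        src, eid = ev.get("source"), ev.get("event_id")
        if src == "Defender" and eid == 5007:
            m = DEFENDER_EXCLUSION.search(ev.get("message", ""))
            if m:
                findings.append({"rule": f"defender_exclusion_{m.group(1).lower()}",
                                 "artifact": m.group(2).strip(), "actor": None})
        elif src == "Sysmon" and eid == 13 and RUN_KEY.search(ev.get("target_object", "")):
            findings.append({"rule": "autorun_key_set",
                             "artifact": ev.get("details", ""), "actor": ev.get("image")})
        elif src == "Sysmon" and eid == 11 and STARTUP_LNK.search(ev.get("target_filename", "")):
            findings.append({"rule": "startup_folder_shortcut",
                             "artifact": ev["target_filename"], "actor": ev.get("image")})
        elif src == "Security" and eid == 4698:
            cmd = TASK_COMMAND.search(ev.get("task_content", ""))
            findings.append({"rule": "scheduled_task_created",
                             "artifact": cmd.group(1).strip() if cmd else ev.get("task_name", ""),
                             "actor": ev.get("subject_user")})
    return findings


def correlate(findings):
    """Escalate findings whose acting process is itself excluded from Defender.

    A process that both gets added to the exclusion list and plants persistence
    is the combination described in the write-up; on its own, each event is
    common admin noise.
    """
    excluded = {f["artifact"].lower() for f in findings if f["rule"].startswith("defender_exclusion")}
    excluded_names = {p.rsplit("\\", 1)[-1] for p in excluded}
    alerts = []
    for f in findings:
        actor = (f.get("actor") or "").lower()
        if actor and (actor in excluded or actor.rsplit("\\", 1)[-1] in excluded_names):
            alerts.append(f)
    return alerts


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] {f['artifact']}")
    for a in correlate(found):
        print(f"HIGH: excluded process planting persistence: {a['actor']} -> {a['rule']}")
```

The two-stage shape matters: `analyze` is deliberately noisy (exclusion changes and Run-key writes happen legitimately all the time), while `correlate` only escalates when the same image shows up on both sides, which is the specific behaviour the loader exhibits here. In a real pipeline the `task_content` command would also be fed into the correlation so that the batch script's path can be tied back to the shortcut and the excluded executable.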

The RAT, which first emerged in 2020, is advertised on a clearnet website for as little as $60 as a one-time payment, making it an attractive option for threat actors and budding cybercriminals with minimal technical proficiency who want to launch their own operations.

Constructed in C++ and assembly (also known as ASM) for “optimized performance,” the RAT boasts an extensive range of functionalities enabling process injection, remote shell, reverse proxy, clipboard alteration, keylogging, screenshot capturing, as well as cookie and password retrieval from web browsers, among other capabilities.


It’s also structured to gather system details and receive additional plugins transmitted from a C2 server, augmenting its capabilities further and granting operators complete dominance over the compromised Windows machine.

“DarkVision RAT stands as a potent and adaptable tool for cybercriminals, offering a diverse range of malevolent functionalities, spanning from keylogging and screen capture to password theft and remote execution,” Zscaler remarked.

“The blend of flexibility, affordability, and easy access in hack forums and their website has led to an escalating popularity of DarkVision RAT among attackers.”
