Unusual Malware Operation Deploys PureCrypter Loader for Distribution of DarkVision RAT
A new malware campaign has been observed using a loader called PureCrypter to distribute a commodity remote access trojan (RAT) known as DarkVision RAT.
The activity, spotted by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload.
“DarkVision RAT establishes communication with its command-and-control (C2) server through a distinct network protocol leveraging sockets,” security analyst Muhammed Irfan V A stated in the analysis.
“DarkVision RAT boasts a broad spectrum of directives and extensions enabling additional functionalities like keystroke logging, remote entry, password theft, audio recording, and screen snapshots.”
PureCrypter, first documented in 2022, is a commercially available malware loader sold on a subscription basis that lets its customers distribute information stealers, RATs, and ransomware.
The initial access vector used to deliver PureCrypter, and then DarkVision RAT, is not yet clear, but the chain begins with a .NET executable responsible for decrypting and launching the open-source Donut loader.
The Donut loader then launches PureCrypter, which in turn decrypts and injects DarkVision RAT, while also setting up persistence and adding the file paths and process names used by the RAT to the Microsoft Defender Antivirus exclusion list.
Persistence is achieved by creating scheduled tasks through the ITaskService COM interface, adding startup registry keys, and writing a batch script that launches the RAT executable, with a shortcut to that batch script placed in the Windows Startup folder.
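For a defender, the mechanisms in the two paragraphs above map to a handful of host locations worth auditing: the Defender exclusion lists, the Run/RunOnce keys, the Startup folders, and the scheduled task store. The PowerShell below is an added example, not code from Zscaler's report or from the malware itself. It only reads those locations and prints what it finds; the drop-location regex, the `$findings` layout, and the choice to flag only Startup-folder shortcuts that point at `.bat`/`.cmd` files are assumptions made for this example.

```powershell
# Added example: read-only audit of the persistence and evasion spots described
# in the article. Nothing is modified. Run in an elevated session so the
# machine-wide keys, Defender preferences and all scheduled tasks are readable.

$findings = @()

# 1. Defender exclusions: the loader adds the RAT's paths and process names here,
#    so any entry pointing at a user-writable location deserves a second look.
$mp = Get-MpPreference -ErrorAction SilentlyContinue
if ($mp) {
  foreach ($p in $mp.ExclusionPath)    { $findings += [pscustomobject]@{ Source = 'DefenderExclusionPath';    Value = $p } }
  foreach ($p in $mp.ExclusionProcess) { $findings += [pscustomobject]@{ Source = 'DefenderExclusionProcess'; Value = $p } }
}

# 2. Run / RunOnce startup keys, per-user and machine-wide.
$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
  if (-not (Test-Path $k)) { continue }
  $props = Get-ItemProperty -Path $k
  # Skip the PS* metadata properties PowerShell attaches to registry objects.
  foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name)) {
    $findings += [pscustomobject]@{ Source = "RunKey $k"; Value = "$name = $($props.$name)" }
  }
}

# 3. Startup-folder shortcuts whose target is a batch script (the article's
#    batch-script-plus-shortcut pattern). Resolve .lnk targets via WScript.Shell.
$startupDirs = @(
  [Environment]::GetFolderPath('Startup'),
  [Environment]::GetFolderPath('CommonStartup')
)
$shell = New-Object -ComObject WScript.Shell
foreach ($d in $startupDirs) {
  Get-ChildItem -Path $d -Filter '*.lnk' -ErrorAction SilentlyContinue | ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if ($target -match '(?i)\.(bat|cmd)$') {
      $findings += [pscustomobject]@{ Source = 'StartupShortcutToBatch'; Value = "$($_.FullName) -> $target" }
    }
  }
}

# 4. Scheduled tasks outside the \Microsoft\ tree whose action executes from a
#    common malware drop location. The location list is an assumption of this
#    example; tune it to the environment.
$dropLocations = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'
Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
  foreach ($a in $_.Actions) {
    if ($a.Execute -and ($a.Execute -match $dropLocations)) {
      $findings += [pscustomobject]@{ Source = "ScheduledTask $($_.TaskPath)$($_.TaskName)"; Value = "$($a.Execute) $($a.Arguments)" }
    }
  }
}

$findings | Format-Table -AutoSize -Wrap
```

The output is a review list rather than a verdict: legitimate software also uses Run keys and scheduled tasks, so the useful signal is the combination the article describes, a freshly added Defender exclusion for the same path that a new task, Run key, or Startup shortcut launches.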
The RAT, which first surfaced in 2020, is advertised on a public website for as little as $60 as a one-time payment, making it attractive to threat actors and aspiring cybercriminals with limited technical skill who want to launch their own attacks.
Written in C++ and assembly (ASM) for “optimum efficiency,” the RAT packs a wide range of features, including process injection, remote shell, reverse proxy, clipboard management, keylogging, screenshot capture, and theft of cookies and passwords from web browsers, among others.
It is also designed to collect system information and fetch additional plugins from the C2 server, extending its functionality further and giving operators full control over the compromised Windows host.
“DarkVision RAT signifies a formidable and adaptable instrument for cyber felons, providing an extensive range of malevolent capabilities, spanning from keystroke logging and screen grabs to password theft and remote execution,” as per Zscaler’s statement.
“The versatility of DarkVision RAT, coupled with its affordability and accessibility on hacking forums and their portal, has contributed to its rising popularity among malevolent actors.”