Rewterz Threat Alert – DarkCrystal RAT (DCRat) Targeting Ukrainian Telecommunications Operators – Active IOCs- Russian-Ukrainian Cyber Warfare

Severity

High

Analysis Summary

DCRat – a Russian backdoor, was initially introduced in 2018, but rebuilt and relaunched a year later. The DCRat backdoor appears to be the product of a single threat actor who goes online with the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”). 

DCRat is one of the cheapest commercial RATs. For a two-month membership, the price starts at 500 RUB (less than 5 GBP/US$6), and it periodically drops even cheaper during special offers. This is written in .NET and features a modular structure, allowing affiliates to create their own plugins using DCRat Studio, a dedicated integrated development environment (IDE).

The malware’s modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.

The DCRat consists of three parts:

• A stealer/client executable
• The command-and-control (C2) endpoint/ interface is a single PHP page
• An administrator tool

The malware is still in development, the author announces any news and updates through a dedicated Telegram channel with about 3k users updated with any news and changes.

Recently, the DarkCrystal RAT has been used in attacks against Ukrainian telecom operators, according to the Ukrainian Response Team. The malspam messages employ the password-protected attachment “Algorithm of actions of members of the family of a missing serviceman LegalAid.rar” with the subject line “Free main legal aid.”

According to them,
When the “Algorithm LegalAid.xlsm” file is opened, and the macro is enabled, a PowerShell command will be executed. The malware DarkCrystal RAT will be downloaded and launched by the script, which will also download and run the.NET bootloader “MSCommondll.exe.” 
Based on the information, it is assumed that this attack is directed against operators and wireless providers of Ukraine.

Impact

Data Theft
Exposure of Sensitive Data

Indicators of Compromise

Domain Name

• datagroup[.]ddns[.]no

MD5

• 203[.]96[.]191[.]70
• 31[.]7[.]58[.]82

MD5

• b726312450e28faa38396736be1b00fb
• fd2e0ec9021783dba1c9744fa730e5b9
• 19bbb1b94f66609cbd80945c14486e93

SHA-256

• 2b2438aa8da7c23e714f2d7a196d82ed52914c9353ef9fded01448216bd858ff
• 471af7ed687ef875c6118ec2f440f0dea9a434b54d81b7946f58505676f7c589
• 7cffb54cb07db2f4104b8764ff15799111d06ea81d9c74c09134c61341d74202

SHA-1

• 805a8f5e68c84b45d14250ecd199e15c2c14fc9a
• 1ccb921ca679b14771a5959d4835abcc62ea18ac
• 5a37c52dc94da852dd3c0e674d78b2bb6ec38f41

URL

• http[:]//plexbd[.]net/MSCommonDriver[.]exe
• http[:]//plexbd[.]net/MSCommondll[.]exe
• https[:]//datagroup[.]ddns[.]net/PythonHttpGeolongpolldefault[.]php

Remediation

• Block the threat indicators at their respective controls.
• Search for IOCs in your environment.