January 13, 2025
Severity
Medium
Analysis Summary
DCRat, a Russian backdoor, was first introduced in 2018 and was rebuilt and relaunched a year later. The DCRat backdoor appears to be the work of a single threat actor who operates under the pseudonyms “boldenis44,” “crystalcoder,” and Кодер (“Coder”).
DCRat is one of the cheapest commercial RATs. A two-month subscription starts at 500 RUB (less than 5 GBP/US $6), and the price periodically drops even lower during special offers. DCRat is written in .NET and has a modular structure, allowing affiliates to build their own plugins with DCRat Studio, a dedicated integrated development environment (IDE).
The malware's modular architecture allows it to be extended for a variety of nefarious objectives, including surveillance, reconnaissance, data theft, DDoS attacks, and arbitrary code execution.
DCRat consists of three components:
- A stealer/client executable
- The command-and-control (C2) endpoint/interface, which is a single PHP page
- An administrator tool
The malware is still under active development; the author announces news and updates through a dedicated Telegram channel with about 3,000 subscribers.
To protect against DCRat (also known as DarkCrystal RAT) and similar threats, it is important to regularly apply software and security patches, implement multi-factor authentication, be cautious when opening emails and attachments, and regularly back up important data. It is also important to run anti-virus software and to be aware of the signs of a RAT infection, such as unusual system activity or slow performance. If a system is suspected of being infected with DarkCrystal RAT or any other RAT, it is important to isolate the system immediately and to seek professional assistance in cleaning up the infection.
Impact
- Unauthorized Remote Access
- Keylogging
- Sensitive Information Theft
- Credential Theft
Indicators of Compromise
MD5
02d4afb627db486201d4700854e390d9
79893ef0d65e23527017d1f9feaf0331
183cb9283d9c8f6282283bd39f49d33c
dabf40b2ed8d96638f713f6373ef64cb
d49f9a9a6f4d5c60ae2c35aafe7d105a
bae83c597a9f76e1a42b833f108c8c9a
SHA-256
46cf8f5e46c3dbdd32c5f300f6fd395a7f12c0ec611de9e518bf7312f187590c
765a4d3d78bfe581a988e5a2934671b045e989afd02b995000325c347b16fa5e
d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984
0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911
91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d
46f77240e4a469bf38e0600e95edf6de249ede13f5a41de3702af584a69b7761
SHA-1
f63533f82c2a434f9104ccc9beee3216796aeb14
3cd6d4a35b0be0811d731a43583856775e2f0647
76674564064d31bb9d37f802bdec3821d4a55d89
4c9479e54b394722bdaeff1b36d903502cd1b1fe
8a192f01c06d2b67437c8789bdf564864d11eefc
c0be6ab84266d366d22b28c5bc0d68f2be525fc1
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution.
- Never trust or open links and attachments received from unknown sources/senders.
- Enable antivirus and anti-malware software and update signature definitions on time. Multi-layered protection is necessary to secure vulnerable assets.
- Patch and upgrade all platforms and software on time and make this a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
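As an added example of the "search for indicators of compromise" step (this script is not part of the advisory and is not a tool from the advisory's publisher), the following Python code hashes every file under a directory with MD5, SHA-1 and SHA-256 in a single pass and compares the results against the hash IOCs listed above. It also sweeps free-form text, such as an EDR or proxy log export, for any 32-, 40- or 64-character hex token that matches one of the listed hashes. The hash values are copied from the Indicators of Compromise section; the log lines in `SAMPLE_LOG` are constructed sample data, and all function names are our own.

```python
"""Sweep a file tree and text exports for the DCRat hashes listed in this advisory."""
import hashlib
import os
import re
from typing import Dict, Iterable, Iterator, List, Tuple

# Hash IOCs copied from the advisory's Indicators of Compromise section, lower-cased.
IOC_HASHES: Dict[str, frozenset] = {
    "md5": frozenset({
        "02d4afb627db486201d4700854e390d9", "79893ef0d65e23527017d1f9feaf0331",
        "183cb9283d9c8f6282283bd39f49d33c", "dabf40b2ed8d96638f713f6373ef64cb",
        "d49f9a9a6f4d5c60ae2c35aafe7d105a", "bae83c597a9f76e1a42b833f108c8c9a",
    }),
    "sha1": frozenset({
        "f63533f82c2a434f9104ccc9beee3216796aeb14", "3cd6d4a35b0be0811d731a43583856775e2f0647",
        "76674564064d31bb9d37f802bdec3821d4a55d89", "4c9479e54b394722bdaeff1b36d903502cd1b1fe",
        "8a192f01c06d2b67437c8789bdf564864d11eefc", "c0be6ab84266d366d22b28c5bc0d68f2be525fc1",
    }),
    "sha256": frozenset({
        "46cf8f5e46c3dbdd32c5f300f6fd395a7f12c0ec611de9e518bf7312f187590c",
        "765a4d3d78bfe581a988e5a2934671b045e989afd02b995000325c347b16fa5e",
        "d169e5e99edef6f5c3619faee33bddd20978f514bdc3448b8655fd06ea5f5984",
        "0a0eebfca8553e921339c90b0060ceb6adcbc5f747696b1abecd376f50283911",
        "91a5d06a6ddc1dbc0d573871082b21c0ef5d260987d760bff9b1d19966d0c32d",
        "46f77240e4a469bf38e0600e95edf6de249ede13f5a41de3702af584a69b7761",
    }),
}

# Hex tokens of exactly 32, 40 or 64 characters; the alternation order matters because
# the \b boundary stops a 64-char digest from being matched as its first 32 characters.
_HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b")
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def _digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Feed each chunk to all three hash objects so the data is read only once."""
    digests = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    for chunk in chunks:
        for d in digests.values():
            d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of an in-memory buffer."""
    return _digest_chunks([data])


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """MD5, SHA-1 and SHA-256 of a file, streamed in 1 MiB chunks."""
    with open(path, "rb") as fh:
        return _digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def match_digests(digests: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (algorithm, digest) pairs that appear in the advisory's IOC sets."""
    return [(algo, value.lower()) for algo, value in digests.items()
            if value.lower() in IOC_HASHES.get(algo, frozenset())]


def scan_tree(root: str) -> List[Tuple[str, str, str]]:
    """Walk a directory tree and return (path, algorithm, digest) for every IOC hit."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable (permissions, locked, vanished); record and move on in production
            for algo, value in match_digests(digests):
                hits.append((path, algo, value))
    return hits


def match_in_text(lines: Iterator[str]) -> List[Tuple[int, str, str]]:
    """Find advisory hashes inside arbitrary text lines, e.g. an EDR or proxy log export."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(lines, start=1):
        for token in _HEX_TOKEN.findall(line):
            algo = _ALGO_BY_LEN[len(token)]
            if token.lower() in IOC_HASHES[algo]:
                hits.append((lineno, algo, token.lower()))
    return hits


# Constructed sample log lines (not taken from the advisory); line 1 carries an advisory
# SHA-256, line 2 carries the MD5 of an empty file, which is not an IOC.
SAMPLE_LOG = [
    "2025-01-13T10:02:11Z host=WS-017 event=process_create "
    "sha256=46cf8f5e46c3dbdd32c5f300f6fd395a7f12c0ec611de9e518bf7312f187590c",
    "2025-01-13T10:02:15Z host=WS-017 event=file_write md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, algo, value in scan_tree(root):
        print(f"MATCH {algo} {value} {path}")
    for lineno, algo, value in match_in_text(iter(SAMPLE_LOG)):
        print(f"LOG line {lineno}: {algo} {value}")
```

Run it as `python dcrat_ioc_sweep.py /path/to/scan`; each file is read once and all three digests are computed from the same chunks, so a hit on any of the three lists is reported even when only one hash type is present in your own telemetry. The text sweep is useful for historical data that your EDR or proxy has already hashed, where re-hashing the original files is no longer possible.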