Update 05.27.22: An unknown APT group is targeting Russian government entities with at least four separate spear-phishing campaigns since the beginning of the Ukraine conflict. Source: Security Affairs.
In the murky underworld of Russian crimeware, DCRat seems to be a bit of a dark horse. Unlike the well-funded, massive Russian threat groups crafting custom malware to attack universities, hospitals, small businesses and more, this remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget. In fact, this threat actor’s commercial RAT sells at a fraction of the standard price such tools command on Russian underground forums.
DCRat (also known as DarkCrystal RAT) is a commercial Russian backdoor that was first released in 2018, before being redesigned and relaunched a year later. Notably, this threat appears to have been developed and maintained by a single person going by the pseudonyms of “boldenis44,” “crystalcoder,” and Кодер (“Coder”).

Sold predominantly on Russian underground forums, DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at 500 RUB (less than 5 GBP/US$6) for a two-month subscription, and occasionally dips even lower during special promotions. No wonder it’s so popular with professional threat actors as well as script kiddies.
This price range is a curious feature, as it makes it seem like the author is not particularly profit-driven. It could be that they’re simply casting a wide net, trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or perhaps this is a passion project rather than their main source of income. 
DCRat’s modular architecture and bespoke plugin framework make it a very flexible option, helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.
The DCRat product itself consists of three components:
The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. As with the examples discussed in our previous whitepaper discussing exotic programming languages used by malware writers, JPHP offers some potential benefits for making mischief.

As a programming language, JPHP’s target audience is primarily entry-level developers who make cross-platform desktop games. The ease of use, as well as the portability of its code, suits this purpose well. The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.
According to the JPHP documentation, this implementation “compiles PHP sources to Java Virtual Machine (JVM) bytecode, which can then execute on the JVM.” The JPHP project also provides a dedicated, Russian-language integrated development environment (IDE) called DevelNext. This IDE was used to develop the DCRat administrator tool, as well as some of the early versions of the DCRat client.
Location data available in public GitHub profiles indicates the core contribution team behind JPHP are overwhelmingly based in the Commonwealth of Independent States (CIS), an intergovernmental organization made up of twelve post-Soviet countries. The DCRat author’s decision to use JPHP may have stemmed from either an assumed level of trustworthiness, or simply from a belief that obtaining support for issues or enhancements related to the JPHP framework would have been easier to establish due to their shared familiarity with the Russian language.
The DCRat client binary, meant for delivery to victims' machines, is written in .NET. Earlier versions were written in JPHP, like the administrator tool. The switch was likely made to streamline and optimize the client component: JPHP is rather slow, as it runs on the JVM, and the distributed malware is much smaller, since it doesn't have to include all the JPHP libraries.
DCRat is built around a modular architecture that incorporates a plugin framework. Affiliates can generate their own client plugins, which can be downloaded and used by subscribers. (We’ve included a list of the current plugins in the “Plugins” section, later on in this blog.)
The RAT currently seems to be under active development. The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.
During recent months, we’ve often seen DCRat clients being deployed with the use of Cobalt Strike beacons through the Prometheus TDS (traffic direction system). Prometheus is a subscription-based malware service that has been used in many high-profile attacks, including campaigns against U.S. government institutions in 2021.
A detailed analysis of the DCRat client was published by Mandiant in May 2020. Just days after this report was released, the malware author shifted distribution of the RAT to a new domain. It’s clear that cybercriminals are becoming more aware of publicity from media and the security community, and they’re getting used to making swift changes in response to this unwanted exposure.
It’s worth noting that there is a second open-source RAT that also goes by the name DcRAT, which can be found in the GitHub repository of user “qwqdanchun.” This is most likely a completely unrelated project. While it doesn’t bear many code similarities to DCRat, it may have been an inspiration for, or been inspired by, the threat.
The DCRat bundle, its plugins, plugin development framework, and additional tools are currently hosted on crystalfiles[.]ru. These components have been moved there from their previous location at dcrat[.]ru. The crystalfiles website features a simple interface, as seen in Figure 1 below, and it serves only as the download point for the RAT. It has no additional information or resources for potential or existing clients.
It’s possible that the RAT is also sold on other restricted-access forums or on the dark web. The DCRat archives have been spotted on other URLs, and they’ve been shared through Discord instant messaging. The most common file name for distribution, across different versions of the RAT, seems to be “1ac770ea1c2b508fb3f74de6e65bc9c4.zip.”
All news and updates for DCRat are announced through a dedicated Telegram channel, as seen in Figures 3 and 4 below. At the time of writing, the channel had almost 3k subscribers.
Besides the DarkCrystalRAT Telegram account, there are also two Telegram bots: one for processing sales requests (“DCRatSeller_bot”), and one for technical support (“CrystalSupport_bot”).
The latest prices for DCRat licenses (excluding any temporary discounts) are: 

  • 500 RUB / US$5 for two-month license
  • 2200 RUB / US$21 for a year
  • 4200 RUB / US$40 for a lifetime license

While the DCRat developer posts as Кодер ("Coder") on the lolz[.]guru forum (as shown in Figure 5), their Telegram handle is “@boldenis” and their GitHub username is “boldenis44” (based on a resource link buried in the DCRat source code shown in Figure 6). They must have used the latter name on lolz[.]guru at some point, as some users still refer to them as such. They list their email address as crystalcoder[at]exploit[.]im. The date of birth and address listed on their profile shown in Figure 5 below are most likely fake.
The lolz[.]guru forum profile indicates the developer is Russian and works alone.
The description in Russian translates roughly to “I steal data, I work on ru, uk and what?” It’s not entirely clear what this means, though it’s likely they’re bragging about stealing data from Russia, the UK, and possibly other countries.
The photo in this profile comes from a 2014 German hacker movie called “Who Am I: No System is Safe.” This photo has recently been changed – the cached version of this website shows an image (see Figure 9) that is a relatively popular depiction of a hacker, and the Russian sentence that somewhat cryptically translates to: “I drive SS into Dark.”
This is most likely a coincidence, as the njRAT profile is written by someone who speaks Arabic, not Russian.
There was another profile on the VKontakte site that has been spotted mentioning the crystalfiles[.]ru URL, as shown in Figure 11, which was for Rodion Balkanov (Родион Балканов): https[:]//vk[.]com/bagyuvix. However, this account has since been removed and is no longer available.
Although the DCRat project appears to have started several months in advance, a larger scale marketing campaign took place in September 2019, when the Telegram channel was created and the dcrat[.]ru domain registered. Shortly after this, the RAT got significantly redesigned to support plugins in a bespoke format.
The next major release came in May 2020 (version 3.0), followed by version 4.0 in March 2021. In between major releases, the RAT got smaller updates and bug fixes on a very regular basis, hinting that the author was highly engaged with his creation during this timeframe, as shown below.
New plugins and minor updates are announced almost every day. 

The malware author chose to develop the RAT’s administration tool in JPHP using a niche Russian IDE called DevelNext. DevelNext compiles the PHP program into Java bytecode, which can then be executed on the JVM.
According to its GitHub page, the IDE is still in the beta stage, and it’s only available in the Russian language at this point. In the past, we’ve seen very few malware samples written in JPHP, because the executables it produces are both exceptionally large and slow to run. 
One example of malware using this IDE is a rudimentary backdoor called IceRAT, discovered in early 2020. This malware targeted Russian-speaking victims by installing crypto-mining software on their endpoints. An older example is one that was written for OSX as part of a campaign targeting Jaxx cryptocurrency wallets, which was discovered in 2018.
The administrator tool comes as a ZIP archive with the following structure:
File name / Description:
  • Admin launcher (created using Launch4j wrapper)
  • Admin updater tool
  • Script that executes dcrat_updservice.exe
  • Audio file with notification sound (2.5 sec)
  • Location of helper utilities
  • Contains DeleteAll_legacy.json file
  • Location of all the Java modules of the builder
  • Used to store downloaded plugins; by default, contains only a test plugin
  • Empty directory used to store user’s saved profiles
SHA256 hash / Module:
  • JSON module
  • Main builder module
  • GUI module
  • JPHP core module
  • zend module
  • jfoenix module
  • javafx module
  • Google gson module
  • PHP module
  • JPHP PHP runtime module
  • XML module
  • JPHP SDK module
  • javafx module
  • objectweb asm module
 app.name = DCRat2.0
 app.uuid = fabb4b64-bb3a-4418-a495-a0e669188d81
 app.version = 1
 # APP
 app.namespace = dct
 app.mainForm = MainForm
 app.showMainForm = 1
 app.fx.splash.autoHide = 0
File name / Description:
  • Legit 7zip DLL
  • DCRat EXE obfuscator
  • DCRCC.exe, DarkCrystalRATCSharpCompiler.exe: DCRat compiler
  • Part of WinRAR
  • Part of .NET Reactor
  • Part of .NET Reactor
  • Part of .NET Reactor
  • Part of WinRAR, signed
  • Part of WinRAR, signed
  • Part of WinRAR, signed
  • Part of WinRAR, signed
  • Part of WinRAR
  • DNLib – .NET assembly reader/writer library
  • Part of .NET Reactor
  • Part of .NET Reactor
  • Script used to encode VBS scripts
  • UPX 3.96 Windows 32-bit
  • Part of WinRAR, signed
Instead of Java class files, the JPHP JAR archives are composed mainly of PHB files.
PHB is a custom file format used exclusively by JPHP. PHB files are simply archives that contain uncompressed, unencrypted Java class files and a PHB header. Each Java class file is preceded by a class file header, containing information such as module name, method names, PHP file path, and the class file length.
Class files can be extracted with the following Python script, then decompiled using tools such as JAD or jd-gui.
import os
import sys
import struct

in_file = sys.argv[1]
out_dir = os.path.splitext(in_file)[0] + "_extracted"
os.makedirs(out_dir, exist_ok=True)
# base name only, so output files land inside out_dir rather than re-using the input path
base_name = os.path.basename(os.path.splitext(in_file)[0])

with open(in_file, 'rb') as f:
  buf = f.read()
  # Java class file magic; in a PHB archive each class is preceded by a 4-byte big-endian length
  magic = b'\xCA\xFE\xBA\xBE'
  offsets = [i for i in range(len(buf)) if buf.startswith(magic, i)]
  count = 0
  for of in offsets:
    if of < 4:
      continue  # no room for a length field before this magic
    file_name = base_name + "_" + str(count) + ".class"
    f.seek(of - 4)
    class_len = struct.unpack('>i', f.read(4))[0]
    file_data = f.read(class_len)
    with open(os.path.join(out_dir, file_name), "wb") as f2:
      f2.write(file_data)
    count += 1
The DCRat administrator tool, shown below in Figure 14, prevents unauthorized use through a series of online license checks. Once these checks succeed, the administrator interface becomes available.
The checks consist of HTTPS queries to the hardcoded domain dcrat[.]ru.
The first validation check transmits a random 64-character value, hashed and Base64-encoded prior to transmission. The response from the C2 server must contain the same value, and it must be similarly hashed and encoded to be considered valid. This exchange provides rudimentary peer validation, ensuring the administrator tool is communicating with a genuine DCRat license server.
A second HTTPS request authenticates the computer on which the administrator tool is running, as shown in Figure 15. A handful of host properties are collected to generate a unique fingerprint. This is transmitted to dcrat[.]ru and will (presumably) match against a valid subscriber entry.
The administrator tool also performs an unusual final HTTPS check to a public resource hosted on GitHub, under the personal space of “boldenis44.” The query and response functions have a global “kill switch,” as shown in Figure 16. At the DCRat author’s discretion, flipping this switch would render all instances of the DCRat administrator tool unusable, irrespective of subscriber license validity (so much for that “lifetime license”!).
This kill switch feature was found in separate administrator tool builds dated mid-2021 and early 2022.
The administrator tool allows a subscriber to take the following actions:
Login needs to be performed to an active C2 server hosting the backend PHP, as shown in Figure 17.
Login parameters follow an obscure syntax:
For reasons that are not entirely clear, the DCRat author implemented a function that displays a randomly generated number of “Servers working” and “Users online” that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.
Following authentication, the administrator tool begins polling the C2 for details of connected and infected hosts.
Functions are grouped using tabs, as shown in Figure 18:
  • This tab lists the active/registered installations of the DCRat client running on infected hosts. The list is updated using a periodic poll to the C2.
  • This tab is where the threat actor can configure (and generate) builds of the DCRat client executable. In the analyzed version of the administrator tool, the “core” of the client is downloaded from the dcrat[.]ru domain as a Base64 string, becoming input for “DCRCC.exe.” These are the available parameters for configuration:
  • Configure and build a DCRat loader binary. Support is provided for a range of stackable “Actions” combining to determine runtime behavior:
  • Provides file upload and a Netscape-to-JSON cookie converter.
  • Configure Builder settings:
  • Canned reports to query DCRat client installations (country, Windows version, etc.)
  • We cannot confirm at present what this function is for. It’s possible that this is a direct remote control/terminal client to an infected host.
  • Submit bug report to DCRat maintainer(s).
  • Configure Tasks to be executed on one or more DCRat clients. Tasks can be Saved (exported) to or Loaded (imported) from a text file. Tasks are stored as a reversed Base64 string.
  • Configure Tasks to be performed on all registered DCRat clients.
In this section we review the features of the DCRat client (stealer) and the DCRat Loader. Runtime behavior for both is configured using the DCRat administrator tool.
The administrator tool provides a function to generate a DCRat “Loader” executable. In the version we analyzed, generation of a loader in DLL format was not supported. It’s conceivable the author could add this support in newer builds.
The behavior of the Loader when executed is configured via one or more canned “Actions,” as shown in Figure 20. A typical build might be a combination of “Download File,” “Wait” and “Execute File,” which would silently pull down a file and then run it after waiting long enough to avoid arousing suspicion.
The source code for the Loader is embedded within the administrator tool as a series of Base64 strings that decode to reveal C# source code. Code for the executable is selected based on the Actions chosen by the user. The bundled “DCRCC.exe” generates the executable.
If selected, the generated executable will be protected using DotNET Reactor:
“-control_flow_obfuscation 1 -flow_level 9 -resourceencryption 1 -stringencryption 1 -suppressildasm 0 -all_params 1 -obfuscate_public_types 1 -exception_handling 0”
Persistence for DCRat is limited to common Windows "autorun” locations:
The client executable copies itself to the System drive root (e.g., C:) using the name of a randomly chosen running process, excluding “svchost.exe.”
DCRat’s config is embedded in the client binary as a Base64-encoded string resource. It has a JSON format and contains C2 URLs, a tag, a mutex name and a few execution options, as well as plugin-specific configuration options for included plugins.
  • Primary C2 URL
  • Secondary C2 URL
  • A tag specified at build time (e.g., victim ID, campaign ID, etc.)
  • Mutex name; by default it’s a random alpha-numeric value preceded by the "DCR_MUTEX-" prefix, but it can be set to any string
  • Debugging on/off
  • Build cache storage size
  • Exact use unknown; controls file rename/persistence behaviour
  • Auto-stealer on/off
  • Auto-keylogger on/off
  • Auto-uninstall on/off
  • Plugin-specific configuration options
As part of initial registration, the DCRat client reports a range of host attributes to its C2. This information is determined using a combination of WMI, .NET-provided instrumentation classes, and Windows registry queries:
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.93 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.55 Safari/537.36 Edg/96.0.1054.34",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53",
"Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 OPR/81.0.4196.60",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29",
"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0"
The Stealer functions of DCRat are pre-configured using the administrator tool “Builder.” Stealer “Tasks” define the sequence of operations carried out during theft of stored information: 
DCRat can steal from the following sources (including those pictured in Figure 22):
The Stealer component is also capable of running bespoke plugins, making it extensible to accommodate information malware authors find on specific targets.
The DCRat Stealer contains primitive, multi-threaded code to perform different forms of DoS attacks, including HTTP(S) POST, UDP and TCP, against a specific host and endpoint combination.
Like many malware families, DCRat uses built-in Windows command-line tools to delay execution. Execution of the DCRat client is accompanied by invocations of w32tm, the Windows time service configuration tool. Given suitable command-line arguments, as shown in Figure 23, it can act as a delay mechanism; in the case of DCRat, the arguments passed act as 10-second delays. Coincident instances of w32tm in endpoint XDR telemetry could be a possible, albeit somewhat weak, signal of DCRat client execution:
Plugins can be designed by third-party developers with the use of a dedicated IDE called DCRat Studio. Official plugins are available to download from crystalfiles[.]ru (as shown in Figure 24) and their functionality includes data exfiltration/credential stealing, system manipulation, and cryptocurrency mining.
To harness the power of crowd-sourced development and to encourage an ecosystem of plugins that target different information stores, DCRat subscribers have access to a list of supported third-party plugins. The precise inner workings of each plugin are unknown, but the name of each does provide an indicator of function:
The biggest, flashiest threat groups might get their name in lights, but they aren’t necessarily the cybercriminals that keep security practitioners up at night. The scary, cutting-edge threats that come out of those advanced and well-funded threat groups do occasionally cause headaches for those of us who aren’t guarding state secrets or ridiculous amounts of money. But miscreants with too much time on their hands can often cause just as much hassle.
Generally speaking, you get what you pay for, even in malware. If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported. But DCRat seems to break that rule in a way that’s deeply perplexing. 
This RAT’s code is being improved and maintained daily. If the threat is being developed and sustained by just one person, it appears that it’s a project they are working on full-time.

There are certainly programming choices in this threat that point to this being a novice malware author who hasn’t yet figured out an appropriate pricing structure. Choosing to program the threat in JPHP and adding a bizarrely non-functional infection counter certainly point in this direction. It could be that this threat is from an author trying to gain notoriety, doing the best with the knowledge they have to make something popular as quickly as possible.

While the author’s apparent inexperience might make this malicious tool seem less appealing, some could view it as an opportunity. More experienced threat actors might see this inexperience as a selling point, as the author seems to be putting in a lot of time and effort to please their customers.

DCRat Stealer; Delay Command; Process/.BAT invocation:
“w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2”

DCRat Stealer; Self Preservation; Windows Registry changes:
    REG_DWORD: “DisableTaskMgr”:1
DCRat Stealer; Persistence; Windows Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    REG_SZ: “Shell”: “explorer.exe, %STEALER_EXE_PATH%”
    HKCU|HKLM\Software\Microsoft\Windows\CurrentVersion\Run: <STEALER_EXE_PATH>
DCRat Stealer; Persistence; Windows Scheduled Tasks:
schtasks.exe /create /tn <STEALER_EXE_NO_EXTENSION> /sc ONLOGON /tr <STEALER_EXE_PATH> /rl HIGHEST /f
schtasks.exe /create /tn <STEALER_EXE_NO_EXTENSION> /sc minute /mo <RND_MIN5_MAX15> /tr <STEALER_EXE_PATH> /f
DCRat Stealer; Host Fingerprint; WMI Queries:
SELECT * FROM AntivirusProduct: displayName
SELECT * FROM FirewallProduct: displayName
SELECT * FROM Win32_BIOS: Manufacturer
SELECT * FROM Win32_BaseBoard: Manufacturer, SerialNumber
SELECT * FROM Win32_Processor: Name
SELECT * FROM Win32_ComputerSystem: TotalPhysicalMemory
SELECT * FROM Win32_VideoController: Name, AdapterRAM
SELECT * FROM Win32_PnPEntity WHERE (PNPClass = 'Image' OR PNPClass = 'Camera')
DCRat Stealer; Host Fingerprint; Windows Registry:
READ: HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\Release
READ: HKLM\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\<SUBKEY_1..SUBKEY_N>: {AdapterString, DriverDesc, qwMemorySize}
DCRat Stealer; Runtime; Mutex (default format, if not overridden):
    DCR_MUTEX-<RANDOM_ALPHANUMERIC>
DCRat Builder/Admin Tool; C2 Network Traffic:
    DNS + HTTPS: dcrat[.]ru, crystalfiles[.]ru
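As an added example (not code from the BlackBerry post or from DCRat itself), the following Python scans process-creation command lines for the w32tm delay, scheduled-task and registry patterns listed above. The sample events, PIDs and the path C:\conhost.exe are constructed; the DisableTaskMgr key path used in the sample is the standard Windows policy location, which the post does not name.

```python
import re

# Constructed sample process-creation events (not real telemetry). The first five
# mirror the commands and registry changes listed in the post; the last two are benign.
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2"},
    {"pid": 4131, "cmdline": r"schtasks.exe /create /tn conhost /sc ONLOGON /tr C:\conhost.exe /rl HIGHEST /f"},
    {"pid": 4140, "cmdline": r"schtasks.exe /create /tn conhost /sc minute /mo 7 /tr C:\conhost.exe /f"},
    {"pid": 4152, "cmdline": r'reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"'
                             r' /v Shell /t REG_SZ /d "explorer.exe, C:\conhost.exe" /f'},
    {"pid": 4160, "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
                             r" /v DisableTaskMgr /t REG_DWORD /d 1 /f"},
    {"pid": 5000, "cmdline": "w32tm /query /status"},
    {"pid": 5010, "cmdline": r"schtasks.exe /create /tn Backup /sc daily /tr C:\Tools\backup.exe /f"},
]

# An executable sitting directly in a drive root, where the DCRat client copies itself.
ROOT_EXE = re.compile(r'^"?[a-z]:\\[^\\"]+\.exe"?$', re.I)

def _tool(tokens, *names):
    """True if the first token (quotes and directory stripped) is one of the named tools."""
    if not tokens:
        return False
    return tokens[0].strip('"').lower().rsplit("\\", 1)[-1] in names

def _opt(tokens, flag):
    """Value of an option written either as /flag:value or as /flag value (None if absent)."""
    for i, t in enumerate(tokens):
        if t.lower().startswith(flag + ":"):
            return t[len(flag) + 1:]
        if t.lower() == flag and i + 1 < len(tokens):
            return tokens[i + 1]
    return None

def detect_w32tm_delay(cmdline):
    """w32tm abused as a sleep: a stripchart against localhost with data-only output."""
    toks = cmdline.split()
    low = [t.lower() for t in toks]
    if _tool(toks, "w32tm", "w32tm.exe") and {"/stripchart", "/computer:localhost", "/dataonly"} <= set(low):
        return "w32tm stripchart delay (period=%s, samples=%s)" % (_opt(low, "/period"), _opt(low, "/samples"))
    return None

def detect_schtasks_persistence(cmdline):
    """Scheduled task for a root-level EXE: ONLOGON with highest privileges, or every 5-15 minutes."""
    toks = cmdline.split()
    low = [t.lower() for t in toks]
    if not _tool(toks, "schtasks", "schtasks.exe") or "/create" not in low:
        return None
    target = _opt(toks, "/tr")
    if not target or not ROOT_EXE.match(target):
        return None
    sc, mo = _opt(low, "/sc"), _opt(low, "/mo")
    if sc == "onlogon" and _opt(low, "/rl") == "highest":
        return "logon task with highest privileges -> %s" % target
    if sc == "minute" and mo and mo.isdigit() and 5 <= int(mo) <= 15:
        return "every-%s-minute task -> %s" % (mo, target)
    return None

def detect_registry_tamper(cmdline):
    """Winlogon Shell hijack or Task Manager lockout written through reg.exe add."""
    toks = cmdline.split()
    if not _tool(toks, "reg", "reg.exe") or len(toks) < 2 or toks[1].lower() != "add":
        return None
    low = cmdline.lower()
    if "winlogon" in low and "/v shell" in low and "explorer.exe," in low:
        return "Winlogon Shell set to explorer.exe plus an extra executable"
    if "disabletaskmgr" in low and re.search(r"/d\s+1\b", low):
        return "Task Manager disabled (DisableTaskMgr=1)"
    return None

DETECTORS = (detect_w32tm_delay, detect_schtasks_persistence, detect_registry_tamper)

def scan(events):
    """Return (pid, finding) for every event matched by a detector, in event order."""
    hits = []
    for ev in events:
        for det in DETECTORS:
            finding = det(ev["cmdline"])
            if finding:
                hits.append((ev["pid"], finding))
    return hits
```

Each detector on its own is a weak signal; the w32tm and schtasks hits become meaningful when they occur close together on the same host, as the post describes.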
The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.
© 2022 BlackBerry Limited. All rights reserved.