A budget-friendly remote access trojan (RAT) that's under active development is selling on underground Russian forums for about $7 for a two-month subscription, according to BlackBerry researchers today.
The backdoor Windows malware, dubbed DCRat or DarkCrystal RAT, was released in 2018, then redesigned and relaunched the following year. An individual who goes by the handles boldenis44, crystalcoder, and Кодер (Coder) developed the RAT, we're told, and works to improve it on a daily basis.
Despite the bargain price, and the fact that DCRat is the work of a lone developer rather than custom malware sold by a well-funded, sophisticated crime ring, its modular architecture and plugin framework let miscreants perform a range of nefarious acts. These include espionage and data theft, distributed denial-of-service attacks, and dynamic code execution in several different languages, the BlackBerry research team wrote in its analysis.
DCRat is expected to be deployed within a network once a miscreant has broken in, such as by exploiting some vulnerability, or obtaining or guessing a user's credentials. The tool is used to remotely control compromised systems, and copies can only be used while a paid-for subscription is active. The product consists of three components:
"The RAT currently seems to be under active development," according to the BlackBerry research team. "The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins."
The DCRat administrator tool is written in JPHP, an unusual choice because it produces very large, slow executables, the security researchers noted. It also has a kill switch that, if flipped, renders all instances of the administrator tool unusable.
However, once the subscription validation checks are completed, and assuming the kill switch isn't flipped, the malware subscriber can use the administrator tool to communicate with the command-and-control server, configure builds of the client executable, and even submit bug reports to the DCRat author. The entire bundle, along with plugins, a plugin development framework, and other tools, is hosted on crystalfiles[.]ru.
Previously, they were located at dcrat[.]ru, until a Mandiant analysis in May 2020 prompted the malware author to move the software nasty to a new domain.
The security researchers also noted that in recent months, DCRat clients have been deployed alongside Cobalt Strike beacons through the Prometheus TDS (traffic direction system).
While the marketing, sales, and some pre-sale queries are handled through the Russian cybercrime forum lolz[.]guru, BlackBerry said DCRat may also be sold on other forums or on the dark web.
The most common file name for distribution, across different versions of the RAT, seems to be 1ac770ea1c2b508fb3f74de6e65bc9c4[.]zip.
Updates are announced via a Telegram channel, which has about 3,000 subscribers.
And the prices, excluding the promotional discounts the malware author sometimes offers, are:
Both the product's low price and the author's use of JPHP indicate "a novice malware author who hasn't yet figured out an appropriate pricing structure," BlackBerry's analysts stated. However, this doesn't mean that DCRat should be ignored.
"Generally speaking, you get what you pay for, even in malware. If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported," it said. "But DCRat seems to break that rule in a way that's deeply perplexing."
The software nasty seems to be a full-time job for the lone developer, who puts in "a lot of time and effort to please their customers," the team wrote.
"This underscores the idea that it's not just the Contis and REvils of the world that security practitioners have to worry about," they concluded. "Miscreants with too much time on their hands can often cause just as much hassle."
The BlackBerry team has shared indicators of compromise and other technical details should you wish to scan your network for this malicious code. ®
The Register - Independent news and views for the tech community. Part of Situation Publishing
Biting the hand that feeds IT © 1998–2022