Malware / Cybercrime
Cybersecurity researchers have uncovered a new malware campaign utilizing a malware loader called PureCrypter to distribute a remote access trojan (RAT) named DarkVision RAT.
Zscaler ThreatLabz observed this activity in July 2024, which involves a multi-stage process to deliver the RAT payload.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” explained security researcher Muhammed Irfan V A in a recent analysis.
The RAT offers a wide range of commands and plugins that enable capabilities like keylogging, remote access, password theft, audio recording, and screen captures.
PureCrypter, first revealed in 2022, is a malware loader sold on a subscription basis, enabling the distribution of information stealers, RATs, and ransomware.
The initial access vector for PureCrypter and DarkVision RAT is not entirely clear, but it involves a .NET executable that decrypts and launches the open-source Donut loader.
DarkVision RAT offers various features like process injection, remote shell, keylogging, screenshot capture, and recovery of passwords and cookies from web browsers.
DarkVision RAT, available for as low as $60, is popular among cybercriminals due to its versatility and malicious capabilities.
Developed in C++ and assembly, the RAT allows for remote execution, keylogging, screen capture, password theft, and more.
It can gather system information and receive additional plugins from a C2 server, giving operators complete control over infected Windows systems.
Zscaler notes that the RAT’s affordability and availability on hack forums have contributed to its increasing popularity among attackers.