Cybersecurity researchers have revealed a new malware campaign that uses the PureCrypter malware loader to spread the DarkVision RAT, a commodity remote access Trojan (RAT).
The RAT payload is delivered by a multi-step method in this operation, which Zscaler ThreatLabz discovered in July 2024.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” security researcher Muhammed Irfan V A said in an analysis.
“DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures.”
An off-the-shelf malware loader that can be purchased on a subscription basis, PureCrypter was first made public in 2022 and gives users the opportunity to spread ransomware, RATs, and information thieves.
Although it prepares the way for a.NET program that is in charge of decrypting and starting the open-source Doughnut loader, it is unclear exactly which initial access vector was used to distribute PureCrypter and, consequently, DarkVision RAT.
The Doughnut loader then starts PureCrypter, which unpacks and loads DarkVision after establishing persistence and adding the RAT’s file locations and process names to the list of exclusions in Microsoft Defender Antivirus.
Using the ITaskService COM interface, autorun keys, and a batch script with a command to run the RAT executable, together with a shortcut to the batch script in the Windows startup folder, persistence can be accomplished by setting up scheduled tasks.
A Clearnet site advertises the RAT, which first appeared in 2020, for as little as $60 for a one-time payment. This makes it an alluring option for threat actors and would-be cybercriminals who lack technical expertise and want to launch their own assaults.
The RAT, which was created in C++ and assembly (also known as ASM) for “optimal performance,” has a wide range of features that enable, among other things, process injection, remote shelling, reverse proxying, clipboard manipulation, keylogging, screenshot taking, and cookie and password recovery from web browsers.
To further enhance its functionality and provide the operators total control over the compromised Windows host, it is also made to collect system data and receive more plugins delivered from a C2 server.
“DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution,” Zscaler said.
“This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers.”
The results are in line with the appearance of a new malware loader called Pronsis Loader, which has been used in campaigns to distribute Latrodectus and Lumma Stealer. The first iteration was released in November 2023.
“Pronsis Loader is a newly identified malware that bears similarities to the D3F@ck Loader,” Trustwave researchers Cris Tomboc and King Orande said. “Both utilize JPHP-compiled executables, making them easily interchangeable.”
“However, one area they diverge in is their installer approaches: while D3F@ck Loader uses Inno Setup Installer, Pronsis Loader leverages Nullsoft Scriptable Install System (NSIS).”
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: CIO News LinkedIn Account | CIO News Facebook | CIO News Youtube | CIO News Twitter
About us:
CIO News is the premier platform dedicated to delivering the latest news, updates, and insights from the CIO industry. As a trusted source in the technology and IT sector, we provide a comprehensive resource for executives and professionals seeking to stay informed and ahead of the curve. With a focus on cutting-edge developments and trends, CIO News serves as your go-to destination for staying abreast of the rapidly evolving landscape of technology and IT. Founded in June 2020, CIO News has rapidly evolved with ambitious growth plans to expand globally, targeting markets in the Middle East & Africa, ASEAN, USA, and the UK.
CIO News is a proprietary of Mercadeo Multiventures Pvt Ltd.
