
According to researchers at BlackBerry, a budget-friendly and actively developed remote access trojan (RAT) is being sold on underground forums for about $7 for a two-month subscription. A bargain price indeed.

The ridiculously low price tag might result from the tool being developed by a single individual.

This contrasts with other custom malware, which is created and distributed by sophisticated crime rings.

Despite this, DCRat includes espionage and data theft features, as well as DDoS attacks and dynamic code execution in several different languages.

So this is serious trouble for business owners around the world, regardless of company size.


DCRat: Cheapest RAT (Remote Access Trojan) in the Market

As we initially mentioned, this backdoor Windows malware dubbed DCRat (sometimes DarkCrystal RAT) was written in .NET (its administrator tool is written in JPHP) and it was first released in 2018, then redesigned and relaunched the following year. 

The 3.0 version shipped on May 30, 2020, while the current 4.0 version launched nearly a year later, on March 18, 2021. All of this is the work of one developer who goes by the names boldenis44, crystalcoder, and Кодер (Coder), and who works on improvements daily.

DCRat has a modular structure, giving affiliates the ability to develop their own plugins using a dedicated integrated development environment (IDE) called DCRat Studio.

But this is not the most impressive part of DCRat. Bad actors deploy the malware inside a network once they’ve broken in by exploiting vulnerabilities or by obtaining or guessing login credentials.

If this wasn’t scary enough, DCRat is also known to support surveillance and reconnaissance features: capturing screenshots, recording keystrokes, and stealing content from the clipboard and web browsers.


BlackBerry security researchers also noted that it has a kill switch that renders all instances of the administrator tool unusable, and that it produces large and slow executables.

“If the subscription validation checks complete and the kill switch didn’t flip, then the malware subscriber can use the administrator tool to communicate with the command-and-control server, configure builds of the client executable, and even submit bug reports to the DCRat author. And the entire bundle, along with plugins, plugin development framework, and other tools are hosted on crystalfiles[.]ru.”


All of this indicates that the tool is used to control compromised systems remotely. The malware only activates once the subscription is paid, and DCRat’s pricing, excluding promotional discounts, starts at 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.

This is just a fraction of what other RATs cost. DCRat is sold on underground forums (such as lolz[.]guru) and is commonly distributed as a file named 1ac770ea1c2b508fb3f74de6e65bc9c4[.]zip.

Curiously enough, updates are announced on a Telegram channel with more than 3,000 subscribers.



CryptoStealer, TelegramNotifier, and WindowsDefenderExcluder are just some of the plugins updated in recent weeks and, accordingly, announced through posts in the group.

A translated message from April 16 says: “Some Fun features have been moved to the standard plugin. The weight of the build has slightly decreased. There should be no detects that go specifically to these functions.”

BlackBerry’s analysts stated that “both the product’s low price, plus the author’s use of JPHP indicate a novice malware author who hasn’t yet figured out an appropriate pricing structure.”

However, we shouldn’t ignore DCRat. 


“Generally speaking, you get what you pay for, even in malware. If you pay a pittance for something, you would be wise to expect it to be less functional or poorly supported. 

But DCRat seems to break that rule in a deeply perplexing way.”


They concluded that the RAT is maintained daily, meaning the author (a lone developer) is working on this project full-time and puts in “a lot of time and effort to please their customers.”


“This underscores the idea that it’s not just the Contis and REvils of the world that security practitioners have to worry about. 

Miscreants with too much time on their hands can often cause just as much hassle.”