SECURITY

Dark Crystal RAT Agent Deep Dive

The Splunk Threat Research Team (STRT) analyzed and developed Splunk analytics for this RAT to help defenders identify signs of compromise within their networks. 

Remote Access Trojans (RATs) are one of the most common tools used by threat actors as a malicious payload to attack targeted hosts and steal information. One example is the Dark Crystal RAT (DCRat) that is capable of remote access, post exploitation and data exfiltration. 

DCRat is one of the underground commercial RAT tools used by several threat groups to attack networks and businesses (1) (2). This RAT has been identified in campaigns targeting Ukraine organizations as reported by CERT-UA. The payload is delivered by spear phishing emails in the first stages of the attacks.

For this blog, we look for DCRAT campaign samples that we can analyze and test in Splunk Attack Range Environment with installed R.E. tools like Dnspy and scripting tools (e.g. powershell, python, batch script) to analyze the malware behavior and extract TTPs that will help the STRT to generate dataset for detections development and testing.

Spear Phishing

Based on the CERT-UA initial threat report, the Dark Crystal RAT infection chain starts when victims are tricked into opening a malicious Microsoft Excel “.xls” office document containing macro code that will drop and execute a batch script named “c:\user\public\new.bat”. This script will execute an embedded Powershell script that downloads the second stage payload responsible for downloading and executing the actual DCRAT malware on the compromised host.

Figure 1.1 and 1.2 show the macro code and the content of the batch script which is a base64 encoded PowerShell script downloader.

Figure 1.1

Figure 1.2

DCRat Analysis

This malware is a .NET compiled assembly that leverages multithreading to execute its malicious actions concurrently on a compromised host. As RAT malware, it has several capabilities to collect data, steal information or even execute post exploitation payload and plugins. 

Below are some notable behaviors of this RAT malware we found during our analysis. 

Initial Configuration

DCRat will decode and decompress its configuration data embedded in the binary. This configuration will dictate what mutex and DCRat features are enabled in this compiled DCRat malware. Figure 2 shows the decoded and decompressed value of its configuration data.

Figure 2

From Figure 2, we can see the mutex name of this malware sample, "DCR_MUTEX-PNY1ZVhO2iPJoDxTnEBp", and the set of features enabled include “screenshot”, “telegram”, “clipboard”, “sysinfo”. 

Afterwards, it will decompress and decode another set of encoded data which is 2 url links that will be used for download and beaconing communication to its C2. If initial beaconing and C2 does not send back data, it will terminate its process. Figure 2.1 and 2.2 are the screenshots of the decoded URL link and how it forms its beacon traffic.

Figure 2.1


Figure 2.2

Figure 2.3 shows the simple Directed Acyclic Graph (DAG) how this DCRAT malware variant decodes and decompresses its configuration data. The graph shows the use of the Base64 encoding algorithm and compression streams to hide its configuration data.

Figure 2.3

Persistence

DCRat is also capable of persisting on the compromised host leveraging three distinct techniques. Its methods include: creating a scheduled task, creating a Registry Run Key and creating a Winlogon Autostart Registry Key. Figures 3.1 and 3.2 show the persistence entry code.

Figure 3.1

Figure 3.2

W32tm Time Delay

DCRat will also drop a .bat file containing a script that runs the W32tm “stripchart” command on the compromised host. This command is used as a delay tactic for its execution and beaconing. 

This command is not commonly used by a normal user in a production network, that's why it can be a good pivot alert for possible DCRAT malware executions.

Figure 4 shows the code of the w32tm stripchart command that will be run with “runas” command.

Figure 4

Data Collection

DCRat collects sensitive information from compromised hosts that will be sent to its Command & Control server. Figure 5 shows the code that collects data such as:

 

  • server type
  • Name, username, isadmin
  • GPU info, CPU info, webcam and much more

 

 

Figure 5

 

It will also collect information related to common third party applications like Steam user, Steam userid, Telegram path, Discord path, webcam and microphones. Figure 6 shows the code that parses that information if the software is installed on the host.

Figure 6

Figure 7 shows how DCRat collects the public IP address from the compromised host by accessing the IP web service named as “https[:]//ipinfo[.]io/json”.

Figure 7

Figure 7.1

Figure 8 shows the structure of the backdoor command where the hash was used to know what RAT function to execute. This is a good anti-analysis technique especially if the C2 server was already down, because it is not easy to revert back the hash to its string command due to its hash algorithm.

Figure 8

To retrieve the backdoor command strings out of these hash values, the STRT did an experiment where we gathered and simulated the hashing algorithm for all the DCRat command strings shared by Mandiant in their DCRat blog for an old DCRat variant malware. 

With this approach, we managed to recover some of the backdoor command strings that are shown in Figure 9.

Figure 9

Below is the short table of commands that we managed to recover with a short description of what they try to do. These commands can be executed on the server side of the DCRAT agent to perform specific DCRAT functions.

Command

Hashes

Description

logoff

334551U

Logoff the host machine

ddos

160478U

Send TCP post and UDP packet on chosen ip address

fm_zip

18691U

Build zip file and transfer it to its C2

browseurl

119627U

Open url link using iexplorer.exe or explorer.exe

restart

134266U

Restart the host machine

forkbomb

225809U

Execute several “notepad.exe & pause” command

fm_opendir

204675U

List directory files and content

fm_rename

290226U

Rename or move files

shutdown

281864U

Shutdown the host machine

fm_unzip

687473U

Unzip files in a directory path

taskkill

343584U

Terminate a process

keyboardrecorder

419613U

Send keystroke

taskstart

526922U

Run a process

fm_delete

516557U

Delete files recursively in a directory path

fm_drives

549717U

List all drives

shell

677710U

Run cmd shell command

msgbox

872468U

Display msgbox

deleteall

750724U

Delete all files in all mounted drives

clipboard

788583U

Get clipboard text

uninstall

859704U

Delete its client component

fm_newfolder

909989U

Create directory

 

Other capabilities we identified that are not described in detail includes the following:  

  • Download files from its C2 server
  • Get text clipboard
  • Download file from its C2 server and execute it
  • Compile and execute payloads either (C#, VB, bat, powershell) 
  • Read a file 
  • Kill process by process id 
  • Get screenshot and mouse status 
  • Resume or suspend thread by process id 
  • List processes 
  • decode and load base64 plugin 

Detections

The following are the detections produced from the analysis of this threat, you can find them at our github repository or at research.splunk.com

Windows System LogOff Command Line

The following analytic identifies the Windows command line for logging off a Windows host machine using shutdown.exe windows application. 

Windows System Reboot Command Line

The following analytic identifies the Windows command line for rebooting a Windows host machine using shutdown.exe windows application.

Windows System Shutdown Command Line

The following analytic identifies the Windows command line that executes shutdown on a Windows host machine using shutdown.exe windows application.

Windows Command Shell DCRat ForkBomb Payload

The following analytic identifies DCRat "forkbomb" payload feature. This technique was seen in Dark Crystal RAT backdoor capabilities where it executes several cmd child processes referencing "notepad.exe & pause".

Windows System Time Discovery W32tm Delay

The following analytic identifies DCRat delay time tactics using w32tm. This technique was seen in DCRat malware where the use of stripchart function of w32tm.exe application is observed  delaying the execution of its payload for c2 communication, beaconing and execution

Windows Gather Victim Host Information Camera

The following analytic detects a powershell script that enumerates the camera mounted to the targeted host.


Windows Ingress Tool Transfer Using Explorer

The following analytic detects an explorer.exe with a possible url link process command line on it.

Detections Summary

 

Type 

Name

Technique ID

Tactic

Description

TTP

Any Powershell DownloadFile

T1059.001

Execution

This analytic identifies the use of PowerShell downloading a file using the DownloadFile method.

TTP

Executables Or Script Creation In Suspicious Path

T1036

Defense Evasion

This analytic will identify suspicious executable or scripts (known file extensions) in a list of suspicious file paths in Windows.

Hunting

Malicious PowerShell Process - Encoded Command

T1027

Defense Evasion

This analytic identifies the use of the EncodedCommand PowerShell parameter. 

TTP

Malicious PowerShell Process - Execution Policy Bypass

T1059.001

Execution

This search looks for PowerShell processes started with parameters used to bypass the local execution policy for scripts.

TTP

Office Document Executing Macro Code

T1566.001

Initial Access

This detection was designed to identify suspicious office documents using macro code.

TTP

Office Product Spawn CMD Process

T1218.005

Defense Evasion

This search is to detect a suspicious office product process that spawns a cmd child process.

TTP

Suspicious Process File Path

T1543

Persistence, Privilege Escalation

This analytic will detect a suspicious process running in a file path where a process is not commonly seen and is most commonly used by malicious software.

Hunting

Windows Gather Victim Network Info Through Ip Check Web Services

T1590.005

Reconnaissance

This analytic identifies a process that attempts to connect to a known IP web service.

Anomaly

Windows High File Deletion Frequency

T1485

Impact

This search looks for high frequency of file deletion relative to process name and process id.

Hunting

CMD Carry Out String Command Parameter

T1059.003

Execution

This analytic identifies command-line arguments where cmd.exe /c is used to execute a program. cmd /c is used to run commands in MS-DOS and terminate after command or process completion.

TTP

Scheduled Task Deleted Or Created via CMD

T1053.005

Execution, Persistence, Privilege Escalation

This analytic identifies the creation or deletion of a scheduled task using schtasks.exe with flags - create or delete being passed on the command-line.

Anomaly

Suspicious Scheduled Task from Public Directory

T1053.005

Execution, Persistence, Privilege Escalation

This detection identifies Scheduled Tasks registering (creating a new task) a binary or script to run from a public directory which includes users\public, \programdata\ and \windows\temp.

Hunting

WinEvent Windows Task Scheduler Event Action Started

T1053.005

Execution, Persistence, Privilege Escalation

This hunting analytic assists with identifying suspicious tasks that have been registered and run in Windows using EventID 200 (action run) and 201 (action completed).

Anomaly

Windows System LogOff Commandline (New)

T1529

Impact

This analytic identifies the Windows command line to logoff a Windows host machine. 

Anomaly

Windows System Reboot CommandLine (New)

T1529

Impact

This analytic identifies the Windows command line to reboot a Windows host machine.

 

Windows System Shutdown CommandLine (New)

T1529

Impact

This analytic identifies the Windows command line to shutdown a Windows host machine. 

TTP

Windows Command Shell DCRat ForkBomb Payload (New) 

T1059.003

Execution

This analytic identifies DCRat "forkbomb" payload feature. This technique was seen in Dark Crystal RAT backdoor capabilities where it will execute several cmd child processes executing "notepad.exe & pause". 

Anomaly

Windows System Time Discovery W32tm Delay (new)

T1124

Discovery

This analytic identifies DCRat delay time tactics using w32tm.

Anomaly

Windows Gather Victim Host Information Camera (new)

T1592.001

Reconnaissance

This analytic detects a powershell script that enumerates the camera mounted to the targeted host.

Anomaly

Windows Ingress Tool Transfer Using Explorer (New)

T1105

Command and Control

This analytic detects an explorer.exe with a possible url link process command line on it.

IOC

File: Алгоритм_LegalAid.xlsm
Sha256: 2b2438aa8da7c23e714f2d7a196d82ed52914c9353ef9fded01448216bd858ff

File: dcrat loader
Sha256: 7cffb54cb07db2f4104b8764ff15799111d06ea81d9c74c09134c61341d74202

File: dcrat
Sha256: 96444376dfd650f8c994116f90be1cacbd337ebdcbafe922910645cb7549ace2

 

Automate with SOAR Playbooks 

All of the previously listed detections create entries in the risk index by default, and can be used seamlessly with risk notables and the Risk Notable Playbook Pack. The community Splunk SOAR playbooks below can be used in conjunction with some of the previously described analytics:

Playbook

Description

Internal Host SSH Investigate

Investigate an internal *nix host using SSH. This pushes a bash script to the endpoint and runs it, collecting generic information about the processes, user activity and network activity. This includes the process list, login history, cron jobs and open sockets. The results are zipped up in .csv files and added to the vault for an analyst to review.

Internal Host WinRM Investigate

Performs a general investigation on key aspects of a windows device using windows remote management. Important files related to the endpoint are generated, bundled into a zip, and copied to the container vault.

Delete Detected Files

This playbook acts upon events where a file has been determined to be malicious (ie webshells being dropped on an end host). Before deleting the file, we run a “more” command on the file in question to extract its contents. We then run a delete on the file in question.

Conclusion

As shown in this blog, DCRat or Dark Crystal Remote Administration Tool is a powerful and versatile command and control malware, this type of crimeware which is now available for a low price in different underground forums, provides would be criminals with low cost effective tools that can allow them to perform exploitation and post exploitation techniques only found in high cost commercial tools or highly skilled actors. 

The criminal underground is constantly developing new tools available for purchase as cybercrime has proven to be profitable for many groups. These tools lower the bar for those intending to enter the cybercrime scene, increasing the pool of options and number of criminal groups and malicious campaigns. 

Splunk Threat Research Team will continue researching and analyzing these malicious payloads and provide the community with tools to defend against these threats. For all our tools and security content please visit research.splunk.com.

Learn More

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.


Contributors

We would like to thank the following for their contributions to this post:

 

  • Teoderick Contreras
  • Mauricio Velazco 
  • Michael Haag
  • Rod Soto
  • Lou Stella
  • Jose Hernandez
  • Patrick Barreiss
  • Bhavin Patel
  • Eric McGinnis

 

 

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.


Read more Splunk Security Content