Cybersecurity researchers have disclosed a new malware campaign that leverages a malware loader named PureCrypter to deliver a commodity remote access trojan (RAT) called DarkVision RAT.
The activity, observed by Zscaler ThreatLabz in July 2024, involves a multi-stage process to deliver the RAT payload.
“DarkVision RAT communicates with its command-and-control (C2) server using a custom network protocol via sockets,” security researcher Muhammed Irfan V A said in an analysis.
“DarkVision RAT supports a wide range of commands and plugins that enable additional capabilities such as keylogging, remote access, password theft, audio recording, and screen captures.”
PureCrypter, first publicly disclosed in 2022, is an off-the-shelf malware loader that’s available for sale on a subscription basis, offering customers the ability to distribute information stealers, RATs, and ransomware.
The exact initial access vector used to deliver PureCrypter and, by extension, DarkVision RAT is not exactly clear, although it paves the way for a .NET executable that’s responsible for decrypting and launching the open-source Donut loader.
The Donut loader subsequently proceeds to launch PureCrypter, which ultimately unpacks and loads DarkVision, while also setting up persistence and adding the file paths and process names used by the RAT to the Microsoft Defender Antivirus exclusions list.
Persistence is achieved by setting up scheduled tasks using the ITaskService COM interface, autorun keys, and creating a batch script that contains a command to execute the RAT executable and placing a shortcut to the batch script in the Windows startup folder.
The RAT, which initially surfaced in 2020, is advertised on a clearnet site for as little as $60 for a one-time payment, offering an attractive proposition for threat actors and aspiring cyber criminals with little technical know-how who are looking to mount their own attacks.
Developed in C++ and assembly (aka ASM) for “optimal performance,” the RAT comes packed with an extensive set of features that allow for process injection, remote shell, reverse proxy, clipboard manipulation, keylogging, screenshot capture, and cookie and password recovery from web browsers, among others.
It’s also designed to gather system information and receive additional plugins sent from a C2 server, augmenting its functionality further and granting the operators complete control over the infected Windows host.
“DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution,” Zscaler said.
“This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers.”
The findings coincide with the emergence of a new malware loader dubbed Pronsis Loader that has been put to use in campaigns delivering Lumma Stealer and Latrodectus. The earliest version dates back to November 2023.
“Pronsis Loader is a newly identified malware that bears similarities to the D3F@ck Loader,” Trustwave researchers Cris Tomboc and King Orande said. “Both utilize JPHP-compiled executables, making them easily interchangeable.”
“However, one area they diverge in is their installer approaches: while D3F@ck Loader uses Inno Setup Installer, Pronsis Loader leverages Nullsoft Scriptable Install System (NSIS).”