The new CrystalRAT malware adds RAT, stealth and prankware features

A new malware-as-a-service called CrystalRAT is being developed on Telegram, which offers remote access, data theft, key logging, and clipboard hijacking capabilities.
The malware appeared in January with a tiered subscription model. Besides the Telegram channel, the MaaS has also been promoted on YouTube through a dedicated marketing channel that showcases its capabilities.
Kaspersky researchers said in today’s report that the malware bears strong similarities to WebRAT (Salat Stealer), including the same panel design, Go-based code, and the same bot-based sales program.
CrystalX also includes a wide range of prankware features designed to annoy the user or disrupt their work. Despite its “fun” side, CrystalX offers a large set of data theft capabilities.

Source: Kaspersky
Details of CrystalX RAT
Kaspersky says the malware offers an easy-to-use control panel and an automated builder that supports customization options, including geoblocking, executable customization, and anti-analysis features (anti-debugging, VM detection, proxy detection, and so on).
The generated payloads are compressed with zlib and encrypted with the ChaCha20 stream cipher.
The malware connects to its command-and-control (C2) server via WebSocket and sends information about the host for profiling and infection tracking.
The CrystalX infostealer component, which Kaspersky found to be temporarily disabled in preparation for an upgrade, targets Chromium-based browsers (using the ChromeElevator tool), Yandex, and Opera. It also collects data from desktop applications such as Steam, Discord, and Telegram.
The remote access module can be used to execute commands via CMD, upload/download files, browse the file system, and control the machine in real-time via the built-in VNC.
The malware also exhibits spyware-like behavior, as it can capture video and record audio from the microphone.
Finally, CrystalX includes a keylogger that streams keystrokes to the C2 in real time, and a clipboard-hijacking module that uses regular expressions to find wallet addresses in the clipboard and replace them with the attacker's.

Source: Kaspersky
Putting “fun” in the package
What sets CrystalX apart in the crowded MaaS space is its rich set of prankware features.
According to Kaspersky, the malware can do the following on infected devices:
- change the desktop wallpaper
- change the orientation of the display to various angles
- force shutdown the system
- redraw the mouse buttons
- disable input devices (keyboard/mouse/monitor)
- show fake notifications
- change the position of the cursor on the screen
- hide various components (desktop icons, taskbar, Task Manager, and Command Prompt executable)
- provide a chat window between the attacker and the victim
While the above features don't improve monetization for cybercriminals, they certainly differentiate the product and can entice script kiddies and low-skilled, entry-level threat actors to get a subscription.
Another reason for the prank features may be to distract, or even disrupt, the victim while the data theft modules work in the background.
To reduce the risk of malware infection, users are advised to exercise caution when interacting with online content and avoid downloading software or media from untrusted or illegal sources.