In the rapidly evolving world of cybercrime, new threats seem to surface daily. Among the latest is the DarkVision RAT, a remote access trojan that has cyber defenders on high alert. Discovered as part of a malware campaign in July 2024, DarkVision RAT is delivered using a malware loader known as PureCrypter. What makes this combination particularly dangerous is not only the malware's broad capabilities but also how accessible it is—both in terms of price and ease of use.
What Is DarkVision RAT?
DarkVision RAT (Remote Access Trojan) is a malicious tool designed to give attackers complete control over a victim’s computer, silently operating in the background while executing a wide range of malicious activities. The RAT can exfiltrate data, take control of a system remotely, and manipulate it without the user’s knowledge.
The malware establishes communication with its command-and-control (C2) server using custom protocols, allowing attackers to continuously issue new commands. From there, the RAT can capture keystrokes (keylogging), record audio, capture screenshots, steal passwords, and even hijack system resources. All of this makes it a highly potent tool in the hands of cybercriminals.
How is DarkVision Delivered?
The DarkVision RAT is delivered through a multi-stage process. It begins with PureCrypter, a malware loader that has been around since 2022. PureCrypter has gained popularity for its effectiveness in delivering various types of malware, including ransomware, information stealers, and RATs like DarkVision.
While the exact entry point for the PureCrypter loader in this campaign remains unclear, what is known is how it functions. After infiltrating a target, PureCrypter decrypts and launches a .NET executable. This executable then runs an open-source tool called Donut loader, which in turn launches PureCrypter. From here, DarkVision is unpacked and loaded onto the system, setting up the RAT for action.
DarkVision’s Key Capabilities
What makes DarkVision particularly dangerous is the sheer range of malicious functions it can perform. Below are some of the key capabilities:
Keylogging: Records everything the user types, capturing sensitive information like passwords, credit card numbers, and personal messages.
Remote Control: The attacker can fully control the infected machine, manipulating files, processes, and settings.
Audio and Screen Capture: It can record audio through a computer’s microphone and capture screenshots, giving the attacker a live view of what’s happening on the system.
Password Theft: DarkVision can recover stored credentials, including cookies and passwords from web browsers, making it easy to hijack accounts.
System Information Gathering: It collects details about the victim's system, allowing attackers to tailor their approach for further exploitation.
Custom Plugins: DarkVision can be extended with additional plugins sent from its C2 server, enabling even more features to enhance its capabilities as needed.
Why DarkVision is Gaining Traction
One of the main reasons DarkVision RAT has garnered attention is its accessibility. Selling for as little as $60 on clearnet sites, the malware offers a robust feature set at a very low price. This makes it appealing to a wide range of cybercriminals, especially those with limited technical skills or financial resources.
For these attackers, the combination of DarkVision RAT’s power and its ease of deployment through PureCrypter makes it a low-risk, high-reward proposition. Once inside a victim’s system, the RAT is capable of establishing persistence by creating scheduled tasks, autorun keys, and adding itself to antivirus exclusion lists—ensuring it stays hidden and functional for extended periods.
DarkVision RAT’s Rise Comes with New Threats
In addition to the DarkVision RAT, a new malware loader known as Pronsis Loader has also been identified, adding to the complexity of the current cyber threat landscape. Like PureCrypter, Pronsis Loader is being used to deliver other malware such as Lumma Stealer and Latrodectus.
Pronsis Loader bears some similarities to another known threat, the D3F@ck Loader, with both using JPHP-compiled executables. However, they diverge in how they install malware—Pronsis uses the Nullsoft Scriptable Install System (NSIS), while D3F@ck relies on the Inno Setup Installer. These new loaders add more fuel to an already active and dangerous cybercriminal ecosystem.
Protecting Against DarkVision RAT and Similar Threats
With the rise of highly accessible and effective malware like DarkVision RAT, defending against cyber threats requires a multi-layered approach. Here’s how organizations and individuals can better protect themselves:
Regular Updates and Patch Management: Ensure that all software, from operating systems to applications, is up to date. Patching vulnerabilities closes the doors that malware like PureCrypter uses to get in.
Endpoint Protection: Utilize robust endpoint protection tools like antivirus, anti-malware, and EDR (Endpoint Detection and Response) to detect and neutralize threats like DarkVision RAT before they can cause damage.
Email and Phishing Security: Most malware campaigns start with phishing emails. Implement strong email security measures and train users to recognize and avoid phishing attempts.
Access Control: Limit administrative privileges to essential personnel only, and restrict users from installing unauthorized software. This reduces the chance of malware gaining elevated access.
Network Monitoring: Employ intrusion detection and prevention systems (IDS/IPS) to spot unusual network activity, such as communication with C2 servers, and block it.
Data Backup: Regularly back up important data and store it securely, preferably offline, to safeguard against data loss from malware attacks.
Cybersecurity Training: Ensure that employees are trained in cybersecurity best practices. Educating your team is one of the most effective ways to prevent human error, which is often the weak link in malware attacks.
Comments