October 15, 2024 at 11:54AM
A new malware campaign, utilizing the PureCrypter loader, delivers the DarkVision RAT, enabling capabilities like keylogging and remote access. Disclosed by Zscaler ThreatLabz, the multi-stage process involves a .NET executable and persistence features. DarkVision RAT is affordable, making it appealing to cybercriminals seeking versatile malicious tools.
### Meeting Takeaways – Cybersecurity Report on DarkVision RAT
**Date:** October 15, 2024
**Presenter:** Ravie Lakshmanan
**Key Points:**
1. **New Malware Campaign**:
   – A recent malware campaign uses the loader **PureCrypter** to deploy the **DarkVision RAT**.
2. **Delivery Mechanism**:
   – Observed by **Zscaler ThreatLabz** in July 2024, the malware follows a **multi-stage delivery process** to infect systems.
3. **DarkVision RAT Features**:
   – Communicates via a custom network protocol.
   – Capable of executing various commands, including:
     – Keylogging
     – Remote access
     – Password theft
     – Audio recording
     – Screen captures
4. **PureCrypter Details**:
   – Disclosed in 2022.
   – Sold on a subscription basis and requires minimal technical expertise to use.
   – Facilitates the distribution of various malware types, including information stealers and ransomware.
5. **Initial Access and Execution**:
   – The precise method of PureCrypter’s initial access remains unclear.
   – Uses a .NET executable that decrypts and launches the **Donut loader**.
   – The Donut loader activates PureCrypter, which then unpacks and executes DarkVision.
6. **Persistence Mechanisms**:
   – Employs **scheduled tasks**, **autorun keys**, and a **batch script** to ensure the RAT persists on the infected system.
   – Adds specific file paths and process names to the Microsoft Defender Antivirus exclusion lists.
7. **Popularity Among Cybercriminals**:
   – DarkVision RAT is marketed for around **$60**, appealing to less technically skilled attackers.
   – Offers advanced capabilities for remote control, information theft, and system exploitation.
8. **Overall Assessment**:
   – Described as a **potent tool for cybercriminals**, combining versatility and low cost, which contributes to its increasing popularity in the cybercrime community.
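Added defender-side triage check, written for this summary and not taken from the article or from Zscaler's report: it reads the host's Defender exclusion lists and flags scheduled-task actions and Run-key autoruns whose command sits under an excluded path or names an excluded process, the combination described under item 6. The Run-key locations and the substring matching are assumptions about a generic Windows host, not indicators from this campaign.

```powershell
# Added triage check (not from the article). Run in an elevated PowerShell.
# Correlates Defender exclusions with scheduled-task and autorun persistence.
$pref      = Get-MpPreference
$exclPaths = @($pref.ExclusionPath)    | Where-Object { $_ }
$exclProcs = @($pref.ExclusionProcess) | Where-Object { $_ }

# Collect persistence entries: scheduled-task actions and Run-key values.
$entries = @()
foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{
                Source  = "Task:$($task.TaskPath)$($task.TaskName)"
                Command = "$($a.Execute) $($a.Arguments)".Trim()
            }
        }
    }
}
# Assumed autorun locations; the article names no specific key.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*') {   # skip PowerShell's own PSPath/PSParentPath etc.
                $entries += [pscustomobject]@{ Source = "Autorun:$key\$($p.Name)"; Command = [string]$p.Value }
            }
        }
    }
}

# Flag entries whose command lives under an excluded path or names an excluded process.
# Exclusion paths may themselves contain wildcards, which -like honours.
foreach ($e in $entries) {
    $hits = @()
    foreach ($path in $exclPaths) {
        if ($e.Command -like "*$path*") { $hits += "path exclusion: $path" }
    }
    foreach ($proc in $exclProcs) {
        $name = [System.IO.Path]::GetFileName($proc)
        if ($name -and $e.Command -like "*$name*") { $hits += "process exclusion: $proc" }
    }
    if ($hits) {
        Write-Output "SUSPECT $($e.Source)"
        Write-Output "  command: $($e.Command)"
        $hits | ForEach-Object { Write-Output "  matches $_" }
    }
}
```

A persistence entry that is also covered by an exclusion is not proof of infection, but it is exactly the overlap a legitimate installer rarely produces and is worth reviewing first.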