Researchers have discovered DCRat, a Remote Access Trojan (RAT) that was initially developed in 2018 and has gone through significant changes since, being sold on a Russian cybercriminal forum. This sale of DCRat is notable for how cheap it is, going for only 500 RUB ($5) for a two-month license, 2,200 RUB ($21) for a year, and 4,200 RUB ($40) for a lifetime subscription.
DCRat supports many of the same functionalities as other RATs, including command execution, information stealing, keylogging, and more. The utility also includes a plugin library that subscribers to the system can download and use or create themselves to extend the functionality of the malware. Persistence of infected systems is achieved through either the use of the Registry Run key or a scheduled task. One interesting thing about DCRat is its killswitch. The C2 application for DCRat checks a specific public GitHub repository controlled by the author for a value in a file. If that file value is modified by the author, it will render all administrative panels of DCRat unusable, rendering the malware ineffective.
While DCRat contains similar functionality to other RATs, its cheap price and modularity will likely make it a favorite among threat actors.
It is recommended to maintain appropriate security endpoint controls, such as EDR, on all systems in an environment. Not only does this allow for preventative measures based on heuristics or behavior, it will also allow for detections due to logging and monitoring mechanisms. In order to achieve its goals, DCRat uses many commonly abused Windows processes or functionalities that can be monitored such as a persistence mechanism via Registry Run keys or scheduled tasks, host fingerprinting via WMI calls, and the disabling of Task Manager via the Registry. Binary Defense’s Managed Detection and Response service is an excellent asset to assist with this type of detection need.