New on the scene: DarkVision RAT
Deep Instinct’s Threat Research Team has recently identified a new, emerging and highly modular malicious RAT named DarkVision RAT. During our investigation we found that it is also being actively sold on a well-known cybercrime and hacking forum and on a dedicated sales website.
A relatively new entrant to the threat landscape, DarkVision ships with a wide range of plug-ins and functionalities, including password harvesting, OS message prompts and file encryption/decryption, and is capable of facilitating a wide array of malicious activities such as spying, fraud and even ransomware-like activity, to name just a few. For many, however, its emergence and proliferation among the denizens of “underground” forums is more interesting than what it can actually do. DarkVision is spreading in no small part thanks to the business savvy of its creator and developer. Neatly packaged into a kit, the RAT is “attractively” priced at $40 USD and marketed on its feature set, cost-effectiveness and quick deployment, which can take only minutes. Although new on the scene, the RAT’s creator continues to make sales and improve the offering to meet market demand.
RATs (Remote Access Tools/Trojans) are a staple in the threat landscape, commonly used by malicious actors to gain and provide remote access to and monitoring of infected machines and to facilitate a host of malicious activities.
DarkVision RAT made its first “commercial offering” in mid-January, described as a "Remote Access Tool (RAT) for Windows 7/8/10 (32/64 bit) with a native core written in C++ and ASM, which makes it standalone and free from any third party dependencies (like .NET).”
The DarkVision RAT is offered as a simple, easy-to-use kit built on a modular plug-in architecture. It is described as a long-term project that includes “lifetime support” and free or discounted upgrades to future versions on request. In addition to the forum offering, DarkVision’s author has also set up a website to market the RAT.
Figure 1: DarkVision Forum Offering
Figure 2: DarkVision Website Offering
Screenshots and videos of the various functionalities are also provided on both the forum and the website:
Shortly after its appearance on the forum, DarkVision started receiving positive feedback:
Figure 7: Forum user vouching for DarkVision
Figure 8: Forum user vouching for DarkVision
Following a short period of inactivity by the author, a forum user wondered whether the author had been arrested by law enforcement:
Figure 9: Forum user wondering if the author has been "raided"
To which the author replied:
Figure 10: Author's response
The author also appears to be very responsive to requests and feedback, adding new features and functionality such as an encrypter (a packer that encrypts the payload so that security products do not detect it) and hidden VNC/RDP functionality:
Figure 11: Forum users discussing possible encrypters for DarkVision
Figure 12: Author announcing DarkVision encrypter
Figure 13: Author explaining his motivation for creating the encrypter
Figure 14: Author discussing additional hidden VNC and RDP functionality
Hands-On with DarkVision
In addition to samples of DarkVision encountered in the wild (listed in the IOC section below), Deep Instinct’s Threat Research Team identified an operational security failure by either DarkVision’s author or one of his customers and obtained a copy of the DarkVision kit.
While it lacks the author’s latest developments (namely the RDP plugin and the payload encrypter), the kit proved very interesting to analyze.
The recovered kit contains an executable that functions as both the RAT payload builder and the control interface for infected machines, plus a set of 17 plugin DLLs (a 32-bit and a 64-bit build of each), each responsible for a different functionality. Plugins can be selectively delivered to an infected machine according to the functionality the operator wants, and are loaded by the RAT directly into memory without being written to disk (with the exception of the Chat plugin). Because most plugins never touch disk, file-based scanning of a victim host will generally not find them; only the RAT payload itself, the Chat plugin and any files the operator drops or encrypts leave on-disk artifacts.
Figure 15: DarkVision plugin manager
- System Control – Lock, reboot or shut down the victim machine.
- Process Manager – List active processes and kill selected ones.
- Registry Editor – Edit the victim machine’s registry.
- File Explorer – File-manager-like utility: manipulate files (copy, delete, move, etc.) on the victim machine, upload files to or download files from it, view image previews/thumbnails, execute files, and encrypt or decrypt files with AES-256 and a chosen password. Encrypted files are given a “.DVCRYPT” suffix and their file header is replaced with “DVCR”. This type of functionality usually lies in the realm of ransomware.
Figure 16: Executable file encrypted by DarkVision
- Screen Capture – Capture the victim user’s screen at intervals of up to 10 seconds. When the interval is set to 0, the victim’s screen is effectively “streamed” to the attacker.
- Message Manager – Display a customizable operating system prompt and return the response (whether the user clicked “OK” or “Cancel”, etc.).
- Webcam – Capture webcam video.
- Wallpaper – Change the victim machine’s Windows wallpaper.
- Keylogger (Live) – Logs and displays the victim user’s keystrokes in real time, along with the window they were typed into.
- Chat – Opens a chat window with the victim user.
- Send Mail – Send an email from the infected machine.
- Dropper – Download a file from the internet to a chosen location on the infected machine.
- Reverse Proxy – SOCKS4 proxy functionality.
- Remote Shell – Remote command-line shell on the infected machine, for executing commands, etc.
- Microphone Capture – Capture microphone audio.
- Password Recovery – Harvests passwords stored by Chrome and Firefox.
- Window List – List the currently open operating system windows.
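The “.DVCRYPT” suffix and the “DVCR” header described under File Explorer are the two on-disk traces an incident responder can look for after the plugin has been used. The script below is an added example, not code from the original write-up or from DarkVision itself: a Python triage helper that walks a directory, flags files by the suffix or by the marker, and measures the entropy of the remainder as a sanity check that the body actually looks like ciphertext. It assumes the marker occupies the first four bytes (the page only says the header is replaced), and its constructed sample files use random bytes in place of real AES-256 output.

```python
"""Triage helper for files touched by DarkVision's File Explorer encryption.

Added example; not part of the original write-up and not DarkVision's own code.
Assumptions (labelled): the "DVCR" marker occupies the first four bytes of an
encrypted file, and the AES-256 ciphertext after it is near-random, so its
Shannon entropy sits close to 8 bits per byte. Sample files are constructed
inline; the 'ciphertext' is os.urandom, not real AES output.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

DV_MAGIC = b"DVCR"       # header marker reported on the page
DV_SUFFIX = ".DVCRYPT"   # suffix reported on the page
HIGH_ENTROPY = 7.5       # assumed threshold for "looks encrypted" (bits/byte)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> dict:
    """Collect the indicators for one file: suffix, assumed magic, body entropy."""
    with open(path, "rb") as fh:
        head = fh.read(4)
        body = fh.read(1 << 16)          # sample the first 64 KiB after the header
    has_magic = head == DV_MAGIC
    ent = shannon_entropy(body if has_magic else head + body)
    return {
        "path": str(path),
        "name": path.name,
        "suffix": path.name.upper().endswith(DV_SUFFIX),
        "magic": has_magic,
        "entropy": round(ent, 2),
        "high_entropy": ent >= HIGH_ENTROPY,
    }


def scan(root: Path) -> list:
    """Walk root and return findings for every file carrying the suffix or the magic."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            info = classify(Path(dirpath) / name)
            if info["suffix"] or info["magic"]:
                findings.append(info)
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: one file that looks genuinely encrypted, one that
    only carries the suffix (a renamed PE stub), and one clean text file."""
    (root / "report.docx.DVCRYPT").write_bytes(DV_MAGIC + os.urandom(4096))
    (root / "decoy.DVCRYPT").write_bytes(b"MZ" + b"\x00" * 4096)
    (root / "notes.txt").write_bytes(b"quarterly numbers\n" * 200)


def demo() -> list:
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for f in demo():
        flags = [k for k in ("suffix", "magic", "high_entropy") if f[k]]
        print(f"{f['name']}: {', '.join(flags)} (entropy {f['entropy']})")
```

The suffix and the magic are checked independently on purpose: a renamed file with low entropy (the decoy case) is worth reporting but is not proof of encryption, and a genuinely encrypted file may have been renamed again afterwards, in which case only the header and the entropy give it away.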
DarkVision refers to its payloads and to infected machines as “servers”, possibly to avoid calling them “bots”, and possibly because they expose some server-like functionality (the SOCKS proxy and remote shell, for instance).
Although new to the scene and lacking several capabilities found in comparable tools (such as cookie harvesting and hidden VNC, both of which have been requested from the author), DarkVision appears to be gaining popularity as a well-featured, cost-effective (the kit is currently priced at $40) and very easy to use malicious RAT, capable of facilitating spying, fraud and even ransomware-like activity.
DarkVision is in active development and will likely continue to gain features and capabilities; its emergence offers an interesting glimpse into how such tools appear and proliferate.
DarkVision’s author is presumed to be a Swedish speaker, as he is seen using a Swedish-language operating system in his demo videos and operates from Swedish IP addresses.
DarkVision Samples (sha256)
DarkVision Kit (sha256)
52e66bc19323536314fce12a2a3fa064b726bb71704a0d9f899d49892f265274 - dv_kit.zip # DarkVision Kit
ba59847f9f160987ee5d9ad57d5022895cece9bd4627d90f5eab35c2f29596ea - DARKVISIONENCRYPTED.EXE # Builder/control panel
447ccb93bcbc969e08ec726e1461c386668720d79d091bca889b5b5a129a352d - CHATPLUGIN32.DLL
7e1aa75831ab42fb27bd372c84e70816cee68e63c59ab66ad445e123cb4dad40 - CHATPLUGIN64.DLL
054f55d77f0250760ab3a12e63af89ba5958468215e18b522cd618363da938a1 - DROPPERPLUGIN32.DLL
83358d06da03686a452f03045219f8286d46ada3287b3a354229ae82dcbd3266 - DROPPERPLUGIN64.DLL
17ab5394041bf8230f816ea92638ec5e5515112132a8e649d4caa783d886cfdf - FILEPLUGIN32.DLL
7c43ad507d71361001464838d5a55a4753a4c8c0e9647de37e721a2d86fb5a86 - FILEPLUGIN64.DLL
3ec311c131d15a530dac35108f167ee926ef87e6cef618c6ba05d9eb239a4940 - LIVEKEYLOGGERPLUGIN32.DLL
0a3bdfe88cf7c38294a1ff2a497f3bcedb3feb8dc37fa0de7332865c348b7eb0 - LIVEKEYLOGGERPLUGIN64.DLL
a1396856c94b92cc78e9636b37ed3e998443699d6bb9f35e086bc87a5ccd0f67 - MESSAGEPLUGIN32.DLL
32eda28241805e739ecdf205f056948cd4bc0d421ccfb70e77d1027d94504587 - MESSAGEPLUGIN64.DLL
4a30c6c89f0d95bc647da438bb4783853167f997221b3ff91bda6816d4043c5a - MICROPHONECAPTUREPLUGIN32.DLL
8284d1613e68ccfd1f07b80161e38f9a96cf26f1229cd297ea1bd95809459bdd - MICROPHONECAPTUREPLUGIN64.DLL
24c3d64db7c499c6c60ae6bf406e25d6a70902cb7f2393b81555e3241aa7c43c - PASSWORDRECOVERYPLUGIN32.DLL
d9f5fe4cd4885a31c288e89447db5d77e846db5b714bb6c1a32e8692e9dd6acd - PASSWORDRECOVERYPLUGIN64.DLL
5a882cb5120fc2720df4c26a02feafcac4246c7937c7dcb6046a1f185e39a2eb - PROCESSPLUGIN32.DLL
230f27eb5652c0a169740a44375221bcda1fae8c3703e354bb756189fa0b8a07 - PROCESSPLUGIN64.DLL
b0faa36c459996787f5aadb327003497444c375e25d0e6a07bc7264608f6b18a - REGISTRYPLUGIN32.DLL
434733d083f2648719bc02e7c8b0bf300007619f20876cb9161e88f5a13d47f2 - REGISTRYPLUGIN64.DLL
7c7264939bd4e249e559f507027c1b1eb92541803e29434238165423c664fa8a - REMOTESHELLPLUGIN32.DLL
572a2d0e60147163deb9bbada3ddd7fe414096fc1b14f51bd6d17a0fc34e7131 - REMOTESHELLPLUGIN64.DLL
531ed45fca9530ae8d1b56b40b784c8d238bf739ea1c7d5779a7dc155248f47b - SCREENCAPTUREPLUGIN32.DLL
ea97e8b77b654598a46a12f6f80ace614cd0cc0b6e2060e81ca2c76ec1f9e2e8 - SCREENCAPTUREPLUGIN64.DLL
b55075d58564ce37324e5f4c746839e35293ac60fed35f345163b77944b0ed8d - SENDMAILPLUGIN32.DLL
23a2e7637acc101bf40ddc953152d7302342e3ca480353a84f6fee5e23155519 - SENDMAILPLUGIN64.DLL
9f2bb6a03ce289a2b6b10950df6ccf80ef3f25dfc2a8c0c9fa5efb3b76e1c167 - SOCKSRELAYPLUGIN32.DLL
1868425310156eafad6074aab9b3bff4c681615a03914f7b970d9e7bc476bbb0 - SOCKSRELAYPLUGIN64.DLL
99e316f57528b47af726ff2cd9a33f6c950c4c7f6b88174d491510eb44047132 - SYSTEMCONTROLPLUGIN32.DLL
39d798c7b1fa8a57dba656682d2c91beb946e10c277ad12e2b08a7b7c1d88a8c - SYSTEMCONTROLPLUGIN64.DLL
b1d5be14b2011f0628dcdd686183f2a2363febdac7e14f23eb51ffd7238b9ba2 - WALLPAPERPLUGIN32.DLL
ed6338943d6237d422e4c54ad3e33040140de6800717831c071de1a37fdf1fe9 - WALLPAPERPLUGIN64.DLL
9ad437d76f08dcb1ce86da07de067735d5b9c657c91ffb13972addce1d50cade - WEBCAMPLUGIN32.DLL
eb12c86b21b337b64f99ad7f7375bc4bbb05a7ba6b5af605ace55546af9db222 - WEBCAMPLUGIN64.DLL
96b4836f4e0e5293833e30db86660e5e45268f4a2072fbbeea8003b684756d45 - WINDOWPLUGIN32.DLL
81a857d256dbd90322fa437e8045e2e2173fce46ef05cf83df9b8fe8f62bf74c - WINDOWPLUGIN64.DLL
DarkVision Network Indicators (ip:port)
220.127.116.11:5555 # Swedish IP
18.104.22.168:5555 # Swedish IP
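To make the list above directly usable, here is an added example, not part of the original write-up and not Deep Instinct’s or DarkVision’s code: a Python script that parses the list’s own line formats (“sha256 - filename # comment” and “ip:port # comment”), streams every file under a directory through SHA-256 and reports hits. The embedded excerpt copies a few entries from the list above; the end-to-end demo adds one constructed entry for a file it creates itself, since the real kit is not available here. Keep in mind the caveat from the analysis section: most plugins are loaded into memory and never written to disk, so on-disk hash hits will usually be the kit archive, the builder or the Chat plugin, and memory-resident plugins need a memory scan instead.

```python
"""Parse the DarkVision IOC list and match it against files on disk.

Added example; not part of the original write-up and not Deep Instinct's or
DarkVision's own code. Reads the list's line formats
("<sha256> - <filename> # <comment>" and "<ip>:<port> # <comment>"), hashes
every file under a directory and reports SHA-256 hits.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Excerpt copied from the IOC list on this page (a few entries, not the full list).
IOC_EXCERPT = """\
52e66bc19323536314fce12a2a3fa064b726bb71704a0d9f899d49892f265274 - dv_kit.zip # DarkVision Kit
ba59847f9f160987ee5d9ad57d5022895cece9bd4627d90f5eab35c2f29596ea - DARKVISIONENCRYPTED.EXE # Builder/control panel
447ccb93bcbc969e08ec726e1461c386668720d79d091bca889b5b5a129a352d - CHATPLUGIN32.DLL
7e1aa75831ab42fb27bd372c84e70816cee68e63c59ab66ad445e123cb4dad40 - CHATPLUGIN64.DLL
220.127.116.11:5555 # Swedish IP
18.104.22.168:5555 # Swedish IP
"""

HASH_LINE = re.compile(r"^([0-9a-fA-F]{64})\s*-\s*(\S+)(?:\s*#\s*(.*))?$")
NET_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(?:\s*#\s*(.*))?$")


def parse_iocs(text: str):
    """Return (hashes, network): hashes maps lowercase sha256 -> (filename, comment),
    network is a list of (ip, port, comment). Unrecognised lines are ignored."""
    hashes, network = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1).lower()] = (m.group(2), (m.group(3) or "").strip())
            continue
        m = NET_LINE.match(line)
        if m:
            network.append((m.group(1), int(m.group(2)), (m.group(3) or "").strip()))
    return hashes, network


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_directory(root: Path, hashes: dict) -> list:
    """Hash every file under root; return [(path, ioc_filename, comment)] per hit.
    The name on disk is irrelevant: a renamed kit file still matches by content."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            digest = sha256_file(p)
            if digest in hashes:
                ioc_name, comment = hashes[digest]
                hits.append((str(p), ioc_name, comment))
    return hits


def demo():
    """Constructed end-to-end run: a temp directory with one benign file and one
    stand-in 'sample' whose hash is appended to the IOC text as a constructed entry.
    Returns (number of hash IOCs, network IOCs, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "readme.txt").write_bytes(b"nothing to see here\n")
        sample = root / "sub" / "chatplugin32.dll"
        sample.parent.mkdir()
        sample.write_bytes(b"constructed stand-in for a DarkVision plugin\n")
        extra = f"{sha256_file(sample)} - CONSTRUCTED_SAMPLE.DLL # constructed entry\n"
        hashes, network = parse_iocs(IOC_EXCERPT + extra)
        hits = match_directory(root, hashes)
        return len(hashes), network, hits


if __name__ == "__main__":
    n, net, hits = demo()
    print(f"{n} hash IOCs, {len(net)} network IOCs")
    for ip, port, comment in net:
        print(f"  network: {ip}:{port} ({comment})")
    for path, name, comment in hits:
        print(f"  hit: {path} matches {name} ({comment})")
```

The network entries are parsed into (ip, port, comment) tuples so they can be handed to a firewall or proxy log search; matching is done on file content only, which is why the demo's stand-in file is found even though its on-disk name differs from the IOC's.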