DarkVision RAT

Oct. 11, 2024, 8:10 a.m.

Description

DarkVision RAT is a customizable remote access trojan that first appeared in 2020, offered on Hack Forums for $60. Written in C/C++ and assembly, it includes features such as keylogging, screenshots, file manipulation, process injection, remote code execution, and password theft. The analysis reveals a multi-stage attack chain that uses PureCrypter as a loader. DarkVision RAT employs various evasion and privilege escalation techniques, including DLL hijacking and process injection. It communicates with its C2 server using a custom protocol and supports multiple plugins for additional capabilities. The RAT's affordability and extensive feature set make it accessible to low-skilled cybercriminals, posing a significant threat.

Date

  • Created: Oct. 10, 2024, 4:05 p.m.
  • Published: Oct. 10, 2024, 4:05 p.m.
  • Modified: Oct. 11, 2024, 8:10 a.m.

Attack Patterns

  • DarkVision RAT
  • PureCrypter
  • T1125
  • T1053.005
  • T1010
  • T1539
  • T1571
  • T1547.001
  • T1056.001
  • T1113
  • T1123
  • T1562.001
  • T1529
  • T1082
  • T1057
  • T1083
  • T1055
  • T1219
  • T1140