The regiment of “warriors” has arrived: FACCT experts have analyzed the new RADX RAT remote access trojan

At the end of 2023, FACCT Threat Intelligence specialists recorded several phishing emails from a criminal group that used the DarkCrystal RAT remote access trojan in attacks on Russian companies. Among its targets were marketplaces, retail chains, banks, IT companies, telecommunications and construction companies.

DarkCrystal RAT is a remote access trojan released in 2019. This “warrior” can take screenshots, intercept keystrokes and steal various types of data from the system, including bank card data, cookies, passwords, browser history, clipboard contents and Telegram, Steam, Discord and FileZilla accounts. The malware itself is written in C# and has a modular structure.

If successful, the attackers could have gained access to the companies’ internal financial and legal documents, customer databases, and accounts for email services and instant messengers. However, F.A.C.C.T. Managed XDR, the protection system against complex and unknown cyber threats, intercepted and blocked all phishing emails sent to our clients’ email addresses.

Experts analyzed the contents of the mailings and discovered a new remote access trojan, RADX. More details about it are given in a new blog post by Anton Baranov, FACCT Threat Intelligence analyst, and Dmytro Kupin, head of the dynamic malware analysis department at FACCT.

Fig. 1. Screenshot of the malicious letter from the November mailing with a request to pay the bill

Let’s briefly recount how events developed. In November 2023, attackers sent phishing emails with the subject “Server Payment” from the address sergkovalev@b7s[.]jw.org uk. The emails carried two types of attachments: “payment screen for server.zip” or “payment screen for server.pdf.zip”. The first archive contained a file named “server payment screen.scr”, which installed the DarkCrystal RAT remote access trojan on the victim’s computer. In this case, the DarkCrystal RAT command and control server (C2) was the IP address 195.20.16[.]116.

The second archive contained the loader “server payment screen.pdf.exe”, which installed previously unknown malware. During the analysis, we named it RADX RAT.
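Both lures rely on the same trick: an archive whose only member is an executable (a .scr screensaver, or a .pdf.exe double extension that Explorer shows as “.pdf” when extensions are hidden). The following is an added example of how a mail gateway or sandbox pre-filter could triage such attachments and match connection logs against the published C2 address; it is not FACCT’s code or tooling. The attachment names and the C2 address are taken from the article above; the archive contents, the extension lists and the log lines are constructed sample data.

```python
"""Triage of archive attachments and C2 matching, modelled on the lure
described above. Added example, not FACCT code. Member names come from the
article; archive contents, extension lists and log lines are constructed."""
import io
import re
import zipfile

# Extensions Windows executes on double-click (assumption: a minimal list,
# extend according to local policy).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1"}
# Extensions a recipient expects to be a harmless document or image.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt"}

PE_MAGIC = b"MZ"  # DOS header signature of a Windows PE file


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons one archive member looks suspicious (empty = clean)."""
    reasons = []
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    # "screen.pdf.exe": document-looking extension followed by an executable
    # one, so a victim with hidden extensions sees only "screen.pdf".
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # Content check independent of the name: a PE header behind a document name.
    if head.startswith(PE_MAGIC) and ext not in EXECUTABLE_EXTS:
        reasons.append("PE header in a non-executable file name")
    return reasons


def triage_zip(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each member of an in-memory zip to its suspicion reasons.
    Members with no findings are omitted from the result."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members: dict[str, bytes]) -> bytes:
    """Constructed helper: pack name -> content pairs into an in-memory zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Member names are those from the November mailing; contents are stand-ins.
SAMPLE_ARCHIVE = build_sample_zip({
    "server payment screen.scr": b"MZ\x90\x00" + b"\x00" * 60,
    "server payment screen.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.pdf": b"%PDF-1.7\n%constructed benign file\n",
    "photo.png": b"MZ\x90\x00" + b"\x00" * 60,  # PE hiding behind an image name
})

# DarkCrystal RAT C2 named in the article, in the defanged form published.
KNOWN_C2 = {"195.20.16[.]116"}

_IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable address."""
    return ioc.replace("[.]", ".")


def c2_hits(log_lines: list[str]) -> list[str]:
    """Return log lines containing an IP that matches a known C2 address."""
    targets = {refang(ip) for ip in KNOWN_C2}
    return [ln for ln in log_lines if any(ip in targets for ip in _IP_RE.findall(ln))]


# Constructed firewall lines, not real traffic.
SAMPLE_LOG = [
    "2023-11-14T10:02:11Z src=10.0.5.23 dst=195.20.16.116 dport=443 action=allow",
    "2023-11-14T10:02:12Z src=10.0.5.23 dst=93.184.216.34 dport=443 action=allow",
]

if __name__ == "__main__":
    for name, reasons in triage_zip(SAMPLE_ARCHIVE).items():
        print(f"{name}: {', '.join(reasons)}")
    for line in c2_hits(SAMPLE_LOG):
        print("C2 contact:", line)
```

The content check matters as much as the name check: renaming the loader to “photo.png” defeats an extension blocklist but not the PE-magic test, while the double-extension rule catches exactly the “.pdf.exe” shape used in this mailing. Indicators are kept defanged in the source and refanged only at match time so they cannot be clicked or auto-linked in tickets.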

While analyzing similar samples of this family found on VirusTotal, we discovered the ASCII art “RAD-X” in one of them:

Fig. 2. Screenshot of the sample code with the ASCII art “RAD-X”

A RADX authorization form was also discovered:

Fig. 3. Screenshot of the RADX authorization form

Threat Intelligence specialists also found the malware family, which we named RADX RAT, for sale on an underground forum. This “warrior” has been on sale since October 2023 and is advertised as “the best SOFTWARE for working with remote access and collecting classified information.”

Fig. 4. Screenshot of the announcement on the forum

The attackers also position RADX as the “cheapest RAT” and offered it at New Year’s discounts with a stealer program thrown in. With the discounts, a weekly RADX rental costs only 175 rubles per month, and a three-month rental 475 rubles.

A technical analysis of the RADX trojan, including indicators of compromise and a full MITRE ATT&CK mapping, is available on our blog.
