A new malware-as-a-service (MaaS) has been promoted on Telegram as combining spyware, stealer, and remote access capabilities, Kaspersky reports.
Named CrystalX RAT, it emerged in January, when it was offered as Webcrystal RAT. Featuring a control panel identical to WebRAT, it was later rebranded, and its developer started promoting it both on Telegram and YouTube.
The malware control panel offers access to an auto‑builder featuring options such as geo-blocking and anti‑analysis, and allows users to generate compressed and encrypted implants.
Written in Go, the RAT establishes a WebSocket connection to its command-and-control (C&C) server immediately after execution, then starts collecting system information.
After sending the collected system data, the malware executes an information-stealing module that harvests Discord, Steam, and Telegram credentials, as well as data from Chrome-based browsers.
The RAT also packs a keylogger module that instantly sends all user input to the C&C via WebSocket. It also allows operators to read and modify the victim’s clipboard and can inject a malicious clipper into Chrome and Edge, Kaspersky notes.
CrystalX RAT supports multiple remote access commands, allowing operators to upload files, browse files, or execute commands. Courtesy of an integrated VCN, it also enables operators to control the victim’s screen remotely and can capture audio and video streams using the system’s microphone and camera.
“Since both the attacker and the victim use the same session, the panel provides a number of buttons to block user input so that the attacker can perform necessary actions unhindered,” Kaspersky explains.
The control panel also provides access to a series of separate commands that allow users to prank their victims, the cybersecurity firm says.
Using these commands, the operators can change the desktop background, change the screen orientation, shut down the device, remap mouse buttons, disconnect peripherals, display custom notifications, change cursor position chaotically, and disable various GUI components.
“Moreover, the attacker can send a message to the victim, after which a dialog window will open in the system, allowing a bidirectional chat,” Kaspersky notes.
The cybersecurity firm says CrystalX RAT has already infected dozens of individuals. Although it has been used only in Russia, the MaaS does not have regional restrictions and could soon be used globally.
“Moreover, our telemetry has recorded new implant versions, which indicates that this malware is still being actively developed and maintained. Combined with the growing PR campaign for CrystalX RAT, it can be concluded that the number of victims can increase significantly in the near future,” Kaspersky says.
Related: New DeepLoad Malware Dropped in ClickFix Attacks
Related: Axios NPM Package Breached in North Korean Supply Chain Attack
Related: Iranian Hackers Likely Used Malware-Stolen Credentials in Stryker Breach
Related: ‘BlackSanta’ Malware Activates EDR and AV Killer Before Detonating Payload
