New CrystalRAT malware adds RAT, stealer and prankware features

Why This Matters

The emergence of CrystalRAT as a malware-as-a-service platform highlights the growing sophistication and accessibility of cyber threats, enabling even less technically skilled actors to deploy advanced malware with multiple malicious capabilities. Its combination of remote access, data theft, prankware, and anti-analysis features poses significant risks to consumers and organizations alike, emphasizing the need for robust cybersecurity defenses.

Key Takeaways

A new malware-as-a-service called CrystalRAT is being promoted on Telegram, offering remote access, data theft, keylogging, and clipboard hijacking capabilities.

The malware emerged in January with a tiered subscription model. Apart from the Telegram channel, the MaaS was also promoted on YouTube, via a dedicated marketing channel that showcased its capabilities.

Kaspersky researchers say in a report today that the malware features strong similarities to WebRAT (Salat Stealer), including the same panel design, Go-based code, and a similar bot-based sales system.

CrystalX also includes an extensive list of prankware features designed to annoy the user or disrupt their work. Despite its "fun" side, CrystalX offers a large set of data theft capabilities.

[Image: Telegram channel promoting CrystalX RAT. Source: Kaspersky]

CrystalX RAT details

Kaspersky says that the malware provides a user-friendly control panel and an automated builder tool that supports customization options, including geoblocking, executable customization, and anti-analysis features (anti-debugging, VM detection, proxy detection, etc.).

The generated payloads are zlib-compressed and encrypted with the ChaCha20 symmetric stream cipher for protection.

The malware connects to the command-and-control (C2) server over WebSocket and sends information about the host for profiling and infection tracking.
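
The article lists no network indicators, so the following is an added example (not from the article or Kaspersky's report) of a generic hunt for the behaviour described above: a WebSocket upgrade made by a process that is not an expected WebSocket client. The event schema, the process allowlist and the sample events are constructed assumptions.

```python
import json
from collections import defaultdict

# Assumption: processes that legitimately open WebSockets in this environment.
EXPECTED_WS_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "teams.exe"}

# Constructed events. Field names are hypothetical, not a real product schema;
# addresses and domains use documentation ranges.
SAMPLE_EVENTS = """\
{"host": "ws-014", "process": "chrome.exe", "dest": "chat.example.com", "upgrade": "websocket"}
{"host": "ws-014", "process": "svc-update.exe", "dest": "203.0.113.7", "upgrade": "websocket"}
{"host": "ws-022", "process": "Chrome.exe", "dest": "chat.example.com", "upgrade": "WebSocket"}
{"host": "ws-022", "process": "agent.exe", "dest": "telemetry.example.net", "upgrade": "websocket"}
{"host": "ws-031", "process": "agent.exe", "dest": "telemetry.example.net", "upgrade": "websocket"}
{"host": "ws-031", "process": "curl.exe", "dest": "downloads.example.org", "upgrade": ""}
"""


def is_ws_upgrade(event):
    """True when the request carried 'Upgrade: websocket' (case-insensitive)."""
    return (event.get("upgrade") or "").strip().lower() == "websocket"


def hunt(lines, expected=EXPECTED_WS_CLIENTS, rare_max_hosts=1):
    """Flag WebSocket upgrades from unexpected processes, ranked by destination rarity."""
    events = [json.loads(line) for line in lines if line.strip()]
    ws_events = [e for e in events if is_ws_upgrade(e)]

    # How many distinct hosts talk WebSocket to each destination.
    hosts_per_dest = defaultdict(set)
    for e in ws_events:
        hosts_per_dest[e["dest"]].add(e["host"])

    findings = []
    for e in ws_events:
        if e["process"].lower() in expected:
            continue
        spread = len(hosts_per_dest[e["dest"]])
        findings.append({
            "host": e["host"], "process": e["process"], "dest": e["dest"],
            "hosts_using_dest": spread,
            # A destination reached by a single host is the stronger lead.
            "severity": "high" if spread <= rare_max_hosts else "medium",
        })
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS.splitlines()):
        print(finding)
```

A medium finding is usually a tool to add to the allowlist; a high finding warrants checking the binary's path, signer and parent process on that host.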
