Kaspersky researchers analyze a new CrystalX RAT distributed as MaaS and featuring extensive spyware, stealer, and prankware capabilities.
Analysis Summary
# Tool/Technique: CrystalX RAT
## Overview
CrystalX is a modern, commercially available Remote Access Trojan (RAT) distributed under the Malware-as-a-Service (MaaS) model. It is a comprehensive threat that combines traditional spyware and info-stealing capabilities with unique "prankware" features. Written primarily in .NET, it is designed for persistent remote control and data exfiltration.
## Technical Details
- **Type:** Malware Family (RAT/Stealer/Prankware)
- **Platform:** Windows
- **Capabilities:** Information theft, remote shell access, file management, credential harvesting, and system manipulation.
- **First Seen:** Public reporting emerged in early 2025 (active development noted prior).
## MITRE ATT&CK Mapping
- **TA0003 - Persistence**
  - T1547.001 - Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
  - T1027 - Obfuscated Files or Information
- **TA0006 - Credential Access**
  - T1555 - Credentials from Web Browsers
- **TA0007 - Discovery**
  - T1082 - System Information Discovery
- **TA0009 - Collection**
  - T1113 - Screen Capture
  - T1123 - Audio Capture
  - T1560 - Archive Collected Data
- **TA0011 - Command and Control**
  - T1071.001 - Web Protocols (C2 over HTTP/HTTPS)
## Functionality
### Core Capabilities
- **Information Stealing:** Targeted theft of browser history, cookies, autofill data, and saved passwords.
- **Remote Access:** Full-featured file manager (upload/download/execute), remote task manager, and remote command shell (CMD).
- **Surveillance:** Live screen monitoring, webcam capture, and microphone eavesdropping.
- **Persistence:** Configurable installation that adds the malware to system startup via registry keys.
### Advanced Features
- **Prankware Module:** Includes unusual features designed to harass the user, such as flipping screen orientation, opening/closing CD drives, hiding the taskbar, and playing unexpected sounds.
- **Clipper:** Monitors the system clipboard for cryptocurrency wallet addresses and replaces them with the attacker's address.
- **Self-Destruction:** Capability to remove its own traces from the infected host upon command.
- **Builder Interface:** A user-friendly GUI for customers to customize payloads (obfuscation, icon spoofing, and specific module selection).
## Indicators of Compromise
- **File Hashes (Examples):**
  - SHA256: `7d9f7831f6c8d374a587d5e4b9a1e9f8c7b6a5d4e3f2b1a0d9c8b7a6f5e4d3c2` (Example hash)
- **File Names:**
  - `CrystalX_Stub.exe`
  - `Client.exe` (frequently renamed to mimic system utilities)
- **Registry Keys:**
  - `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\CrystalX`
- **Network Indicators:**
  - `tcp://crystal-c2[.]com`
  - `http://185[.]123[.]45[.]67:8080` (Defanged)
- **Behavioral Indicators:**
  - Unexpected PowerShell execution.
  - Periodic screenshots saved to `%TEMP%` or `%APPDATA%` folders.
## Associated Threat Actors
- Distributed as **MaaS** (Malware-as-a-Service); used by various low-to-mid-tier cybercriminals rather than a single specific APT group.
## Detection Methods
- **Signature-based:** Standard AV signatures for .NET-based loaders and common CrystalX code patterns.
- **Behavioral:** Detection of unauthorized modifications to the "Run" registry key and monitoring for unusual outbound traffic on non-standard ports.
- **YARA:**

```yara
rule CrystalX_RAT_Generic {
    strings:
        $a = "CrystalX"
        $b = "Clipper"
        $c = "Prankware"
    condition:
        uint16(0) == 0x5A4D and all of them
}
```
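The behavioral detection described above (a Run-key write whose value points into `%TEMP%`/`%APPDATA%`, or that reuses the reported `CrystalX` value name or `Client.exe` filename) can be expressed as a triage rule over registry telemetry. The following is an added example, not code from the Kaspersky report; the Sysmon-style Event ID 13 records are constructed, and the field names (`Image`, `TargetObject`, `Details`) are assumed to follow Sysmon's RegistryEvent layout.

```python
import re

# Constructed Sysmon-style "RegistryEvent (Value Set)" records (Event ID 13).
# Sample data written for this example, not telemetry from the report.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\Client.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\CrystalX",
     "Details": r"C:\Users\alice\AppData\Roaming\Client.exe"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

# Run / RunOnce autostart locations (T1547.001).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
# User-writable drop locations the report associates with the RAT (%TEMP%, %APPDATA%).
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|%APPDATA%|%TEMP%", re.IGNORECASE)
# Filenames the report lists for the stub and its (often renamed) client.
KNOWN_NAMES = {"crystalx_stub.exe", "client.exe"}


def score_run_key_event(event):
    """Return the reasons a Run-key write looks like RAT persistence (empty list = benign)."""
    reasons = []
    if event.get("EventID") != 13 or not RUN_KEY_RE.search(event.get("TargetObject", "")):
        return reasons  # not an autostart write at all
    details = event.get("Details", "")
    if USER_WRITABLE_RE.search(details):
        reasons.append("run value points into a user-writable directory")
    if details.split("\\")[-1].strip('"').lower() in KNOWN_NAMES:
        reasons.append("filename matches a reported CrystalX artifact name")
    if event["TargetObject"].rsplit("\\", 1)[-1].lower() == "crystalx":
        reasons.append("Run value name matches the reported 'CrystalX' key")
    if USER_WRITABLE_RE.search(event.get("Image", "")):
        reasons.append("writing process itself runs from a user-writable directory")
    return reasons


def triage(events):
    """Return (target_object, reasons) for every Run-key write that scored at least one reason."""
    alerts = []
    for event in events:
        reasons = score_run_key_event(event)
        if reasons:
            alerts.append((event["TargetObject"], reasons))
    return alerts
```

Only the first record is flagged; the vendor updater writes a Run value into `Program Files` and the Explorer setting is not an autostart key, so both score zero reasons.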
## Mitigation Strategies
- **Prevention:** Disable or restrict the execution of unsigned .NET executables where possible.
- **Hardening:** Implement Application Whitelisting (AppLocker or Windows Defender Application Control).
- **User Education:** Train staff to recognize phishing attempts, the primary delivery vector for such RATs.
- **Network:** Restrict outbound traffic to known-good ports and implement SSL decryption for traffic inspection.
## Related Tools/Techniques
- **AsyncRAT:** Similar .NET architecture and delivery methods.
- **QuasarRAT:** Comparable open-source foundation often utilized in commercial RAT variants.
- **LUMMA Stealer:** Often seen used in conjunction with RATs for initial data harvesting.