Kaspersky uncovers CrystalX RAT which steals data and mocks its victims

The new remote access trojan (RAT) is capable not only of stealing information and fully spying on its victims, but also of making fun of them.

keylogger, clipper, and spyware capabilities. Cybercriminals are selling it to third parties as MaaS (malware-as-a-service), promoting it on YouTube and Telegram, which increases the likelihood of its use by a wider range of actors, including less-skilled operators.

Due to its stealer functionality, the malware can collect a wide range of data about its victim: it gathers system information, extracts credentials for Steam, Discord and Telegram, and also harvests data from web browsers. It also poses a threat to cryptocurrency users, as it includes a browser-based clipper that replaces crypto wallet addresses.

Beyond data theft, CrystalX RAT is capable of full-scale surveillance, with the ability to take screenshots, record audio from the microphone, and capture video from both the webcam and the victim’s screen.

Particularly notable is CrystalX RAT’s “playful” Prankware feature set, which is actively promoted by the developers. These capabilities allow operators to visibly interfere with the victim’s system by shaking the mouse cursor, setting wallpapers on the victim’s screen, changing screen orientation, hiding desktop icons, forcing system shutdowns, and even delivering real-time pop-up notifications and messages to the victim. While seemingly trivial, these features introduce a disruptive and psychological dimension, making the attack both visible and distressing for the victim.

Attacker-victim chat window.

Kaspersky reports attacks targeting users in Russia, but the trojan has the potential to spread to other countries due to its sales and distribution model.

“Such a diverse feature set effectively enables a 360-degree compromise of the victim and a complete loss of privacy. Beyond gaining access to account credentials, the stolen data could potentially be used for blackmail. At the moment, the initial infection vector is not precisely known, but it is already affecting dozens of victims. Our telemetry is already detecting new versions of the implants, indicating that this malware is still actively developed and maintained. We expect the number of victims to grow significantly and its geographic spread to expand in the near future,” says Leonid Bezvershenko, senior security researcher at Kaspersky GReAT.

Read the full report on Securelist.com to learn more about CrystalX RAT and its indicators of compromise.

To stay safe, Kaspersky recommends that users:

  • Be cautious when opening or downloading files received via messengers or emails, as they may be able to execute malware.
  • Be cautious with downloads. It’s safer to install games and mods only from official sources or reputable websites. Unofficial sources may contain malware.
  • Use a strong security solution on all computers and mobile devices, such as Kaspersky Premium. It will warn you and prevent any infection.
  • You can enable the ‘show file extensions’ option in the Windows settings. This will make it much easier to distinguish potentially malicious files. As Trojans are programs, you should be warned to stay away from file extensions like “exe”, “vbs” and “scr”. Cybercriminals could use several extensions to masquerade a malicious file as a video, photo, or a document.
  • Be attentive with notifications sent by email. Cybercriminals often distribute fake email messages mimicking email notifications from an online store or a bank, luring a user to click on a malicious link and distribute malware.