
Mark0


A laughing RAT: CrystalX combines spyware, stealer, and prankware features

CrystalX RAT is a newly discovered Malware-as-a-Service (MaaS) written in Go, originally appearing in private Telegram developer channels as Webcrystal RAT. The malware distinguishes itself through an extensive feature set that combines traditional RAT functions, a credential stealer, a keylogger, and a cryptocurrency clipper with unique "prankware" capabilities. These prank features allow attackers to manipulate the victim's desktop, rotate screens, and disrupt peripheral inputs to harass the user.

Technically, the Trojan utilizes zlib compression and ChaCha20 encryption for its payloads and employs various anti-analysis techniques, including MITM checks and stealth patches for AMSI and ETW. It communicates via WebSockets for real-time data exfiltration and includes a custom VNC for remote screen control. While currently observed targeting users in Russia, its MaaS business model and lack of regional restrictions make it a global threat as its PR campaign continues to expand.

