A powerful form of trojan malware that offers complete backdoor access to Windows systems is being sold on underground forums for the price of a cup of coffee – and it’s being developed and maintained by one person.

Known as DCRat, the backdoor malware has existed since 2018 but has since been redesigned and relaunched.

When malware is cheap it’s often associated with only delivering limited capabilities. But DCRat – offered online for as little as $5 – unfortunately comes equipped with a variety of a functions, including the ability to steal usernames, passwords, credit card details, browser history, Telegram login credentials, Steam accounts, Discord tokens, and more.  

DCRat can also take screenshots, steal clipboard contents and contains a keylogger that can track anything the victim types onto their computer. It ultimately provides cyber criminals with full access to almost everything the victim does after downloading the malware. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

Malware this powerful tends to be the work of sophisticated and well-resourced cyber-criminal groups, but according to analysis by cybersecurity researchers at BlackBerry, DCRat is developed and maintained by a single user who actively markets their product on several Russian-speaking underground forums, as well as a Telegram channel. 

“This remote access Trojan (RAT) appears to be the work of a lone actor, offering a surprisingly effective homemade tool for opening backdoors on a budget,” BlackBerry warned.

The anonymous nature of the accounts don’t reveal much about DCRat’s creator, but researchers suggest that, despite the powerful nature of the malware, maintaining it isn’t their full-time job. 

The financial status of the person behind the malware could also be the reason why DCRat is available at such a low price compared to other tools with similar capabilities. 

“A lone-wolf operator would have low operating costs and, given the associated complexity of DCRat, low costs for backend infrastructure hosting” Simpson said.

The backdoor tool is written in JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine. The coding language is often used by cross-platform game developers because it’s both easy to use and flexible. In the case of DCRat, those features makes it perfect for developing and updating the malware – researchers note that minor updates and fixes are announced almost every day. 

And because JPHP isn’t as widely used as other programming languages, it’s potentially more difficult to detect signatures and protect systems. 

SEE: A security researcher easily found my passwords and more: How my digital footprints left me surprisingly over-exposed

There’s also evidence that the author of DCRat isn’t entirely honest with their customers. Anyone running an instance of the malware can see statistics showing “servers working” and “users online” – but analysis of these tabs appears to suggest the numbers are completely made up. 

But for now, DCRat remains a potent cybersecurity threat, providing cyber criminals with the ability to steal vast amounts of information from other individuals and organisations, particularly as the malware remains under active development, with new capabilities being added. 

“We would anticipate that organisations with weak endpoint defences and poor internal security posture would be likely targets or at greater risk,” said BlackBerry.

It’s still unclear how DCRat is actually delivered to victims, but researchers note that deployment of the malware often coincides with the use of Cobalt Strike, a legitimate penetration-testing tool that is often abused by cyber criminals.  

While DCRat is a potent cybersecurity threat, there are steps that individuals and organisations can take to help protect against falling victim. For example, researchers suggest that applying multi-factor authentication can help prevent accounts being taken over even if passwords have been stolen, while IT departments should monitor the network to detect – and prevent – potentially suspicious activity. 

MORE ON CYBERSECURITY