In recent months a new actor has emerged in the threat landscape: a malware service offered as a product, promoted on public channels such as Telegram and YouTube and designed to turn anyone with criminal intent into an operator capable of spying, stealing credentials and controlling remote machines. It is a "malware-as-a-service" (MaaS) offering that combines serious info-stealing functions with a collection of provocative tricks designed to disturb or confuse the victim.
The security researchers who have analyzed this family of threats have documented that the project was launched at the beginning of the year and works with a tiered subscription system that unlocks different degrees of functionality depending on what is paid. In their technical analysis, Kaspersky specialists describe that the malicious piece shares numerous design elements with another known threat (often referred to as WebRAT or Salat Stealer), from the control interface to the Go language codebase and the marketing model based on bots and automated channels. You can read Kaspersky's technical report here: Kaspersky - Crystal RAT.

Functionally, the malware offers several capabilities typical of remote access Trojans and info-stealers: remote command execution, file transfer, file system navigation and remote screen control via a built-in VNC. It also incorporates espionage modules that allow capturing audio and video from the infected computer, as well as a keylogger that transmits keystrokes to the control server in real time. For cryptocurrency users it also includes a clipper: it detects wallet addresses copied to the clipboard using regular expressions and replaces them with addresses controlled by the attacker.
From a technical point of view, the creators have paid attention to protecting their distribution chain and the communication with their servers. The payload builder lets the operator customize executables and apply geo-blocking, and the malware incorporates anti-analysis mechanisms such as virtualized environment detection, proxy checks and anti-debugging. The generated files are compressed with zlib and encrypted with the ChaCha20 stream cipher to make inspection and signature-based detection more difficult; more information about these technologies is available in the technical articles on zlib and ChaCha20.
Communication with the operator's control panel is done over WebSocket, a channel that provides persistent, bidirectional connections between the malware and its infrastructure and lets the operator profile the compromised system and keep a record of infections. For browser data theft, the project uses specialized tools to extract data from Chromium-based browsers such as Chrome, Yandex and Opera, and it also collects credentials and data from desktop applications popular among users and gamers, such as Steam, Discord and Telegram's own client.
Beyond the classic functions of a RAT, this product stands out for adding a package of "prankware": commands aimed at causing discomfort or interrupting the victim's work. Among the actions documented by analysts are changing the wallpaper, forcing a shutdown, inverting or rotating the screen orientation, disabling keyboard or mouse input, hiding interface elements such as icons or the taskbar, blocking the Task Manager, and displaying fake notifications or chat windows to deceive or distract the user. Although these features do not directly increase the ability to monetize the intrusion, they do make the tool more attractive to low-skilled users and can be used to distract the victim while the data theft modules act in the background.
According to analysts, the combination of an accessible interface, an automated builder and customization options attracts low-skilled actors who otherwise could not operate such tools. The real danger is that the MaaS model lowers the entry barrier and multiplies the number of individuals able to run data theft and fraud campaigns, something we have been seeing for years with other variants of illicit services on the dark web and messaging channels.
To better understand the context and techniques used by this type of threat, it is useful to refer to public reference frameworks that catalogue intrusion tactics and techniques. The MITRE ATT&CK framework offers an inventory of techniques used by adversaries, from input capture to exfiltration and defense evasion, and can serve as a guide for security professionals: MITRE ATT&CK.
What can users and organizations do to reduce risk? The basic principles of digital hygiene remain the most effective: be wary of attachments or executables from unverified sources and do not open them, keep the operating system and applications up to date, use recognized endpoint detection and antivirus solutions, and apply multifactor authentication on critical services. Users who handle cryptocurrency should always check addresses manually before making transfers and consider using hardware wallets to mitigate the risk of clipboard clippers.
From an organizational perspective, it is worth investing in solutions that detect abnormal behavior (e.g., suspicious WebSocket connections from workstations, processes that access multiple messaging or browser applications, or keylogging activity), as well as network segmentation and application control policies to limit exposure. Incident response teams should maintain procedures to isolate compromised machines and analyze devices with forensic tools that can deal with compressed and encrypted payloads.
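One way to start on the first of those signals, as an added example that is not part of this article or the Kaspersky report: a detection pass over constructed proxy log lines that flags long-lived WebSocket upgrades from workstations to destinations outside an assumed allowlist. The log format, host names, workstation naming prefix, allowlist and duration threshold are all assumptions.

```python
import ipaddress
import re

# Added example, not code from the article or the Kaspersky report: the log
# format, hostnames, naming prefix and allowlist are constructed assumptions.
ALLOWED_WS_HOSTS = {"teams.microsoft.com", "slack.com", "web.whatsapp.com"}
LONG_SESSION_SECONDS = 600       # threshold to tune per environment
WORKSTATION_PREFIX = "WS-"       # assumed endpoint naming convention
# Constructed proxy log line: <ts> <src> <dst>:<port> upgrade=<hdr> dur=<seconds>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[^:\s]+):(?P<port>\d+) "
    r"upgrade=(?P<upgrade>\S+) dur=(?P<dur>\d+)$"
)

def is_bare_ip(host: str) -> bool:
    # A literal IP as WebSocket endpoint is unusual for collaboration services.
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def detect_ws_c2(lines):
    """Return (ts, src, dst, reason) tuples for WebSocket sessions worth triage."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["upgrade"].lower() != "websocket":
            continue                  # malformed line or not a WebSocket upgrade
        if not m["src"].startswith(WORKSTATION_PREFIX):
            continue                  # servers may legitimately hold sockets
        dst = m["dst"].lower()
        if dst in ALLOWED_WS_HOSTS:
            continue                  # known collaboration service
        reasons = []
        if is_bare_ip(dst):
            reasons.append("destination is a bare IP")
        if int(m["dur"]) >= LONG_SESSION_SECONDS:
            reasons.append(f"session lasted >= {LONG_SESSION_SECONDS}s")
        if reasons:
            findings.append((m["ts"], m["src"], dst, "; ".join(reasons)))
    return findings

# Constructed sample: allowed service, server source, suspicious workstation, non-WebSocket.
SAMPLE_LOG = [
    "2025-03-01T09:00:00Z WS-ACCT-07 teams.microsoft.com:443 upgrade=websocket dur=3600",
    "2025-03-01T09:01:10Z SRV-WEB-01 203.0.113.10:443 upgrade=websocket dur=7200",
    "2025-03-01T09:02:30Z WS-HR-12 198.51.100.23:8080 upgrade=websocket dur=5400",
    "2025-03-01T09:03:45Z WS-ACCT-07 cdn-sync.example:443 upgrade=none dur=2",
]
```

Only the third line is reported: it is a workstation, the destination is a literal IP and the session exceeds the threshold, while the server-originated and allowlisted sessions are suppressed.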

The emergence of services that pack advanced functionalities in easy-to-use tools is a worrying trend because it democratizes the ability to commit crime in cyberspace. Prevention and education continue to be the first line of defence: an informed user and reasonable security policies greatly complicate the success of these attacks.
For those who want to go deeper into the technical analysis of the case described, the Kaspersky report provides a detailed description of the capabilities, telemetry and panel screens that operators use, and is a good starting point: Kaspersky - Crystal X analysis. In addition, public documentation on the encryption and compression methods cited in the analysis helps to understand why the payloads may be harder to inspect: ChaCha20 and zlib.
In short, the combination of data theft functions and "joke" elements makes this RAT family a versatile threat: capable of spying and exfiltrating information while causing interruptions or confusion. The best response remains a mix of technical controls, continuous training and a cautious attitude toward content and downloads from unverified sources.