Cybersecurity Researchers Found a New Malware, CrystalX RAT

CrystalX RAT is a new malware-as-a-service offering discovered by cybersecurity researchers. It combines typical surveillance tools with disruptive prank-style features. According to Kaspersky, the service is being actively promoted online and could see rapid growth in victims.

Cybersecurity researchers said the CrystalX RAT malware offers a wide range of capabilities beyond standard spyware functions, including features designed to disturb or harass victims. The malware is being promoted through an organized campaign, which raises concerns about wider adoption.

CrystalX RAT allows attackers to remotely control infected systems. It supports command execution, file uploads and downloads, file system access, real-time control, and forced system shutdown.

To steal data, the malware includes keylogging, clipboard hijacking, and the ability to extract data from browsers and from desktop applications such as Steam, Discord, and Telegram.

It also supports surveillance features, including capturing video through a device’s camera and recording audio through the microphone.

In addition to espionage tools, the malware includes several disruptive functions. These allow attackers to change wallpapers, alter screen orientation, display fake notifications, move the cursor, hide desktop elements such as icons and the taskbar, disable system tools, and remap mouse controls.

Additionally, the malware has an integrated chat window that allows attackers to speak with victims directly and deliver threats or demands for money.

Although pricing information was not made public, Kaspersky stated that CrystalX RAT is offered through a tiered subscription approach. The service is mainly advertised on Telegram, although YouTube channels are also used to showcase its features.

Prank features may also be used as a marketing tactic to set the service apart from other malware products, according to researchers.

Kaspersky says CrystalX RAT appears to target inexperienced attackers, also known as “script kiddies.” Nevertheless, it has sophisticated capabilities, including virtual machine detection, executable customization, anti-debugging tools, and geoblocking.

The malware resembles WebRAT, which seems to be the source of some of its characteristics.

Although the precise number of victims is still unknown, experts reported that dozens of people have already been impacted by the infection. Leonid Bezvershenko, a senior security researcher at Kaspersky GReAT, claims that the majority of reported cases are in Russia.

Bezvershenko said in a statement:

“Such a diverse feature set effectively enables a 360-degree compromise of the victim and a complete loss of privacy. Beyond gaining access to account credentials, the stolen data could potentially be used for blackmail. We expect the number of victims to grow significantly and its geographic spread to expand in the near future.”

Researchers think social engineering techniques, such as phony software cracks, phony premium services, and activation tools, are how the malware spreads.

The researchers stated:

“CrystalX RAT represents a highly functional MaaS platform that is not limited to espionage capabilities – spyware, keylogging and remote control – but includes unique stealer and prankware features. Combined with the growing PR campaign for CrystalX RAT, it can be concluded that the number of victims can increase significantly in the near future.”

They cautioned that the malware allows for total system compromise, including access to private information that might be exploited for extortion. Kaspersky anticipates a rise in both the geographic reach and the number of victims.
