A freely offered Remote Access Trojan (RAT), dubbed Darktrack, is as good as the paid RATs considered best-sellers on the market.
The Trojan's creator is a malware coder named Luckyduck, and he is providing his product for free. This tactic took researchers by surprise, mainly because malware that is actually good is not offered for free on underground hacking forums or Dark Web marketplaces. On the contrary, such tools are expected to be moneymakers and earn their authors a fortune.
Moreover, free RATs, or any other pieces of freely offered malware, are usually not fully working, backdoored by their creators, or far too easy to detect.
However, this is not the case with Darktrack, according to the researcher MalwareHunterTeam, who stumbled across a sample of the Trojan at the end of last month.
Apparently, Darktrack is fully equipped with powerful features just like commercial RATs, but when MalwareHunterTeam found its homepage, he was surprised to see it was offered for free by its creator. Moreover, Luckyduck was promising to never make it a paid-for product.
The RAT version the researcher ran across was Darktrack v4.0, and he immediately informed Softpedia about the new threat. Ever since, the company has been tracking Darktrack mentions online to see exactly how Darktrack evolved.
As it turns out, the same day Darktrack was uncovered, its developer, Luckyduck, started teasing members of one of the biggest underground forums about a new product, named Darktrack Alien+ 4.1, that he was about to release.
“The previous [4.0] version was also at least as good as the current ‘best-selling’ RATs. If the new version will be even better, and still free, don’t think there is any reason to buy a paid RAT.” – MalwareHunterTeam states.
Luckyduck was informing the forum users that a new and improved RAT version would soon be available. On September 4th, he even uploaded a video to YouTube showing Darktrack Alien+ 4.1 during early tests.
Darktrack also has a website dedicated to it, as well as Facebook, Twitter, and Google+ pages. Its creator's YouTube channel hosts many Darktrack tutorials too.
The RAT's domain leads to a man called Ekrem Karatas from Istanbul, Turkey. Of course, there is a high chance that this is a fake identity, and researchers don't rely on it that much. A deep Google search for this man's email address returned only results associated with the Darktrack domain.
The Darktrack RAT is advertised as having some of the same strong features common to commercial RATs like JBifrost (Adwind) or Orcus. Darktrack is able to spy via webcams, connect to remote computers and access their filesystem, dump passwords, perform network stress tests (DDoS attacks), log keystrokes, execute commands on infected PCs, and interact with local processes and services.
It also features an interface to interact with the victim’s task scheduler, a port scanner, a clipboard data logger, a Windows Registry editor, a system monitoring tool, a startup program manager and a host file editor.
MalwareHunterTeam says that almost all of these abilities are included in paid, best-selling RATs.
“Maybe a good plugin system is what could be a reason for buying a commercial RAT if Darktrack does not have one” – MalwareHunterTeam adds – “But I think average skids don’t care.”