Malware loader PureCrypter has been leveraged to facilitate the delivery of the DarkVision RAT payload as part of a malware campaign identified in July, according to The Hacker News.
After gaining initial access, the threat actors decrypted Donut loader shellcode, which executes PureCrypter before running DarkVision RAT; persistence is established through scheduled tasks and a batch script that deploys the RAT executable, a report from Zscaler ThreatLabz revealed.

Beyond its keylogging, process injection, remote shell, and browser data recovery capabilities, DarkVision RAT can also exfiltrate system information, accept plugins, and ultimately take over the Windows host, researchers said.

"DarkVision RAT represents a potent and versatile tool for cybercriminals, offering a wide array of malicious capabilities, from keylogging and screen capture to password theft and remote execution. This versatility, combined with its low cost and availability on hack forums and their website, has made DarkVision RAT increasingly popular among attackers," said Zscaler.