CrystalX RAT: Malware‑as‑a‑Service Combines Spyware, Credential Stealer, and Full Remote Access
What Happened — Kaspersky uncovered a new RAT sold as a Malware‑as‑a‑Service (MaaS) on Telegram and YouTube. The “CrystalX” platform lets attackers purchase a customizable remote‑access trojan that includes keylogging, clipboard hijacking, crypto‑wallet address swapping, and data‑stealing modules for browsers and gaming apps.
Why It Matters for TPRM —
- The subscription model lowers the barrier for low‑skill actors: a buyer gets keylogging, clipboard hijacking, wallet‑address swapping and credential theft without writing any code, and a vendor's workstation is as reachable a target as your own.
- Built‑in anti‑analysis checks and encrypted C2 traffic hinder sandbox detonation and payload inspection, raising the risk of a prolonged, undetected compromise inside a partner's environment.
- The stealer targets widely used services (Steam, Discord, Telegram, Chromium‑based browsers); saved credentials and session data taken from a partner's workstation can expose shared accounts and API keys used in supply‑chain integrations.
Who Is Affected — Any organization that relies on Windows workstations, especially SaaS providers, MSPs, organizations that hold crypto‑wallet credentials, and environments where staff sign in to SSO through Chromium‑based browsers.
Recommended Actions —
- Review third‑party relationships that involve remote‑desktop or support tools; verify that the vendor's endpoints are hardened and covered by EDR, not just that a policy says so.
- Deploy behavior‑based EDR. The ChaCha20‑encrypted payloads cannot be inspected on the wire, so detection has to rest on behavioural signals (keyboard hooks, clipboard monitoring, wallet‑address replacement, reads of browser and messenger credential stores) and on WebSocket connections to fixed, non‑business endpoints, especially from processes that are not browsers.
- Enforce least privilege for credential storage; rotate service‑account credentials on a schedule and immediately when a workstation is suspected of compromise, and revoke browser and messenger sessions at the same time, since the stealer takes session data as well as passwords.
Technical Notes — The RAT connects to a hard‑coded WebSocket C2 URL; payloads are compressed with zlib and then encrypted with ChaCha20. Anti‑analysis checks include VM detection and proxy checks. Exfiltrated data is sent as plain‑text JSON. The stealer module currently targets Steam, Discord, Telegram, and Chromium‑based browsers (using the ChromeElevator utility for the latter). Remote‑access features include VNC screen control, audio/video capture, and a “prank” module that can alter the user's UI. Source: Security Affairs
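The write‑up describes two wire formats: a C2 channel that zlib‑compresses and then ChaCha20‑encrypts its messages, and stealer reports sent as plain‑text JSON. The script below is an added example written for this brief; it is not code from Kaspersky, Security Affairs or the malware. It rebuilds the described pipeline with a pure‑Python RFC 8439 ChaCha20 (checked against the RFC block test vector), a constructed stealer record, and a demo key and nonce that are assumptions (the sample's real key material is not in the write‑up). `classify_frame` is a content‑only inspector of the kind a network sensor could apply to a WebSocket binary frame: it recognises plain JSON and a raw zlib stream, but once the stream is encrypted the zlib header is gone and the frame is indistinguishable from random bytes, which is why the recommended detection relies on endpoint behaviour and connection metadata rather than payload content.

```python
import hashlib
import json
import math
import struct
import zlib

MASK32 = 0xFFFFFFFF

# Demo key/nonce (assumptions; the sample's real key material is not in the write-up).
DEMO_KEY = bytes(range(32))
DEMO_NONCE = bytes(12)


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block per RFC 8439 (256-bit key, 96-bit nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k")) + list(struct.unpack("<8I", key))
             + [counter & MASK32] + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds: 10 x (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def build_exfil_record(n_entries=200):
    """Constructed stand-in for a stealer report (fake accounts and fake tokens)."""
    apps = ["Discord", "Steam", "Telegram"]
    entries = [{"app": apps[i % 3], "user": f"user{i}@example.com",
                "token": hashlib.sha256(f"demo-token-{i}".encode()).hexdigest()}
               for i in range(n_entries)]
    return {"module": "stealer", "host": "WS-DEMO-01", "entries": entries}


def stage_payload(record, key=DEMO_KEY, nonce=DEMO_NONCE):
    """Return (raw JSON, zlib-compressed, zlib+ChaCha20) for the same record."""
    raw = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    packed = zlib.compress(raw)
    return raw, packed, chacha20_xor(key, nonce, packed)


def unwrap_payload(frame, key=DEMO_KEY, nonce=DEMO_NONCE):
    """Reverse the pipeline: decrypt, decompress, parse."""
    return json.loads(zlib.decompress(chacha20_xor(key, nonce, frame)))


def shannon_entropy(data):
    """Bits per byte over the byte histogram; uniform random data approaches 8.0."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_frame(frame, entropy_threshold=7.5):
    """Content-only verdict for one WebSocket binary frame."""
    try:
        json.loads(frame.decode("utf-8"))
        return "plaintext-json"
    except ValueError:  # covers both UnicodeDecodeError and JSONDecodeError
        pass
    # zlib header: CM == 8 and (CMF*256 + FLG) % 31 == 0, then confirm with a real inflate.
    if len(frame) >= 2 and frame[0] & 0x0F == 8 and ((frame[0] << 8) | frame[1]) % 31 == 0:
        try:
            zlib.decompress(frame)
            return "zlib"
        except zlib.error:
            pass
    return "opaque-high-entropy" if shannon_entropy(frame) >= entropy_threshold else "opaque-low-entropy"


if __name__ == "__main__":
    record = build_exfil_record()
    raw, packed, frame = stage_payload(record)
    for label, blob in (("plain JSON", raw), ("zlib only", packed), ("zlib+ChaCha20", frame)):
        print(f"{label:14} {len(blob):6d} bytes  entropy={shannon_entropy(blob):.2f}  verdict={classify_frame(blob)}")
    assert unwrap_payload(frame) == record
```

Run it and the three verdicts line up with the brief: the plain‑JSON stealer report is trivially recognisable (and worth a DLP or IDS rule), the zlib‑only stream still carries its two‑byte header, and the encrypted frame yields nothing but a near‑8.0 entropy score that any TLS or compressed traffic also produces. A high‑entropy WebSocket frame is therefore not a signature on its own; pair it with the source process and the destination, which is what the EDR recommendation above is about.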