14 DAY TRIAL // A remote access trojan (RAT) developed and provided for free by a malware coder named Luckyduck is actually as good as other top-shelf commercial RATs available today.
This freemium distribution model is strange on today's malware scene where all powerful toolkits are available for a price on underground hacking forums or Dark Web marketplaces, especially if they're actually any good.
Free RATs are often incomplete, easily detected by antivirus engines, and often backdoored by their creators.
That's why, when a security researcher that goes by the name of MalwareHunterTeam came across a Darktrack sample at the end of August, things just didn't add up.
Darktrack as good as commercial RATs
The RAT was full of powerful features, usually found in commercial RATs. But when MalwareHunterTeam tracked down the RAT's homepage, he discovered that Darktrack's creator was offering it for free, and pledging to do so forever.
MalwareHunterTeam had come across Darktrack version 4.0. In the meantime, after the researcher's tip-off, Softpedia has been keeping an eye out for Darktrack mentions online, trying to see how this RAT evolved.
As it turns out, on the same day that MalwareHunterTeam discovered version 4.0, Luckyduck opened a thread on one of the largest underground hacking forums, teasing an upcoming version called Darktrack Alien+ 4.1.
"The previous [4.0] version was also at least as good as the current 'best selling' RATs," MalwareHunterTeam told Softpedia. "If the new version will be even better, and still free, don't think there is any reason to buy a paid RAT."
Malware author doing business on the public Internet
Answering questions from other forum users, Luckyduck said that a new and improved version was very close to its release. On September 4, Luckyduck uploaded a video on YouTube (now delisted, check udpate at the end of the article) showing Darktrack Alien+ 4.1 during early tests.
The malware coder also runs a dedicated website for Darktrack on the public Internet. He also runs a support topic, Facebook, Twitter, and Google+ pages, and brazenly lists his Skype ID. His YouTube channel also features many Darktrack tutorials.
Domain whois information returns the details of a man named Ekrem Karatas from Istanbul, Turkey. This may be a fake identity, so we wouldn't put too much trust into this information. Performing a strict Google search for this person's Gmail address returns only results associated with the Darktrack domain.
Darktrack comes with a keylogger, DDoS module, more
According to his forum post, this free RAT is choke-full with all types of features you've previously seen in commercial RATs such as Orcus or JBifrost (Adwind).
Here is just a short list of advertised features. You can read the full list at the end of this article. According to its forum post and official website, Darktrack comes with the ability to connect to remote computers and access their filesystem, the ability to spy via webcams, log keystrokes, dump passwords, and perform network stress tests (DDoS attacks).
There is also a port scanner, an interface to interact with the victim's task scheduler, a system monitoring tool, a clipboard data logger, a startup program manager, a hosts file editor, a Windows Registry editor, the ability to execute commands on infected PCs, and interact with local processes and services.
Almost everything you find in commercial RATs is included. "Maybe a good plugin system is what could be a reason for buying a commercial RAT if Darktrack does not have one," MalwareHunterTeam also added. "But I think average skids don't care."
UPDATE [September 14, 2016]: Following our article and the attention the RAT received from security researchers, Luckyduck shut down the Draktrack website and published the following message.
