For about the price of a cup of Starbucks latte, a hacker is renting out a remote access trojan designed to backdoor targeted networks.

Dubbed as Dark Crystal RAT (or DCRat), the malware is being peddled online to hackers in Russian by a lone rookie malware writer with a penchant for cut-rate pricing.

“DCRat is one of the cheapest commercial RATs we’ve ever come across. The price for this backdoor starts at ($6) for a two-month subscription, and occasionally dips even lower during special promotions,” according to BlackBerry researchers who published their findings on Monday.

BlackBerry said sales of the budget RAT are being facilitated by the cybercriminal that goes by the name “boldenis44” or “crystalcoder.”

Capabilities of the RAT include a “stealer/client executable”, a single PHP page, which serves as the command-and-control endpoint and an administrator tool.

A Breakdown of DCRat

DCRat is, in some ways, amateurish, researchers assert. “There are certainly programming choices in this threat that point to this being a novice malware author,” they wrote.

“The administrator tool is a standalone executable written in the JPHP programming language, an obscure implementation of PHP that runs on a Java virtual machine,” BlackBerry wrote.

JPHP, they noted, is an easy-to-use language aimed at novice developers of desktop games. “The malware author may have chosen this format because it’s not particularly well-known, or they might have lacked programming skills in other, more mainstream languages.”

In another odd quirk, researchers note, is the malware author “implemented a function that displays a randomly generated number of ‘servers working’ and ‘users online’ that are meant to appear as statistics in the background of the administrator tool. It could be that they are trying to make their tool appear more popular, or that they just didn’t know how to implement an accurate counter and have employed a pseudo-counter in the meantime as a placeholder.”

However, in most respects, DCRat punches well above its weight.

Along with the stealer, command-and-control interface and administrator tool, the malware is highly customizable, demonstrating a higher level of attempted sophistication. The modular architecture allows RAT customers to create and share their own plugins.

“DCRat’s modular architecture and bespoke plugin framework make it a very flexible option,” the researchers wrote, “helpful for a range of nefarious uses. This includes surveillance, reconnaissance, information theft, DDoS attacks, as well as dynamic code execution in a variety of different languages.”

Customization prevents DCRat from growing stale, even after three years. That, and the constant care and attention its author gives it. “The administrator tool and the backdoor/client are regularly updated with bug fixes and new features; the same applies to officially released plugins.” The researchers noted a particular case in 2020, when Mandiant published an in-depth look at the DCRat client. “Just days after this report was released,” to combat the unwanted attention, “the malware author shifted distribution of the RAT to a new domain.”

Is DCRat an Outlier or an Omen?

Current is about $7 for a two-month lease. For a year, $33 and for a lifetime subscription $63.

Researchers speculate the low price is because the criminals behind the malware are just looking for attention. “It could be that they’re simply casting a wide net,” the researchers theorized, “trying to get a little money from a lot of maliciously minded people. It could also be that they have an alternative source of funding, or this is a passion project rather than their main source of income.”

It remains to be seen whether DCRat will be an outlier on cybercrime forums, or a new precedent. The implications could be significant. If effective malware is as cheap as a cup of coffee, how many more people might be lured into trying it out? And how much more capable might their attacks be?

“The biggest, flashiest threat groups might get their name in lights,” the researchers concluded, “but they aren’t necessarily the cybercriminals that keep security practitioners up at night.”