Malware News Kaspersky reveals in great detail: “A Laughing RAT” — CrystalX blends spyware, data-stealing, and prankware capabilities into a single threat.

Khushal
Thread author
Apr 4, 2024
Picture this: you sit down at your computer with a cup of coffee to start your day, turn it on, and something strange begins. Your screen starts spinning. Then the wallpaper changes. Your keyboard stops working, the mouse buttons switch places, and a message appears on the screen: “Hey buddy.” Then the camera turns on. A silly joke? No. This isn’t an April Fools’ prank. It’s a 360-degree compromise.
Read the details about CrystalX RAT, a new malware that spies, steals data, and mocks its victims: An analysis of CrystalX commercial RAT with prankware features
 
Executive Summary
Analysis confirms the presence of "CrystalX RAT", a Golang-based Malware-as-a-Service (MaaS) integrating spyware, infostealing, and prankware capabilities.

Assessment
While the exact delivery vector remains unknown based on current telemetry, the payload's ability to patch Windows security components (AMSI, ETW) and inject malicious browser extensions poses a critical threat to both enterprise and consumer environments.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

T1059.001 (Command and Scripting Interpreter: cmd[.]exe)
T1562.001 (Impair Defenses: Disable or Modify Tools - AmsiScanBuffer/EtwEventWrite patching)
T1555.003 (Credentials from Password Stores: ChromeElevator utility)
T1113 (Screen Capture: VNC module)
T1115 (Clipboard Data: JS Clipper injection via content.js)

CVE Profile
Unknown/N/A [CISA KEV Status: Inactive].
The delivery vector is currently "Origin: Insufficient Evidence," so no specific exploitation framework is confirmed.

Telemetry

Registry Keys

The malware modifies or checks HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings for MITM proxy detection.

File Paths
%TEMP%\svc[rndInt].exe, %LOCALAPPDATA%\Microsoft\Edge\ExtSvc.

Network (C2)
hxxp://webcrystal[.]lol
hxxp://webcrystal[.]sbs
hxxp://crystalxrat[.]top (utilizing WebSocket protocol).

Hashes (MD5)
47ACCB0ECFE8CCD466752DDE1864F3B0
2DBE6DE177241C144D06355C381B868C

Constraint
The structure suggests the payload is packed via zlib and encrypted with ChaCha20, bypassing basic static detection.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Initiate incident response protocols for suspected credential compromise if CrystalX IOCs are detected in the environment.

DETECT (DE) – Monitoring & Analysis

Command
Deploy SIEM hunting queries for WebSocket traffic connecting to known C2 infrastructure (webcrystal[.]lol or crystalxrat[.]top).

Command
Monitor EDR telemetry for anomalous execution of the ChromeElevator utility or unusual script creation in %LOCALAPPDATA%\Microsoft\Edge\ExtSvc.

RESPOND (RS) – Mitigation & Containment

Command
Isolate affected endpoints from the network immediately to sever the remote control VNC/WebSocket connection.

Command
Suspend all user accounts associated with the compromised host, specifically forcing MFA resets for SaaS and VPN access.

RECOVER (RC) – Restoration & Trust

Command
Image the system for forensics. Do not attempt to clean the host; reimaging is required due to the deployment of memory patches targeting AmsiScanBuffer and EtwEventWrite.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Implement application control to prevent unsigned binaries and scripts from executing in %TEMP% and %LOCALAPPDATA%.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect from the internet immediately if you experience "prankware" symptoms such as inverted mouse buttons, unexpected screen rotation, or cursor shaking.

Command
Do not log into banking/email until verified clean.

Priority 2: Identity

Command
Reset passwords and MFA tokens for Discord, Telegram, Steam, and all browser-saved accounts using a known clean device (e.g., phone on 5G).

Priority 3: Persistence

Command
Check browser extensions in Chrome and Edge. The malware injects a hidden extension (content.js) to maliciously swap cryptocurrency addresses in your clipboard. If the host is infected, a full OS reinstallation is strongly advised.

Hardening & References

Baseline
CIS Microsoft Windows Desktop Benchmarks.

Framework
NIST CSF 2.0 / SP 800-61r3.

Source
Securelist (Kaspersky) Primary Technical Analysis
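One way to turn the DETECT-track items above (C2 hunting in proxy logs, the %TEMP% dropper name pattern, the Edge\ExtSvc directory and the two MD5 hashes) into a runnable hunt. This is an added example and is not code from the post or from the Securelist report; the indicators are the ones listed in the post, while the proxy-log format, the sample log lines and the on-disk files are constructed for the demo.

```python
"""Hunt for the CrystalX IOCs listed in the post: C2 domains in proxy logs,
svc<N>.exe droppers in %TEMP%, the Edge\\ExtSvc extension directory, and the
two MD5 hashes. Added example, not from the Securelist report or the post;
the proxy-log format and the sample files are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators from the post (defanged "[.]" resolved to real dots for matching).
C2_DOMAINS = {"webcrystal.lol", "webcrystal.sbs", "crystalxrat.top"}
KNOWN_MD5 = {"47accb0ecfe8ccd466752dde1864f3b0",
             "2dbe6de177241c144d06355c381b868c"}
# %TEMP%\svc[rndInt].exe: "svc" followed by a random integer.
SVC_EXE_RE = re.compile(r"^svc\d+\.exe$", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp://webcrystal[.]lol) into a matchable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")


def is_c2_host(host: str) -> bool:
    """Match the exact C2 domains and any subdomain of them, case-insensitively."""
    host = host.lower().rstrip(".")
    return host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS)


def hunt_proxy_log(lines):
    """Constructed log format (one request per line):
    <timestamp> <client_ip> <method> <host> <path> <status> <upgrade_header|->
    Returns one finding per request to a known C2 host, flagging WebSocket upgrades."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 7:
            continue  # malformed or truncated line; skip rather than crash the hunt
        ts, client, _method, host, _path, _status, upgrade = parts[:7]
        if is_c2_host(host):
            findings.append({"ts": ts, "client": client, "host": host.lower(),
                             "websocket": upgrade.lower() == "websocket"})
    return findings


def md5_of(path: Path) -> str:
    """Stream the file through MD5 so large binaries do not land in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_filesystem(temp_dir, localappdata_dir):
    """Check the two file-path indicators. Pass the real %TEMP% and %LOCALAPPDATA%
    on a live host; the demo below uses a constructed directory tree."""
    findings = []
    for p in Path(temp_dir).iterdir():
        if p.is_file() and SVC_EXE_RE.match(p.name):
            findings.append({"kind": "temp_svc_exe", "path": str(p),
                             "known_hash": md5_of(p) in KNOWN_MD5})
    ext_svc = Path(localappdata_dir) / "Microsoft" / "Edge" / "ExtSvc"
    if ext_svc.is_dir():
        findings.append({"kind": "edge_extsvc_dir", "path": str(ext_svc),
                         "has_content_js": any(q.name == "content.js"
                                               for q in ext_svc.rglob("*"))})
    return findings


def demo():
    """Run both hunts over constructed data and return (network, filesystem) findings."""
    sample_log = [  # constructed lines; the second is a WebSocket upgrade to a C2 host
        "2024-04-04T08:01:02Z 10.0.0.15 GET update.example.com /v1/check 200 -",
        "2024-04-04T08:01:09Z 10.0.0.15 GET " + refang("webcrystal[.]lol") + " /ws 101 websocket",
        "2024-04-04T08:02:30Z 10.0.0.22 POST api.crystalxrat.top /beacon 200 -",
        "garbage line",
    ]
    with tempfile.TemporaryDirectory() as root:
        temp = Path(root) / "Temp"
        lad = Path(root) / "Local"
        temp.mkdir()
        # Constructed stand-in: the name matches the pattern, the content is not the real dropper.
        (temp / "svc48213.exe").write_bytes(b"MZ constructed stand-in")
        (temp / "notes.txt").write_text("benign")
        ext = lad / "Microsoft" / "Edge" / "ExtSvc"
        ext.mkdir(parents=True)
        (ext / "content.js").write_text("// constructed placeholder")
        fs = hunt_filesystem(temp, lad)
    return hunt_proxy_log(sample_log), fs


if __name__ == "__main__":
    for finding in sum(demo(), []):
        print(finding)
```

The name-pattern and hash checks are deliberately reported separately: a renamed or repacked build (the post notes zlib packing and ChaCha20 encryption) will miss the hash but still trip the `svc<N>.exe` path check, and a subdomain of the C2 apex still matches because `is_c2_host` tests the suffix rather than the exact string.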
 
Great share, thanks for bringing this up!

CrystalX is a clear example of how attackers blend "playful" elements with malicious intent. By combining spyware, data theft, and visual pranks into one package, it becomes a versatile threat—capable of distracting the victim while seriously compromising the system in the background.

Basic protection measures:

  • Keep Windows and all software fully updated.
  • Use a reliable antivirus with real-time protection.
  • Be extremely cautious with suspicious downloads and attachments.
  • Use a password manager to avoid credential reuse.
  • Stay alert for any unusual system behavior.
🤡🕵️🛡️