A new piece of malware has come out, and cybercriminals are openly selling it through private Telegram channels. This article explores the CrystalX malware. CrystalX is a Malware-as-a-Service (MaaS) platform that bundles a remote access trojan (RAT), a credential stealer, a keylogger, spyware, and an unusual set of prankware tools.

The malware has already spread, with dozens of victims, mostly in Russia, as of the time of this report. Kaspersky products detect this threat under several signatures, including Backdoor.Win64.CrystalX, Trojan.Win32.Agent, and Trojan.Agentb.gen. At the network perimeter, companies should block the domains it uses, watch for unusual outbound WebSocket connections, and investigate any executable that exhibits anti-debugging behaviour. Keeping endpoint protection tools up to date remains an effective way to stop threats like CrystalX from gaining a foothold.
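The perimeter advice above (watch for unusual outbound WebSocket connections) can be turned into a simple triage script. The following is an added example, not code from the article or from any vendor product: it parses a handful of constructed proxy log lines, flags WebSocket upgrades to hosts outside an assumed allowlist, and adds extra reasons for raw-IP destinations and non-standard ports. The log format, the hostnames and the allowlist are all assumptions made for the example.

```python
"""Added example: triage constructed proxy log lines for outbound WebSocket
upgrades to hosts that are not on an organisation's allowlist.
The log format, hostnames and allowlist below are assumptions, not real data."""
import ipaddress
import re

# Constructed sample lines: "<timestamp> <src-ip> <method> <host>:<port> upgrade=<header-or-->"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET chat.example-corp.local:443 upgrade=websocket
2024-05-01T10:00:03Z 10.0.0.5 GET cdn.example.com:443 upgrade=-
2024-05-01T10:00:07Z 10.0.0.9 GET 203.0.113.44:8080 upgrade=websocket
2024-05-01T10:00:09Z 10.0.0.9 GET ws-panel.invalid:443 upgrade=websocket
2024-05-01T10:00:15Z 10.0.0.9 GET ws-panel.invalid:443 upgrade=websocket
"""

# Assumed allowlist of internal services that legitimately use WebSockets.
ALLOWED_WS_HOSTS = {"chat.example-corp.local"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([^:\s]+):(\d+) upgrade=(\S+)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, method, host, port, upgrade = m.groups()
    return {"ts": ts, "src": src, "method": method, "host": host,
            "port": int(port), "upgrade": upgrade}


def is_ip_literal(host):
    """True if the destination is a bare IP address rather than a hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_suspicious_websockets(log_text, allowed=ALLOWED_WS_HOSTS):
    """Return {host: {"sources": set, "count": int, "reasons": set}} for every
    WebSocket upgrade whose destination is not on the allowlist."""
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["upgrade"].lower() != "websocket":
            continue
        if rec["host"] in allowed:
            continue
        reasons = {"websocket upgrade to non-allowlisted host"}
        if is_ip_literal(rec["host"]):
            reasons.add("raw IP destination")
        if rec["port"] not in (80, 443):
            reasons.add(f"non-standard port {rec['port']}")
        entry = findings.setdefault(rec["host"],
                                    {"sources": set(), "count": 0, "reasons": set()})
        entry["sources"].add(rec["src"])
        entry["count"] += 1
        entry["reasons"].update(reasons)
    return findings


if __name__ == "__main__":
    for host, info in find_suspicious_websockets(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} upgrade(s) from {sorted(info['sources'])}; "
              f"reasons: {sorted(info['reasons'])}")
```

Repeated upgrades from one source to the same unknown host are the pattern worth a second look; the script aggregates per destination so that a beaconing implant stands out from a single stray connection.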

The threat continues to evolve with new versions of the implant, a sign of active development and a growing subscriber base. Notably, CrystalX has no built-in geographic restrictions, so any subscriber can use it against targets anywhere in the world. The control panel's auto-builder lets operators configure anti-analysis features such as selective geoblocking by country and custom executable icons.

It checks a Windows registry value to detect whether proxy tools such as Fiddler, Burp Suite, or mitmproxy are running, matching them against a blacklist of process names. Once these checks pass, CrystalX connects to its command-and-control server over a hardcoded WebSocket URL and begins gathering system data. A hard-coded 32-byte key and a 12-byte nonce make static analysis harder, complicating efforts to understand the malware.

One of CrystalX's most important features is its ability to evade detection by compressing files with zlib and encrypting them with ChaCha20.
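The 32-byte key and 12-byte nonce mentioned earlier are exactly the parameters of IETF ChaCha20 (RFC 8439), which is why recovering both from a sample is enough for an analyst to reverse the zlib-then-ChaCha20 layering described here. The following is an added example, not code from the article or from the malware: it implements ChaCha20 from the RFC in pure Python, reproduces the compress-then-encrypt pipeline on a constructed payload, and shows the analyst side that decrypts with a recovered key and nonce. The key, nonce and payload are constructed, and the starting block counter of 1 is an assumption (the article does not say what counter the implant uses).

```python
"""Added example: RFC 8439 ChaCha20 plus zlib, modelling the compress-then-encrypt
step described in the article and the analyst's decrypt-then-decompress step.
The key, nonce, payload and starting counter below are assumptions."""
import struct
import zlib

MASK32 = 0xFFFFFFFF


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarter_round(state, a, b, c, d):
    """One ChaCha quarter round, applied in place to four state words."""
    state[a] = (state[a] + state[b]) & MASK32; state[d] = _rotl(state[d] ^ state[a], 16)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = _rotl(state[b] ^ state[c], 12)
    state[a] = (state[a] + state[b]) & MASK32; state[d] = _rotl(state[d] ^ state[a], 8)
    state[c] = (state[c] + state[d]) & MASK32; state[b] = _rotl(state[b] ^ state[c], 7)


def chacha20_block(key, counter, nonce):
    """Return the 64-byte keystream block for (key, counter, nonce)."""
    if len(key) != 32 or len(nonce) != 12:
        raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
    # "expand 32-byte k" constants, then key, counter and nonce as little-endian words.
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3L", nonce))
    working = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        quarter_round(working, 0, 4, 8, 12)
        quarter_round(working, 1, 5, 9, 13)
        quarter_round(working, 2, 6, 10, 14)
        quarter_round(working, 3, 7, 11, 15)
        quarter_round(working, 0, 5, 10, 15)
        quarter_round(working, 1, 6, 11, 12)
        quarter_round(working, 2, 7, 8, 13)
        quarter_round(working, 3, 4, 9, 14)
    return struct.pack("<16L", *[(w + s) & MASK32 for w, s in zip(working, state)])


def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (the same XOR) with the keystream starting at `counter`."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)


def pack_exfil(key, nonce, plaintext):
    """Model of the described pipeline: zlib-compress, then ChaCha20-encrypt."""
    return chacha20_xor(key, nonce, zlib.compress(plaintext))


def unpack_exfil(key, nonce, blob):
    """Analyst side: decrypt with the recovered key/nonce, then decompress.
    A wrong key or nonce yields bytes that are not a zlib stream, so the
    failure is reported rather than silently returning garbage."""
    try:
        return zlib.decompress(chacha20_xor(key, nonce, blob))
    except zlib.error as exc:
        raise ValueError("no valid zlib stream after decryption; check key/nonce") from exc


if __name__ == "__main__":
    # Constructed key/nonce standing in for values an analyst would pull from a sample.
    key = bytes(range(32))
    nonce = b"\x00" * 12
    sample = b"hostname=WS-01;user=alice;proxy=0;" * 8
    blob = pack_exfil(key, nonce, sample)
    print(len(sample), "plaintext bytes ->", len(blob), "encrypted bytes")
    print("recovered:", unpack_exfil(key, nonce, blob) == sample)
```

Because ChaCha20 is a stream cipher, the compressed length leaks through the ciphertext; the length comparison printed above is one of the few things a defender can still observe about an encrypted exfiltration channel without the key.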