Emergence of Salat Stealer: A New Era in Malware Threats
A new malware family, identified as Salat Stealer, has been observed targeting Windows systems. Written in Go, this Remote Access Trojan (RAT) combines conventional infostealing with a command-and-control (C2) channel built on the QUIC and WebSocket protocols, and it backs that channel with blockchain-hosted configuration so that losing a C2 domain does not cut operators off from infected hosts.
At its core, Salat Stealer gives operators extensive control over compromised systems: remote shell access, desktop and webcam streaming, keylogging, clipboard theft, and theft of saved secrets from browsers and cryptocurrency wallets. That feature set makes it more than a conventional password stealer; once it is running on a host, it serves as a full post-exploitation framework.
Distribution and Stealth Mechanism
Salat Stealer is typically distributed as a UPX-packed Windows executable that borrows the name of a legitimate system process such as explorer.exe, svchost.exe, or lsass.exe. The name alone lets it blend into a process list during initial triage; the image path is the tell, because the genuine binaries run from C:\Windows and its System32 or SysWOW64 subdirectories, never from a user profile, Temp, or ProgramData. On execution, Salat Stealer calls Go's os.Executable() to locate its own image on disk, which it needs when copying itself to its persistence locations and for the cryptographic operations tied to that path.
To hide its configuration strings, the malware uses a string decryption routine with six modes. Two of them are documented: an AES-128-GCM mode whose key is the MD5 digest of the constant string "biba" (a 16-byte digest, which is exactly an AES-128 key), and an XOR mode whose keystream is the hex representation of the Russian phrase "Я люблю сосать". Because both keys are constants compiled into the binary, the scheme defeats simple string dumping rather than analysis: once the constants are recovered, every protected string can be decrypted offline.
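As an added example (not code from the Salat Stealer sample or from its analysts), the following Go program reimplements the two documented modes the way an analyst's offline string decryptor would; the AES-GCM routine is the same primitive that the embedded C2 URLs are ultimately decrypted with. The blob layout (12-byte nonce prepended, 16-byte tag appended), the mode tag values, and the choice to use the ASCII hex text itself as the XOR keystream are assumptions; the sample C2 URL is constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"encoding/hex"
	"errors"
	"fmt"
)

// Mode tags for the two documented modes. The sample has six modes in total;
// the tag values used here are an assumption for this example.
const (
	ModeAESGCM byte = 1
	ModeXOR    byte = 2
)

// Key material as described: AES-128-GCM keyed with the raw MD5 digest of
// "biba", and an XOR keystream derived from the hex encoding of the phrase.
const (
	aesKeySeed = "biba"
	xorPhrase  = "Я люблю сосать"
)

// aesKey returns MD5("biba"); a 16-byte digest is exactly an AES-128 key.
func aesKey() []byte {
	sum := md5.Sum([]byte(aesKeySeed))
	return sum[:]
}

// xorKey returns the XOR keystream. Whether the sample XORs with the ASCII hex
// text or with its decoded bytes is not documented; the ASCII text is assumed.
func xorKey() []byte {
	return []byte(hex.EncodeToString([]byte(xorPhrase)))
}

func newGCM() (cipher.AEAD, error) {
	block, err := aes.NewCipher(aesKey())
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptAESGCM assumes the layout [12-byte nonce][ciphertext][16-byte tag],
// which is what Go's Seal produces with the nonce prepended (an assumption).
func DecryptAESGCM(blob []byte) (string, error) {
	gcm, err := newGCM()
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return "", errors.New("blob too short for nonce and tag")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", fmt.Errorf("gcm open: %w", err) // wrong key or tampered blob
	}
	return string(pt), nil
}

// EncryptAESGCM is the inverse, used only to build a constructed test vector.
func EncryptAESGCM(nonce []byte, plaintext string) ([]byte, error) {
	gcm, err := newGCM()
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Seal(append([]byte{}, nonce...), nonce, []byte(plaintext), nil), nil
}

// XOR is its own inverse, so one function serves both directions.
func XOR(data []byte) []byte {
	key := xorKey()
	out := make([]byte, len(data))
	for i, b := range data {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// DecryptString dispatches on the mode tag, as a string-decryptor hook would.
func DecryptString(mode byte, blob []byte) (string, error) {
	switch mode {
	case ModeAESGCM:
		return DecryptAESGCM(blob)
	case ModeXOR:
		return string(XOR(blob)), nil
	default:
		return "", fmt.Errorf("mode %d not implemented in this example", mode)
	}
}

func main() {
	// Constructed sample: a fake C2 URL sealed under the derived key. The fixed
	// nonce is for reproducibility in this demo only.
	nonce := bytes.Repeat([]byte{0x42}, 12)
	blob, err := EncryptAESGCM(nonce, "wss://c2.example.invalid:443/sa1at/")
	if err != nil {
		panic(err)
	}
	fmt.Println(DecryptString(ModeAESGCM, blob))
	fmt.Println(DecryptString(ModeXOR, XOR([]byte("keylog"))))
}
```

Note that GCM authenticates the blob: a flipped bit anywhere in the ciphertext or tag makes DecryptAESGCM fail, which is useful when recovering the real blob layout by trial, since a wrong offset is rejected outright instead of producing garbage.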
Unique Identification of Victims
Salat Stealer identifies each victim by an agent ID: the MD5 hash of the victim's hostname, a hardware identifier (HWID), and the hardcoded salt LDrx1ePUV27Zt8tq2S14 concatenated together. The ID is embedded in every beacon sent to the C2 server, so operators can track and manage compromised systems individually. Because the salt is constant, the same host yields the same ID across reinfections, which also helps defenders correlate beacons from one machine.
For privilege escalation, Salat Stealer includes a function named main_Elevate, which attempts to relaunch itself with administrator rights whenever it can. Running elevated broadens its access to sensitive data and system controls.
Command-and-Control (C2) Capabilities
Salat Stealer's behaviour is selected at launch by command-line arguments. A "-k" switch starts a keylogger-only mode; other argument forms execute a JSON-encoded array of commands or initialize a named mutex, which lets operators tailor each deployment to its purpose.
The integrated keylogger captures keystrokes directly, so credentials and messages that never reach browser or file storage are still harvested. For transport, Salat Stealer uses WebSocket and HTTP/3 (QUIC), which look like ordinary modern web traffic; port- or protocol-based filtering alone will not separate them from benign sessions, and QUIC in particular rides over UDP/443 rather than TCP.
Advanced Communication Techniques
The malware uses the quic-go and gorilla/websocket libraries for communication and falls back to HTTP/2 when the QUIC or WebSocket channels are blocked, so denying outbound UDP/443 alone only changes the transport. The C2 URLs are stored encrypted in the binary and are recovered through a chain of hex decoding, custom transforms, and finally AES-GCM decryption, yielding five embedded endpoints under a /sa1at/ path across several domains and ports.
When those connections fail, Salat Stealer queries The Open Network (TON) blockchain over DNS-over-HTTPS, verifies the smart contract using RSA public keys embedded in the binary, and decodes a fresh C2 configuration from it. Because only the holder of the matching private key can publish a configuration the malware will accept, sinkholing the current domains does not strand the botnet, and a takedown has to address the blockchain-side update channel as well.
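To make that takedown problem concrete, here is an added Go example (mine, not the sample's code) of how a resolver checks a signed fallback configuration before using it. The payload format, the use of SHA-256 with PKCS#1 v1.5, the serial-number replay check, and all names are assumptions; the key pair and the configuration are constructed at run time, and the RSA private key stands in for the operator's side, which a real binary never carries.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
)

// C2Config is what a recovered configuration might carry; the field names
// are an assumption for this example.
type C2Config struct {
	Serial    uint64   `json:"serial"`
	Endpoints []string `json:"endpoints"`
}

// ParseEmbeddedKey loads a PKIX PEM public key of the kind a binary would embed.
func ParseEmbeddedKey(pemText string) (*rsa.PublicKey, error) {
	blk, _ := pem.Decode([]byte(pemText))
	if blk == nil {
		return nil, errors.New("no PEM block found")
	}
	k, err := x509.ParsePKIXPublicKey(blk.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("embedded key is not RSA")
	}
	return pub, nil
}

// DecodeSignedConfig verifies the payload before parsing it. SHA-256 with
// PKCS#1 v1.5 and the serial check are assumptions about the real scheme.
func DecodeSignedConfig(pub *rsa.PublicKey, payload, sig []byte, minSerial uint64) (*C2Config, error) {
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	var cfg C2Config
	if err := json.Unmarshal(payload, &cfg); err != nil {
		return nil, err
	}
	if cfg.Serial < minSerial {
		return nil, errors.New("stale config: replay of an older update")
	}
	if len(cfg.Endpoints) == 0 {
		return nil, errors.New("config carries no endpoints")
	}
	return &cfg, nil
}

// SignConfig plays the operator's side so the demo is self-contained.
func SignConfig(priv *rsa.PrivateKey, cfg C2Config) (payload, sig []byte, err error) {
	payload, err = json.Marshal(cfg)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return payload, sig, err
}

// PublicKeyPEM renders a key the way it would be embedded in a binary.
func PublicKeyPEM(pub *rsa.PublicKey) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})), nil
}

// GenerateDemoKey stands in for the operator's key pair (constructed).
func GenerateDemoKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

func main() {
	priv := GenerateDemoKey()
	pemText, _ := PublicKeyPEM(&priv.PublicKey)
	pub, _ := ParseEmbeddedKey(pemText)
	// Constructed update, standing in for data read from the contract.
	payload, sig, _ := SignConfig(priv, C2Config{Serial: 7, Endpoints: []string{"https://c2.example.invalid:8443/sa1at/"}})
	fmt.Println(DecodeSignedConfig(pub, payload, sig, 1))
	// Rewriting the contract data without the private key is rejected.
	forged := []byte(`{"serial":8,"endpoints":["https://sinkhole.example.invalid/sa1at/"]}`)
	_, err := DecodeSignedConfig(pub, forged, sig, 1)
	fmt.Println(err)
}
```

The forged case is the point for responders: even with write access to the dead-drop, a configuration that points the bots at a sinkhole is discarded unless it was signed with the operator's private key, so disruption has to remove or block the lookup path rather than poison it.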
Data Exfiltration and Persistence Mechanisms
Once a C2 connection is established, Salat Stealer collects system information through Windows Management Instrumentation (WMI) and assembles it into a JSON object: GPU and CPU names, OS details, RAM size, active window titles, and whether the process is running as administrator. This registration beacon, encrypted with RSA or AES, is sent to the C2 and gives operators the telemetry to prioritize targets.
Salat Stealer then gathers screenshots, process lists, Discord and Steam tokens, and browser data including secrets decrypted via DPAPI, and compresses the collection into ZIP archives before exfiltration.
To persist, Salat Stealer copies itself to hidden locations on the system, creates scheduled tasks that run it at logon and at regular intervals, and adds Run-key entries under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. The Run-key and logon-task entries do not require administrator rights, so persistence does not depend on the elevation step succeeding.
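The masquerading and persistence traits above translate into straightforward hunt logic. The following Go example is added here and is not part of the original write-up: it runs over a constructed process inventory and a constructed Run-key export, flags system process names running from directories where the genuine binaries never live, and matches the /sa1at/ path the embedded endpoints share. The legitimate directories it allows are the standard locations on 64-bit Windows; the function names and sample rows are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Process is a constructed stand-in for one row of an EDR process inventory.
type Process struct {
	Name string
	Path string
}

// legitimateDirs lists where each impersonated binary genuinely lives on a
// 64-bit install: explorer.exe in C:\Windows (plus a 32-bit copy in SysWOW64),
// svchost.exe in System32 and SysWOW64, lsass.exe only in System32.
var legitimateDirs = map[string][]string{
	"explorer.exe": {`c:\windows`, `c:\windows\syswow64`},
	"svchost.exe":  {`c:\windows\system32`, `c:\windows\syswow64`},
	"lsass.exe":    {`c:\windows\system32`},
}

// splitImagePath separates directory and file name without relying on the
// host OS path rules, so Windows paths parse correctly on a Linux analysis box.
func splitImagePath(p string) (dir, base string) {
	p = strings.TrimSpace(p)
	i := strings.LastIndexAny(p, `\/`)
	if i < 0 {
		return "", strings.ToLower(p)
	}
	return strings.ToLower(p[:i]), strings.ToLower(p[i+1:])
}

// IsMasquerade reports whether an image borrows a system process name while
// living somewhere that process never runs from.
func IsMasquerade(imagePath string) bool {
	dir, base := splitImagePath(imagePath)
	dirs, watched := legitimateDirs[base]
	if !watched {
		return false
	}
	for _, ok := range dirs {
		if dir == ok {
			return false
		}
	}
	return true
}

// FlagMasquerades filters a process inventory down to the suspicious rows.
func FlagMasquerades(procs []Process) []Process {
	var hits []Process
	for _, p := range procs {
		if IsMasquerade(p.Path) {
			hits = append(hits, p)
		}
	}
	return hits
}

// imageFromCommand extracts the executable from a Run-key command line,
// honouring a quoted path and dropping arguments such as the -k switch.
func imageFromCommand(cmd string) string {
	cmd = strings.TrimSpace(cmd)
	if strings.HasPrefix(cmd, `"`) {
		if end := strings.Index(cmd[1:], `"`); end >= 0 {
			return cmd[1 : end+1]
		}
		return strings.Trim(cmd, `"`)
	}
	if sp := strings.IndexByte(cmd, ' '); sp >= 0 {
		return cmd[:sp]
	}
	return cmd
}

// FlagRunKeys returns the value names whose command launches a masquerading
// image. Input is a name->command map as exported from the HKCU Run key.
func FlagRunKeys(values map[string]string) []string {
	var hits []string
	for name, cmd := range values {
		if IsMasquerade(imageFromCommand(cmd)) {
			hits = append(hits, name)
		}
	}
	return hits
}

// IsSalatC2URL matches the /sa1at/ path segment the embedded endpoints share.
func IsSalatC2URL(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	return strings.Contains(strings.ToLower(u.Path), "/sa1at/")
}

func main() {
	// Constructed inventory: two legitimate rows, one masquerade, one unrelated.
	procs := []Process{
		{"explorer.exe", `C:\Windows\explorer.exe`},
		{"svchost.exe", `C:\Windows\SysWOW64\svchost.exe`},
		{"lsass.exe", `C:\Users\alice\AppData\Roaming\lsass.exe`},
		{"notepad.exe", `C:\Windows\System32\notepad.exe`},
	}
	fmt.Println(FlagMasquerades(procs))
	fmt.Println(FlagRunKeys(map[string]string{
		"OneDrive":       `"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background`,
		"Windows Update": `"C:\ProgramData\svchost.exe" -k`,
	}))
	fmt.Println(IsSalatC2URL("https://cdn.example.invalid:8443/sa1at/ws"))
}
```

Comparison is case-insensitive because Windows paths are, and the allow-list is deliberately narrow: a genuine svchost.exe from SysWOW64 passes, while an lsass.exe anywhere other than System32 is flagged even if the directory is a Windows subfolder.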
Conclusion: A Call for Vigilance
With its QUIC and WebSocket C2, blockchain-backed fallback, and broad credential theft capabilities, Salat Stealer is a serious challenge to defenders. Recommended controls are behavioural endpoint detection and response (EDR) rules, review of newly created scheduled tasks and Run-key entries, checks for system process names running from non-system paths, and scrutiny of unusual DNS-over-HTTPS activity that resolves TON-related names. As the threat landscape continues to evolve, keeping ahead of malware like Salat Stealer remains essential to protecting organizational assets.
