EXECUTIVE SUMMARY:
Salat Stealer is a Go-based information-stealing malware designed to operate as a remote access trojan with advanced data exfiltration capabilities. It is primarily used to harvest sensitive information from compromised Windows systems, including browser credentials, cryptocurrency wallet data, messaging session tokens, and system-related information. The malware is engineered to provide attackers with persistent access while maintaining stealth through obfuscation and multi-stage execution techniques.
The malware employs multiple advanced persistence and evasion techniques to maintain access and avoid detection. It leverages registry run keys and scheduled tasks to ensure automatic execution upon system startup or user login, while also disguising its processes to mimic legitimate applications. Salat Stealer uses UPX packing and other obfuscation methods to hinder static analysis and antivirus detection. For data theft, it extracts credentials from browser databases, cryptocurrency wallet files, and session storage, including widely used platforms and browser extensions. Communication with its command-and-control infrastructure is achieved through encrypted HTTPS channels and lightweight UDP beacons, supported by domain failover mechanisms that ensure operational continuity even if primary servers are disrupted. This resilient architecture allows attackers to maintain control and continuously exfiltrate stolen data.
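Because the beacons described above are small and periodic rather than high-volume, a per-destination timing check catches them where byte-count thresholds do not. The following is an added example, not code from the original report or from the Salat operators: it groups flow records by destination and flags those whose inter-arrival times are nearly constant. The flow records, the TEST-NET addresses, and the thresholds (`min_flows`, `max_cv`) are constructed assumptions for illustration.

```python
"""Interval-regularity check for low-volume UDP/HTTPS beacons.

Flow records are constructed for this example (timestamp in seconds,
destination IP, destination port, transport); they are not a real capture.
"""
import statistics
from collections import defaultdict


def beacon_candidates(flows, min_flows=6, max_cv=0.15):
    """Return destinations whose inter-flow gaps are nearly constant.

    flows: iterable of (ts_seconds, dst_ip, dst_port, proto).
    A destination is reported when it has at least `min_flows` flows and the
    coefficient of variation (stdev / mean) of the gaps is at most `max_cv`.
    Jittered beacons (a few seconds around a fixed period) still pass; normal
    browsing produces bursty, irregular gaps and does not.
    """
    by_dst = defaultdict(list)
    for ts, dst_ip, dst_port, proto in flows:
        by_dst[(dst_ip, dst_port, proto)].append(ts)

    hits = []
    for dst, times in by_dst.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing periodic to measure
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"dst": dst, "period_s": round(mean, 1),
                         "cv": round(cv, 3), "count": len(times)})
    return hits


# Constructed sample: a UDP beacon every ~60 s with a few seconds of jitter
# (203.0.113.10 is a documentation address, assumed here as the C2), plus
# irregular HTTPS browsing and a short DNS burst that must not be flagged.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", 443, "udp"), (61, "203.0.113.10", 443, "udp"),
    (119, "203.0.113.10", 443, "udp"), (181, "203.0.113.10", 443, "udp"),
    (240, "203.0.113.10", 443, "udp"), (302, "203.0.113.10", 443, "udp"),
    (359, "203.0.113.10", 443, "udp"), (420, "203.0.113.10", 443, "udp"),
    (5, "198.51.100.20", 443, "tcp"), (9, "198.51.100.20", 443, "tcp"),
    (70, "198.51.100.20", 443, "tcp"), (73, "198.51.100.20", 443, "tcp"),
    (74, "198.51.100.20", 443, "tcp"), (210, "198.51.100.20", 443, "tcp"),
    (500, "198.51.100.20", 443, "tcp"),
    (12, "192.0.2.53", 53, "udp"), (13, "192.0.2.53", 53, "udp"),
    (14, "192.0.2.53", 53, "udp"),
]

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_FLOWS):
        print(hit)
```

The check is transport-agnostic, so it applies equally to the HTTPS channel and the UDP beacons; when a domain failover occurs, the same destination-port and period pattern typically reappears against the new address, so the result set is worth diffing over time rather than alerting on once.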
Salat Stealer represents an evolving threat combining strong obfuscation and extensive data theft capabilities. Its Malware-as-a-Service (MaaS) distribution model significantly lowers the barrier for cybercriminal adoption, increasing its operational reach. Because the C2 design includes domain failover, blocking a single domain or address rarely ends an infection; host-side indicators are more durable. Organizations and users are advised to strengthen endpoint security controls, monitor abnormal registry Run key and scheduled task modifications (in particular entries that launch executables from user-writable paths or that reuse the name of a Windows system binary), and enforce strict browser and credential protection measures to mitigate exposure to such infostealer campaigns.
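The monitoring recommendation above can be turned into a concrete triage rule for the three host artefacts the report describes: Run key writes, scheduled task creation, and processes that borrow the name of a legitimate Windows binary. The following is an added example, not code from the original report or from the malware: it runs over constructed, simplified Sysmon/Security-log style records (field names and sample paths are assumptions for illustration) and flags autostart entries that point into user-writable directories and system-binary names running from outside `C:\Windows`.

```python
"""Triage of constructed Windows telemetry for infostealer persistence and
process masquerading. Records are hand-made, simplified event dicts, not real
Sysmon or Security-log output; the paths and task names are illustrative.
"""
import re

# Registry autostart locations worth alerting on (HKCU and HKLM Run/RunOnce).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE)

# User-writable directories that a legitimate autostart entry rarely points into.
USER_WRITABLE_RE = re.compile(
    r"(\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\|\\Downloads\\)",
    re.IGNORECASE)

# Windows binary names an implant may borrow; genuine copies live under C:\Windows\.
SYSTEM_BINARIES = {"svchost.exe", "explorer.exe", "runtimebroker.exe",
                   "conhost.exe", "dllhost.exe"}


def extract_exe(command):
    """Pull the executable path out of a Run value or task command line,
    dropping surrounding quotes and trailing arguments."""
    m = re.match(r'\s*"?([^"]+?\.exe)"?', command, re.IGNORECASE)
    return m.group(1) if m else command.strip()


def triage(events):
    """Return (rule, subject, executable) tuples for suspicious records."""
    findings = []
    for ev in events:
        kind = ev["kind"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["target"]):
            exe = extract_exe(ev["details"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(("run_key_user_writable", ev["target"], exe))
        elif kind == "task_created":
            exe = extract_exe(ev["command"])
            if USER_WRITABLE_RE.search(exe):
                findings.append(("task_user_writable", ev["task"], exe))
        elif kind == "process_create":
            name = ev["image"].rsplit("\\", 1)[-1].lower()
            if name in SYSTEM_BINARIES and not re.match(
                    r"c:\\windows\\", ev["image"], re.IGNORECASE):
                findings.append(("masquerade", ev["image"], name))
    return findings


# Constructed sample events: two malicious persistence entries and one
# masqueraded process, mixed with benign records that must not fire.
SAMPLE_EVENTS = [
    {"kind": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"kind": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"%windir%\system32\SecurityHealthSystray.exe"},
    {"kind": "registry_set",
     "target": r"HKCU\Software\Mozilla\Firefox\Launcher\Telemetry",
     "details": "1"},
    {"kind": "task_created", "task": r"\Microsoft\Windows\UpdateCheck",
     "command": r'"C:\ProgramData\update\svchost.exe" -q'},
    {"kind": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"kind": "process_create",
     "image": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The path-based rules deliberately do not depend on a hash or file name, since UPX-packed samples and per-build names change between MaaS customers; what stays constant is that the autostart target and the disguised process both live somewhere an unprivileged user could write.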
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1204.002 | User Execution | Malicious File |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Privilege Escalation | T1548.002 | Abuse Elevation Control Mechanism | Bypass User Account Control |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Discovery | T1082 | System Information Discovery | - |
| Discovery | T1083 | File and Directory Discovery | - |
| Collection | T1005 | Data from Local System | - |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1095 | Non-Application Layer Protocol | - |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | - |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Anti-Static Analysis | B0032 | Executable Code Obfuscation |
| Anti-Static Analysis | E1027 | Obfuscated Files or Information |
| Collection | E1113 | Screen Capture |
| Collection | E1560 | Archive Collected Data |
| Command and Control | B0030 | C2 Communication |
| Command and Control | E1105 | Ingress Tool Transfer |
| Credential Access | F0002 | Keylogging |
| Credential Access | E1056 | Input Capture |
| Defense Evasion | B0025 | Conditional Execution |
| Defense Evasion | B0027 | Alternative Installation Location |
| Defense Evasion | B0029 | Polymorphic Code |
| Defense Evasion | E1564 | Hide Artifacts |
| Discovery | E1082 | System Information Discovery |
| Discovery | E1010 | Application Window Discovery |
| Execution | E1059 | Command and Scripting Interpreter |
| Exfiltration | E1020 | Automated Exfiltration |
| Impact | B0022 | Remote Access |
| Impact | B0018 | Resource Hijacking |
| Lateral Movement | E1195 | Supply Chain Compromise |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Persistence | F0011 | Modify Existing Service |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/new-salat-malware-uses-quic-and-websocket/