Salat Stealer Extracts Browser Credentials Through Advanced Command and Control Systems


VTA-004537 – Salat Stealer Extracts Browser Credentials Through Advanced Command and Control Systems

A recent investigation by CYFIRMA has exposed Salat Stealer, also known as WEB_RAT, a stealthy malware designed to steal sensitive data from Windows systems. Written in the Go programming language, Salat Stealer targets browser passwords, cryptocurrency wallets, and session data from apps like Telegram.

What makes this malware particularly dangerous is its ability to persist on infected devices. It hides by posing as trusted applications, adds itself to system startup, creates scheduled tasks, and even tampers with Windows Defender settings. To avoid detection, it uses techniques like code packing with UPX and encrypted communication channels.
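The paragraph above names UPX packing as one of the evasion techniques, and the countermeasures later on this page ask for tooling that can recognise compressed executables. The following script is an added example written for this page, not code from CYFIRMA or from the Salat Stealer analysis: it parses a PE file's section table and reports the fingerprints a stock UPX build leaves behind (sections named UPX0/UPX1, the `UPX!` pack-header magic, and a section that is empty on disk but large in memory sitting next to a high-entropy one). The `build_pe` helper, the two sample binaries and the 7.0 bits-per-byte entropy threshold are constructed for the demonstration; a renamed or modified packer can strip the names and the magic, which is why the entropy check is kept as a separate signal.

```python
import math
import random
import struct
from typing import Dict, List, Tuple

COFF_HEADER_SIZE = 20      # IMAGE_FILE_HEADER
SECTION_HEADER_SIZE = 40   # IMAGE_SECTION_HEADER


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> List[Dict]:
    """Walk DOS header -> PE signature -> COFF header -> section table and return one dict
    per section (name, sizes, entropy of its on-disk bytes). Raises ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + COFF_HEADER_SIZE + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise ValueError("section table runs past end of file")
        raw_name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        body = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": raw_name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(body), 3),
        })
    return sections


def scan_pe(data: bytes, entropy_threshold: float = 7.0) -> Dict:
    """Report UPX-named sections, the 'UPX!' magic, and high-entropy sections; 'packed' means a
    direct UPX fingerprint, 'suspicious' also covers the structural hint without the names."""
    sections = parse_sections(data)
    upx_named = [s["name"] for s in sections if s["name"].upper().startswith("UPX")]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] >= 256 and s["entropy"] >= entropy_threshold]
    # Zero raw size with a large virtual size is normal for .bss, so it only counts
    # together with a high-entropy neighbour (the compressed payload that unpacks into it).
    empty_on_disk = [s["name"] for s in sections if s["raw_size"] == 0 and s["virtual_size"] > 0]
    marker = b"UPX!" in data
    return {
        "sections": sections,
        "upx_sections": upx_named,
        "upx_marker": marker,
        "high_entropy_sections": high_entropy,
        "packed": bool(upx_named or marker),
        "suspicious": bool(upx_named or marker or (empty_on_disk and high_entropy)),
    }


def build_pe(sections: List[Tuple[bytes, int, bytes]], trailer: bytes = b"") -> bytes:
    """Constructed test fixture: a minimal header-only PE (no optional header, not loadable)
    with the given (name, virtual_size, raw_bytes) sections. Enough for header parsers."""
    first_body = 0x40 + 4 + COFF_HEADER_SIZE + SECTION_HEADER_SIZE * len(sections)
    table, bodies, ptr = b"", b"", first_body
    for name, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(raw), ptr if raw else 0, 0, 0, 0, 0, 0)
        bodies += raw
        ptr += len(raw)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    return dos + b"PE\0\0" + coff + table + bodies + trailer


# Constructed samples: a layout imitating UPX output, and a plain unpacked one.
_rng = random.Random(1)
COMPRESSED_LOOKING = bytes(_rng.getrandbits(8) for _ in range(4096))
PACKED_SAMPLE = build_pe([(b"UPX0", 0x20000, b""), (b"UPX1", 0x8000, COMPRESSED_LOOKING),
                          (b".rsrc", 0x1000, b"\0" * 512)], trailer=b"UPX!")
CLEAN_SAMPLE = build_pe([(b".text", 0x1000, b"\x90" * 4096), (b".data", 0x400, b"A" * 1024),
                         (b".bss", 0x4000, b"")])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        r = scan_pe(blob)
        print(label, "packed=%s suspicious=%s" % (r["packed"], r["suspicious"]),
              [(s["name"], s["entropy"]) for s in r["sections"]])
```

Run it on a real file with `scan_pe(open(path, "rb").read())`. A hit on `packed` is a triage signal, not a verdict: legitimate software is sometimes shipped UPX-packed, so the result is best used to prioritise an unpacked-sample review or a sandbox run rather than to block on its own.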

Salat Stealer is distributed as a Malware-as-a-Service (MaaS) by Russian-speaking operators. This means cybercriminals—regardless of skill level—can rent access to the malware, complete with a control panel and resilient infrastructure, lowering the barrier to entry for attacks.

For individuals and businesses, the risk is high: stolen credentials can lead to financial theft, unauthorized access, and privacy breaches. Experts recommend updating endpoint protection, monitoring startup and network activity, enabling multi-factor authentication (MFA), and educating users about phishing and fake software downloads.

Severity:
Medium

Attack Surface:
Endpoint, File Storage, File Transfer, Online Fraud, Web Browser

Tactics:
Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence

Techniques:
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1053.005 – Scheduled Task/Job: Scheduled Task
T1543.003 – Create or Modify System Process: Windows Service
T1027.002 – Obfuscated Files or Information: Software Packing
T1564.003 – Hide Artifacts: Hidden Window
T1562.001 – Impair Defenses: Disable or Modify Tools
T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
T1555.005 – Credentials from Password Stores: Password Managers
T1003 – OS Credential Dumping
T1057 – Process Discovery
T1012 – Query Registry
T1016 – System Network Configuration Discovery
T1129 – Shared Modules
T1202 – Indirect Command Execution
T1185 – Browser Session Hijacking
T1486 – Data Encrypted for Impact

Indicator of Compromise:
1. https://otx.alienvault.com/pulse/68c052f2d69285c2f3afeace

References:
1. https://www.cyfirma.com/research/unmasked-salat-stealer-a-deep-dive-into-its-advanced-persistence-mechanisms-and-c2-infrastructure/

SuperPRO’s Threat Countermeasures Procedures:
1. Use Advanced Endpoint Protection: Install and maintain robust antivirus or endpoint detection and response (EDR) software that can detect compressed executables (like those using UPX) and monitor suspicious activities, such as unauthorized changes to system settings or processes.
2. Enable Real-Time Behavioral Monitoring: Ensure security tools actively monitor system behavior to catch unusual activities, such as new processes pretending to be legitimate software or unexpected file creations.
3. Strengthen Network Security: Set up network monitoring to detect and block connections to suspicious or known malicious websites and IP addresses, such as those used by Salat Stealer’s command-and-control servers. Use intrusion detection and prevention systems (IDS/IPS) with updated rules to identify activities related to credential theft or cryptocurrency wallet targeting.
4. Harden System Configurations: Limit permissions for creating or modifying scheduled tasks and registry entries to prevent malware from setting itself to run automatically. Regularly check Windows Defender settings to ensure no unauthorized folders have been excluded from scans.
5. Promote User Awareness and Safe Practices: Educate users to avoid downloading software from untrusted sources, such as links in YouTube video descriptions or file-sharing sites offering game cheats or cracked software. Train individuals to recognize phishing emails and social engineering tactics that may deliver malware. Encourage cryptocurrency users to store assets in hardware wallets instead of browser-based extensions to reduce the risk of theft.
6. Develop an Incident Response Plan: Create a clear plan for responding to malware infections, including steps to contain, remove, and recover from threats like Salat Stealer. Maintain regular backups of important data and system settings to enable quick restoration if a system is compromised.
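Item 4 above asks for regular checks of autorun entries, scheduled tasks and Windows Defender exclusions. The script below is an added example written for this page, not code from CYFIRMA or from the Salat Stealer report: it applies a few simple triage rules to records of that kind, flagging autoruns or task actions that launch from user-writable directories, binaries that carry a trusted system name but run from the wrong place (the masquerading the summary describes), and Defender exclusions covering a user-writable directory or a whole drive. The `SAMPLE` records are constructed; on a live host they would be collected from the `HKCU`/`HKLM` `...\CurrentVersion\Run` keys, `Get-ScheduledTask`, and the `ExclusionPath` field of `Get-MpPreference`. The `USER_WRITABLE` pattern and the `EXPECTED_HOME` table are illustrative assumptions, not an exhaustive list.

```python
import ntpath
import re
from typing import Dict, List

# Directories a non-admin process can usually write to. An autorun entry, task action or
# Defender exclusion pointing here is not proof of compromise, but it is where a user-level
# dropper lands, so it earns a second look. (Illustrative assumption, not exhaustive.)
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|"
    r"windows\\temp|temp|users\\public)(\\|$)", re.I)

# Commonly impersonated binaries and the directory the genuine copy lives in (assumption).
EXPECTED_HOME = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "runtimebroker.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

EXE_RE = re.compile(r'"?([a-z]:\\[^"]*?\.exe)"?', re.I)


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run-key value or task action, quoted or not."""
    m = EXE_RE.search(command)
    return m.group(1) if m else command.strip().strip('"')


def check_path(path: str) -> List[str]:
    """Reasons an executable path looks like a persistence foothold; empty list if none."""
    reasons = []
    norm = path.strip().strip('"')
    if USER_WRITABLE.match(norm):
        reasons.append("located in a user-writable directory")
    base = ntpath.basename(norm).lower()
    home = EXPECTED_HOME.get(base)
    actual = ntpath.dirname(norm)
    if home and actual.lower().rstrip("\\") != home:
        reasons.append(f"{base} normally runs from {home}, not {actual}")
    return reasons


def check_exclusion(path: str) -> List[str]:
    """Reasons a Defender exclusion path weakens scanning; empty list if it looks routine."""
    norm = path.strip().strip('"').rstrip("\\")
    reasons = []
    if re.fullmatch(r"[a-z]:", norm, re.I):
        reasons.append("excludes an entire drive from scanning")
    elif USER_WRITABLE.match(norm + "\\"):
        reasons.append("excludes a user-writable directory from scanning")
    return reasons


def audit(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the rules over collected records and return only those with findings."""
    findings = []
    for rec in records:
        if rec["source"] == "DefenderExclusion":
            reasons = check_exclusion(rec["value"])
        else:  # RunKey or ScheduledTask: inspect the launched executable
            reasons = check_path(extract_exe(rec["value"]))
        if reasons:
            findings.append({"source": rec["source"], "name": rec.get("name", ""),
                             "value": rec["value"], "reasons": reasons})
    return findings


# Constructed sample records in the shape a collector script would hand over.
SAMPLE = [
    {"source": "RunKey", "name": "OneDrive",
     "value": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"source": "RunKey", "name": "Updater",
     "value": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"source": "ScheduledTask", "name": "NightlyBackup",
     "value": r'"C:\Program Files\BackupTool\backup.exe" --nightly'},
    {"source": "ScheduledTask", "name": "SystemHealthCheck",
     "value": r"C:\ProgramData\explorer.exe"},
    {"source": "DefenderExclusion", "value": r"C:\Users\alice\AppData\Roaming"},
    {"source": "DefenderExclusion", "value": r"C:\Program Files\Docker"},
    {"source": "DefenderExclusion", "value": "D:\\"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"[{f['source']}] {f['name'] or f['value']}: " + "; ".join(f["reasons"]))
```

Findings are ranked by how many rules fire: an entry that is both in a user-writable directory and named after a system binary (the `Updater` record above) is the one to pull first, while a lone exclusion of a vendor directory under `Program Files` is usually an administrator's deliberate choice and only needs confirming against change records.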

Contributed by: Hadi