Salat Stealer (aka WEB_RAT) is a Go-based infostealer that targets Windows. It exfiltrates browser credentials, cryptocurrency wallet data, Telegram and Steam sessions, and system information, and relies on UPX packing, process masquerading, registry Run keys, scheduled tasks, and Windows Defender exclusion tampering for persistence and evasion. The malware is sold through a Russian-speaking Malware-as-a-Service ecosystem (WebRat/Web_RAT) with resilient C2 infrastructure at domains such as salat.cn and operator contact via Telegram. #SalatStealer #WebRat #salat.cn
Keypoints
- Salat Stealer is a Go-language Windows infostealer that harvests browser credentials, cryptocurrency wallet data (including extension-based wallets like MetaMask), Telegram and Steam sessions, and system telemetry.
- The sample analyzed (qtaq52ku.exe, MD5 276ff69704019d7b8491059ea9445a81) is UPX-packed (UPX 4.1.0 according to the packer signature) and shows high entropy, consistent with compression used to hinder static detection; the packed layer is removed with a standard UPX unpack before analysis.
- Persistence is achieved via multiple Registry Run keys, scheduled tasks with repeated triggers, and process masquerading by dropping executables named Lightshot.exe, Procmon.exe, and RuntimeBroker.exe in trusted directories.
- Defense-evasion techniques include UPX packing, creating hidden windows, modifying Windows Defender exclusions via PowerShell scripts, disabling UAC, and disabling WinRE to hinder recovery.
- Command-and-control uses UDP keep-alive packets and encrypted HTTPS to salat.cn (/sa1at) with multiple fallback domains (webrat.in, webr.at, posholnahuy.ru, etc.) and a web control panel (WebRat) featuring WebSocket real-time control and cookie transfer for persistent panel access.
- The operation is commercialized as a MaaS offering (WebRat/Web_RAT) managed by Russian-speaking actors (NyashTeam, Kapchenka) with subscription pricing, reseller lists, Telegram-based support, and victim-sharing capabilities in the panel.
- Mitigations recommended include advanced EDR with behavioral monitoring, outbound traffic filtering, YARA rules/IDS signatures, restricting task/registry modification permissions, Defender audits, and user training on social-engineering vectors.
MITRE Techniques
- [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – Creates multiple Run key entries named Lightshot, Procmon, and RuntimeBroker pointing to dropped executables to auto-launch on startup. Quote: ‘Creates registry Run key entries for auto-execution.’
- [T1053.005 ] Scheduled Task/Job: Scheduled Task – Creates scheduled tasks (Lightshot, Procmon, RuntimeBroker) with triggers at logon and one-time execution repeating every 3 minutes for 30 days to ensure repeated execution. Quote: ‘It creates scheduled tasks… At logon – Executes the malicious payload every time a user logs in, with a repeat interval of every 3 minutes for a duration of 30 days.’
- [T1543.003 ] Create or Modify System Process: Windows Service – Listed in the report's mapping, but the behaviour it cites is process masquerading (dropping executables named after legitimate programs into trusted directories), which ATT&CK classifies as T1036.005 Masquerading: Match Legitimate Name or Location; the analysis does not describe the installation of a Windows service. Quote: ‘The malware disguises itself as legitimate processes in trusted directories to evade detection and blend with legitimate applications.’
- [T1027.002 ] Obfuscated Files or Information: Software Packing – Uses UPX v4.1.0 packing to compress and obfuscate the binary, indicated by high entropy and UPX signature. Quote: ‘Packed with UPX to evade static detection.’
- [T1564.003 ] Hide Artifacts: Hidden Window – Creates hidden windows to conceal activity during execution. Quote: ‘Creates hidden windows to conceal activity.’
- [T1555.003 ] Credentials from Password Stores: Credentials from Web Browsers – Accesses Chromium-family browser profile databases (Chrome, Edge, Opera, Brave, Thorium, etc.) to extract stored credentials and autofill data. Note that in a Chromium profile the ‘Web Data’ SQLite file holds autofill and payment-card data, while saved logins live in the sibling ‘Login Data’ file; for Chrome both sit under %LocalAppData%\Google\Chrome\User Data\Default\. Quote: ‘targets Google Chrome’s stored credentials by accessing the browser’s SQLite database located at: %AppData%\Local\Google\Chrome\User Data\Default\Web Data.’
- [T1555.005 ] Credentials from Password Stores: Password Managers – Mapped by the report to the theft of wallet application data and extension-based wallets (e.g., MetaMask, Trust Wallet, Coinbase Wallet). The sub-technique as defined by ATT&CK covers password-manager tools such as KeePass; wallet databases, private keys and seed phrases read from disk are more precisely T1005 Data from Local System. Quote: ‘The stealer targets wallet databases, private keys, and configuration files… MetaMask Trust Wallet Coinbase Wallet Extension.’
- [T1003 ] OS Credential Dumping – Included in the report's mapping on the strength of the binary's import table only; no LSASS, SAM or DPAPI access is described in the analysis, so treat this mapping as unconfirmed. Quote: ‘The executable imports a broad set of Windows API functions… indicating potential capabilities for system enumeration, persistence, anti-analysis, and code execution control.’
- [T1057 ] Process Discovery – Uses process enumeration and masquerading to identify and mimic legitimate processes. Quote: ‘Process Masquerading… initiates multiple processes and attempts to evade detection by disguising itself as a legitimate application.’
- [T1012 ] Query Registry – Reads and queries registry keys to locate Telegram and Steam installations and to create persistence and disable features. Quote: ‘accesses Telegram’s tdata folder and queries registry keys related to Telegram to locate the installation and extract session information.’
- [T1016 ] System Network Configuration Discovery – Mapped by the report to the UDP keep-alive traffic, but the quoted behaviour is command-and-control, not discovery: UDP packets to a fixed address fit T1095 Non-Application Layer Protocol, and the analysis describes no interface, route or proxy enumeration. Quote: ‘The Salat Stealer communicates with its command and control (C2) server using the UDP protocol… sends small packets… to 104.21.80.1.’
- [T1129 ] Shared Modules – Retrieves additional binaries (7z.dll, 7z.exe, MSTSCLib.dll, etc.) from GitHub through a PowerShell downloader to stage further functionality. The download step itself is T1105 Ingress Tool Transfer; T1129 applies only to the subsequent loading of those DLLs through the Windows module loader, which the quote does not describe. Quote: ‘Important Files Loader… retrieving multiple external binaries from GitHub… 7z.dll, 7z.exe…’
- [T1202 ] Indirect Command Execution – Executes operator-supplied PowerShell scripts and built-in ones (Defender Excluder, UAC Disabler, Disable Reset) pushed from the control panel. Because the scripts run through the PowerShell interpreter rather than through a proxy binary such as forfiles or pcalua, the closer mapping is T1059.001 Command and Scripting Interpreter: PowerShell. Quote: ‘The command-and-control panel provides functionality to remotely execute custom PowerShell scripts on compromised systems.’
- [T1562.001 ] Impair Defenses: Disable or Modify Tools – Uses panel-pushed PowerShell scripts to add Defender exclusions (Add-MpPreference), disable UAC (EnableLUA set to 0) and disable WinRE (reagentc /disable), impairing both detection and recovery. All three require local administrator rights, and each leaves a trail: Defender records configuration changes as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, and the EnableLUA write is visible through registry auditing or Sysmon Event ID 13. Quote: ‘The PowerShell script uses the Add-MpPreference cmdlet… Disable Reset… reagentc /disable… UAC Disabler… set EnableLUA value to 0.’
- [T1185 ] Browser Session Hijacking – Harvests browser session data and cookies and targets Telegram/Steam session files to hijack active sessions. Quote: ‘Browser Session Hijacking’ and ‘The stealer targets Telegram and Steam sessions to steal user data.’
- [T1486 ] Data Encrypted for Impact – Appears only in the article's ATT&CK matrix; no encryption or ransom behaviour is described anywhere in the analysis, so the entry should be treated as unverified. Quote: ‘Data Encrypted for Impact’ (listed under Impact in the provided MITRE mapping).
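The persistence and defense-impairment behaviours in the keypoints and ATT&CK entries above (Run values and tasks named Lightshot, Procmon and RuntimeBroker, a task trigger repeating every 3 minutes, Add-MpPreference exclusions, EnableLUA set to 0, reagentc /disable) translate directly into hunt rules. The following Python is an added example written for this page, not code from the report or from the malware: it runs those rules over Sysmon-style events (Event ID 1 process creation, Event ID 13 registry value set). The event layout, the sample events and the assumption that the tasks were created through schtasks.exe are constructed here; the report describes the resulting triggers, not the creation method.

```python
"""Hunt rules for the Salat Stealer persistence / defense-impairment artifacts
described on this page, run over Sysmon-style events.

Added example for this page, not code from the report or from the malware.
Event layout (EventID 1 = process create, EventID 13 = registry value set,
field names as Sysmon emits them) and the sample events are constructed.
"""
import ntpath
import re

# Names the report gives for the dropped executables, Run values and tasks.
MASQUERADE_NAMES = {"lightshot", "procmon", "runtimebroker"}
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
UAC_KEY_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.I)
# Assumption: tasks were created with schtasks.exe; the report only describes the
# resulting trigger (repeat every 3 minutes for 30 days), not how it was created.
RI_RE = re.compile(r"/ri\s+(\d+)", re.I)
TN_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)


def _base(path):
    """Lower-cased file name of a (possibly quoted) Windows path."""
    return ntpath.basename(path.strip('"')).lower()


def check_event(ev):
    """Return (rule, severity) for the first rule the event matches, else None."""
    if ev["EventID"] == 13:  # registry value set
        target, details = ev["TargetObject"], str(ev.get("Details", ""))
        if RUN_KEY_RE.search(target):
            value_name = target.rsplit("\\", 1)[-1].lower()
            exe = _base(details)
            # The genuine RuntimeBroker.exe lives only in System32.
            if exe == "runtimebroker.exe" and "\\windows\\system32\\" not in details.lower():
                return ("run_key_runtimebroker_outside_system32", "high")
            # Lightshot legitimately autostarts via Run, so a bare name match is only medium.
            if value_name in MASQUERADE_NAMES or exe[:-4] in MASQUERADE_NAMES:
                return ("run_key_masquerade_name", "medium")
        if UAC_KEY_RE.search(target) and re.fullmatch(r"DWORD \(0x0+\)", details.strip()):
            return ("uac_enablelua_disabled", "high")
    elif ev["EventID"] == 1:  # process create
        image, cmd = _base(ev["Image"]), ev["CommandLine"]
        if image == "schtasks.exe" and "/create" in cmd.lower():
            m = RI_RE.search(cmd)
            if m and int(m.group(1)) <= 5:  # minutes; few legitimate tasks repeat this often
                return ("schtask_short_repeat_interval", "high")
            tn = TN_RE.search(cmd)
            if tn and _base(tn.group(1)) in MASQUERADE_NAMES:
                return ("schtask_masquerade_name", "medium")
        if image in ("powershell.exe", "pwsh.exe") and re.search(r"add-mppreference\s+-exclusion", cmd, re.I):
            return ("defender_exclusion_added", "high")
        if image == "reagentc.exe" and "/disable" in cmd.lower():
            return ("winre_disabled", "high")
    return None


def hunt(events):
    """Return [(event_index, rule, severity)] for every matching event."""
    hits = []
    for i, ev in enumerate(events):
        r = check_event(ev)
        if r:
            hits.append((i, r[0], r[1]))
    return hits


# Constructed events: six modelled on the report's behaviours, two benign.
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker",
     "Details": r"C:\Program Files\Common Files\RuntimeBroker.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Lightshot",
     "Details": r"C:\Program Files\Skillbrains\lightshot\Lightshot.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Procmon /sc once /st 00:00 /ri 3 /du 720:00 /tr "C:\Program Files\Procmon.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden Add-MpPreference -ExclusionPath 'C:\Program Files'"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reagentc.exe", "CommandLine": "reagentc /disable"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, rule, sev in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} [{sev}]")
```

The name-based rules are deliberately rated medium because Lightshot really does register a Run value, so a name hit needs the path checked; the RuntimeBroker rule is rated high because the genuine binary is only ever loaded from System32. The 5-minute repeat threshold is a tuning choice, not a value from the report.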
Indicators of Compromise
- [File Hash ] Sample MD5 hash of analyzed binary – 276ff69704019d7b8491059ea9445a81 (qtaq52ku.exe)
- [File Name ] Dropped executable names used for masquerading and persistence – Lightshot.exe, Procmon.exe and RuntimeBroker.exe (dropped to Program Files paths). The genuine RuntimeBroker.exe resides only in %SystemRoot%\System32, so a copy anywhere else is a reliable masquerade indicator; Lightshot.exe and Procmon.exe must be checked against their path and signer because the legitimate tools share the names.
- [Domains ] C2 and control panel domains – salat.cn (/sa1at), webrat.in (and fallback domains posholnahuy.ru, webr.at; additional: webrat.su, webrat.top)
- [IP Address ] Panel/login infrastructure – 62.109.0.189 (http://62[.]109[.]0[.]189/login/) and C2-related IPs 172.67.194.254, 104.21.60.88, and UDP contact 104.21.80.1. The 172.67.x and 104.21.x addresses fall within Cloudflare's anycast ranges and are shared with unrelated sites, so alert and block on the domains, SNI and Host values rather than on those addresses; 62.109.0.189 is the higher-confidence address.
- [YARA Strings/Artifacts ] Known YARA-detected strings and packer signature – ‘UPX!’ signature and strings/domains such as nyash.team, salat.cn (YARA rule included in report)
- [Browser Paths ] Targeted browser data locations – %LocalAppData%\Google\Chrome\User Data\Default\Web Data (given in the report as %AppData%\Local\Google\Chrome\User Data\Default\Web Data), plus the corresponding User Data profile ‘Web Data’ files of the other Chromium-based browsers listed (Brave, Opera, Thorium, 360Browser, ChromePlus, Sputnik)
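The network indicators above are most useful when the confidence of each one is encoded with it: the domains and the /sa1at path are specific to this operation, while the 104.21.x and 172.67.x addresses are Cloudflare edge nodes that front unrelated sites. The following Python is an added example for this page, not code from the report: it refangs the listed IOCs, matches them against proxy-log lines, and rates shared-edge IP hits low. The log-line format and the log lines are constructed; the Cloudflare ranges are taken from Cloudflare's published IPv4 list and should be refreshed before use.

```python
"""Match the network IOCs on this page against proxy-log lines.

Added example for this page, not from the report. The indicator values are the
ones the page lists (defanged IPs are refanged here); the log-line format and
the lines themselves are constructed. Addresses inside Cloudflare's anycast
ranges are rated low confidence: they front unrelated sites too, so the
domain/SNI and the /sa1at path are the signals to alert and block on.
"""
import ipaddress
import re

C2_DOMAINS = {"salat.cn", "webrat.in", "webr.at", "posholnahuy.ru", "webrat.su", "webrat.top", "nyash.team"}
C2_PATHS = {"/sa1at"}
DEFANGED_IPS = ["62[.]109[.]0[.]189", "172[.]67[.]194[.]254", "104[.]21[.]60[.]88", "104[.]21[.]80[.]1"]
# Cloudflare IPv4 ranges that contain the 104.21.x and 172.67.x addresses above
# (from Cloudflare's published list; refresh it before relying on this).
SHARED_EDGE = [ipaddress.ip_network("104.16.0.0/13"), ipaddress.ip_network("172.64.0.0/13")]

# Constructed log format: "<ts> <src> -> <dst>:<port> host=<sni-or-host> path=<uri-path>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) host=(?P<host>\S+) path=(?P<path>\S+)$")


def refang(ioc):
    """Turn the report's 1[.]2[.]3[.]4 notation back into a usable address."""
    return ioc.replace("[.]", ".")


IOC_IPS = {refang(ip) for ip in DEFANGED_IPS}


def ip_confidence(ip):
    """'low' for a shared CDN edge address, 'high' for a dedicated host."""
    addr = ipaddress.ip_address(ip)
    return "low" if any(addr in net for net in SHARED_EDGE) else "high"


def domain_hit(host):
    """Return the matching C2 domain for host or any of its subdomains, else None."""
    host = host.lower().rstrip(".")
    for d in C2_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_line(line):
    """List of (indicator_type, value, confidence) hits for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    d = domain_hit(m["host"])
    if d:
        hits.append(("domain", d, "high"))
    if m["path"] in C2_PATHS:
        hits.append(("path", m["path"], "high"))
    if m["dst"] in IOC_IPS:
        hits.append(("ip", m["dst"], ip_confidence(m["dst"])))
    return hits


def scan(lines):
    """[(line_index, indicator_type, value, confidence)] over all lines."""
    return [(i, kind, val, conf) for i, line in enumerate(lines) for kind, val, conf in match_line(line)]


SAMPLE_LOG = [  # constructed lines, not captured traffic
    "2024-05-01T10:00:00Z 10.0.0.5 -> 104.21.60.88:443 host=salat.cn path=/sa1at",
    "2024-05-01T10:00:05Z 10.0.0.7 -> 104.21.80.1:443 host=cdn.example.net path=/",
    "2024-05-01T10:00:09Z 10.0.0.9 -> 62.109.0.189:80 host=62.109.0.189 path=/login/",
    "2024-05-01T10:00:12Z 10.0.0.11 -> 142.250.1.1:443 host=www.google.com path=/",
    "2024-05-01T10:00:20Z 10.0.0.12 -> 172.67.5.5:443 host=api.webrat.in path=/ws",
]

if __name__ == "__main__":
    for i, kind, val, conf in scan(SAMPLE_LOG):
        print(f"line {i}: {kind}={val} ({conf})")
```

The second sample line shows why the IP rating matters: a connection to 104.21.80.1 with an unrelated Host header produces only a low-confidence hit, whereas the first line, with the C2 domain and the /sa1at path, produces two high-confidence hits regardless of which edge address Cloudflare happened to serve.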