CastleRAT Malware Detection: Splunk MITRE ATT&CK

MITRE Techniques

• [T1082 ] System Information Discovery – CastleRAT gathers host details (computer name, username, machine GUID, product/version) and queries an external IP service for the public IP (‘This CastleRAT client gathers basic system details from a compromised host, including the computer name, username, machine GUID, Product name, and uses the free web service www[.]ip-api[.]com to obtain the public IP.’)
• [T1115 ] Clipboard Data – The RAT collects clipboard contents and exfiltrates them to the attacker, including hijacking paste actions to stealthily transfer data (‘CastleRAT launches multiple threads … one of those techniques is the collection of Clipboard data.’).
• [T1105 ] Ingress Tool Transfer – CastleRAT downloads DLL plugins from C2, decrypts them with RC4, and launches them using rundll32.exe (‘handles the decryption of CastleRAT DLL plugins downloaded from its C2 server and then launches those plugins using the Windows utility rundll32.exe.’)
• [T1036 ] Masquerading – The malware sets an environment variable and drops files to appear like legitimate Python/Java components to hide monitored data (‘reads and sets an environment variable that is disguised to appear like a legitimate Python or Java component’).
• [T1056.001 ] Keylogging – CastleRAT installs keyboard hooks (SetWindowsHookEx), captures keystrokes to a keylog file, RC4‑encrypts it, and exfiltrates the data (‘intercepts keyboard input, writes it to a keylog.txt file, encrypts that file with RC4, and then exfiltrates the encrypted data’).
• [T1559 ] Inter-Process Communication – The RAT spawns shells with redirected anonymous pipes to provide an interactive remote shell without visible console windows (‘creates a pair of anonymous pipes and starts the chosen shell with its standard input, output and error handles redirected to those pipes’).
• [T1185 ] Browser Session Hijacking – CastleRAT kills running browsers and relaunches Chromium‑based processes with audio flags to enable muted monitoring/control (‘killing a running browser … and launching a new Chromium‑based process with audio‑related command‑line flags’).
• [T1125 ] Video Capture – The malware enumerates media capture devices via Media Foundation APIs (MFEnumDeviceSources) to discover and initialize webcams/microphones (‘calls MFEnumDeviceSources() API for accessing and enumerating media capture devices’).
• [T1218.011 ] Rundll32 – CastleRAT uses rundll32.exe to load DLL exports by ordinal and to execute plugin code or shell32.dll exports (e.g., opening the Run dialog) (‘execute an interesting shell32.dll export function to open the “run” dialog box.’ )
• [T1053 ] Scheduled Task/Job – The RAT registers a Scheduled Task via PowerShell to run a local copy at system startup for persistence (‘register a Scheduled Task that runs a local copy of the malware at system startup’).
• [T1113 ] Screen Capture – A background thread periodically captures screenshots of the active desktop to harvest displayed sensitive information (‘periodically captures screenshots of the active desktop on the compromised host’).
• [T1102.001 ] Dead Drop Resolver – CastleRAT uses legitimate sites like Steam Community pages as dead‑drop resolvers to host or reference configuration or C2 metadata (‘leverages legitimate external websites such as Steam Community pages as benign-looking dead-drop resolvers’).
• [T1548.002 ] Bypass User Account Control – The malware abuses Appinfo and handle duplication via debug event monitoring and NtDuplicateObject to inherit handles from privileged processes and escalate privileges (‘abuses the Appinfo service UUID … monitors a specific debug event … duplicate via NtDuplicateObject () API’).