Castle RAT Client Malware: Tactics, Techniques, and Tradecraft

Summary

CastleRAT is a remote access Trojan first observed in March 2025, shipped in both Python and compiled C variants. It gathers system metadata, keystrokes, clipboard contents, screenshots, and media device details, then exfiltrates this information to a C2 server using RC4 encryption. The malware can fetch extra payloads, launch them via rundll32, and establish persistence through scheduled tasks and UAC bypass methods.

Investigation

The Splunk Threat Research Team reverse-engineered the Python and C implementations, mapping their behaviors to MITRE ATT&CK techniques including system discovery, keylogging, screen capture, audio/video device enumeration, dead-drop resolvers, and handle duplication for privilege escalation. The research emphasized CastleRAT’s reliance on legitimate Windows binaries (rundll32, ComputerDefaults.exe) and its use of www.ip-api.com to obtain the public IP address.

Mitigation

Defenders should detect suspicious outbound connections to unfamiliar domains, RC4-encrypted traffic patterns, and executions of rundll32 using ordinal-based DLL loads. Monitor for scheduled tasks created to start CastleRAT, UAC bypass attempts leveraging ComputerDefaults.exe, and processes launched with muted-audio browser flags. Block access to known dead-drop resolver locations, including abused Steam Community pages.

Response

When CastleRAT activity is identified, isolate the impacted host, kill the malicious processes, and remove any associated scheduled tasks or persistence artifacts. Collect forensic evidence such as process hierarchies, command-line arguments, and registry changes. Perform a comprehensive hunt for additional DLL plugins and C2 channels, then roll out remediation and hardening measures across the wider environment.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

• Attack Narrative & Commands:

  1. Stage 1 – Deploy CastleRAT binary: The attacker copies CastleRAT.exe to the victim’s %APPDATA% directory to blend with user data.
  2. Stage 2 – Execute keylogging: Using a small C#‑in‑memory loader, the attacker invokes SetWindowsHookEx to install a low‑level keyboard hook, causing Sysmon to record the API in the CallTrace of the process creation event.
  3. Stage 3 – Privilege escalation: The same loader then calls DuplicateHandle to duplicate a handle from a privileged system process (e.g., lsass.exe), enabling the malware to run with SYSTEM rights. Both API calls appear in the same Sysmon CallTrace, satisfying the detection rule’s criteria.

• Regression Test Script:

  # -------------------------------------------------
  # CastleRAT simulation – triggers SetWindowsHookEx and DuplicateHandle
  # -------------------------------------------------
  $castlePath = "$env:APPDATA\CastleRAT.exe"
  
  # 1. Drop a minimal stub that loads the real payload (simulated here)
  $payload = @"
  using System;
  using System.Runtime.InteropServices;
  public class Loader {
      [DllImport("user32.dll")]
      public static extern IntPtr SetWindowsHookEx(int idHook, IntPtr lpfn, IntPtr hMod, uint dwThreadId);
      [DllImport("kernel32.dll", SetLastError = true)]
      public static extern bool DuplicateHandle(IntPtr hSourceProcessHandle,
                                                IntPtr hSourceHandle,
                                                IntPtr hTargetProcessHandle,
                                                out IntPtr lpTargetHandle,
                                                uint dwDesiredAccess,
                                                bool bInheritHandle,
                                                uint dwOptions);
      public static void Execute() {
          // Install a low‑level keyboard hook (WH_KEYBOARD_LL = 13)
          SetWindowsHookEx(13, IntPtr.Zero, IntPtr.Zero, 0);
          // Duplicate a handle from the current process (simulated)
          IntPtr dupHandle;
          DuplicateHandle((IntPtr)-1, (IntPtr)0x1234, (IntPtr)-1, out dupHandle, 0, false, 0);
      }
  }

“@

# Compile the C# code on‑the‑fly
Add-Type -TypeDefinition $payload -Language CSharp

# Copy the current PowerShell process (acts as CastleRAT.exe) to the target path
Copy-Item -Path $PSCommandPath -Destination $castlePath -Force

# Execute the malicious payload
[Loader]::Execute()

# Keep the process alive briefly to ensure Sysmon logs the call stack
Start-Sleep -Seconds 5

• Cleanup Commands:

  # Remove the simulated CastleRAT binary
  Remove-Item -Path "$env:APPDATA\CastleRAT.exe" -Force
  
  # Optionally unload any hooks (not needed for the stub, but included for completeness)
  # No explicit unload required for the SetWindowsHookEx call with NULL callback used above.