CastleRAT malware attacks Windows users secretly controlling

CastleRAT malware attacks Windows users secretly controlling the machine silently.

One type of malware that many readers will be familiar with: the remote access trojan type of malware, many of which have been reborn almost every day, and this is another new one to trouble Windows users again.

According to a report by the website Cyber Security News, a new RAT type of malware called CastleRAT was detected by a research team from Splunk, an expert company building enterprise cybersecurity tools. The research team first detected this malware in March. The malware will focus on attacks on Windows users by this malware. In addition to its basic capabilities, it allows hackers to take over the victim's machine. The malware is also divided into two versions:

Python version, which is a small (Lightweight) version.

Version C is a version that comes with high-level capabilities such as Keystoke, Screen Log Stealth, and Superior Persistance.

The research team has not identified any form of proliferation or deception for hackers to download and install malware. It is technically specified that the malware, after installing itself on the system, will collect systemic information from the victim's machine, such as computer name, user name, GUID number, IP address number, etc. The malware will send it back to a C2 (Command and Control) server with fixed-line encryption (Hardcoding) after the hacker has received the information. It will send a command through the C2 server to command the malware to run in the next step.

One of the more interesting features is the Clipboard theft feature to steal sensitive data copied by the victim on the Clipboard, such as the address of sending or receiving Kryptokerrency money, passwords, to the Kryptokerrency wallet loan code, where the malware takes over Hijacking and secretly uses the Paste command and then quietly smuggles the Exfiltration back to the C2 server.

The secret to silently smuggling is that instead of the malware running a network Sockets channel that is open or even running a network API that is vulnerable to detection, the malware copies the data on the Clipboard and uses the SendInput () function to place messages on unsuspecting applications to deceive the detection system and then distributes them to the C2 server. The research team also revealed examples of this function code:

If (OpenClipboard (0164))

{

EmptyClipboard ();

HMM = GlobalAlloc (0x2000u, v2 + 1);

Dest = GlobalLock (hMem);

Strcpy (Dest, Source);

SetClipboardData (1u, hMem);

CloseClipboard ();

pInputs [0] .ki.wVk = VK _ CONTROL;

pInputs [2] .ki.wVk = 'V';

SendInput (4u, pInputs, 40);

}

In defense, the research team recommended that enterprise users regularly monitor the behavior of their network in order to prevent and intervene when they are detected.

# Recap 2025 # Take care of yourself # Open budget # Includes IT matters # Trending