Unmasking CastleRAT: The Python & C Trojan Exploiting Windows RPC for Silent Takeover

Listen to this Post

Featured Image

Introduction:

A new remote-access trojan (RAT) dubbed CastleRAT is demonstrating sophisticated evasion and persistence techniques, leveraging a legitimate Windows RPC mechanism for privilege escalation. Discovered by the Splunk Threat Research Team (STRT), this dual-variant malware (written in Python and compiled C) enables complete system compromise, highlighting an ongoing trend of attackers abusing trusted OS components. This analysis delves into its tactics and provides actionable blue-team defenses.

Learning Objectives:

  • Understand the CastleRAT infection chain and its abuse of the AppInfo RPC Service.
  • Learn to implement detection rules for associated MITRE ATT&CK techniques.
  • Acquire hands-on skills for investigating and mitigating such RAT infections.

You Should Know:

  1. The CastleRAT Infection Chain and AppInfo RPC Exploit
    The attack begins with a common initial access vector, like a phishing email. Once executed, CastleRAT’s core objective is privilege escalation. It achieves this by leveraging the `AppInfo` service (Application Information) via Remote Procedure Call (RPC). Specifically, it uses the `AppInfo` RPC service UUID to trigger the execution of a trusted Windows binary, ComputerDefaults.exe, with elevated privileges. The malware then duplicates handles from this high-integrity process into its own malicious process, inheriting SYSTEM-level permissions.

Step-by-step guide explaining what this does and how to use it:
– Step 1: Initial Execution. The user executes a disguised payload (e.g., Invoice.doc.exe).
– Step 2: Discovery & Impersonation. The malware enumerates processes to find a suitable candidate for handle duplication. It often targets `explorer.exe` running under the current user.

 Simulating process discovery (Attacker View - C/C++ logic)
for (process in EnumerateProcesses()) {
if (process.Name == "explorer.exe" && process.SessionId == CurrentSessionId) {
targetPID = process.Id;
break;
}
}

– Step 3: RPC Call for Elevation. The malware uses the `RAiLaunchAdminProcess` function from the AppInfo service to launch `ComputerDefaults.exe` as admin.
– Step 4: Handle Inheritance. Using the duplicated handles, the malware spawns its own payload with the stolen elevated privileges, achieving persistence.

2. MITRE ATT&CK Framework Mapping

STRT meticulously mapped CastleRAT’s behavior to the MITRE ATT&CK matrix. Key techniques include:
– T1548.002 (Bypass User Account Control: Abuse Elevation Control Mechanism): The abuse of the AppInfo service.
– T1055 (Process Injection): Injecting code into legitimate processes like explorer.exe.
– T1574.002 (Hijack Execution Flow: DLL Side-Loading): Possibly deploying malicious DLLs alongside trusted binaries.
– T1027 (Obfuscated Files or Information): Using compiled C for the core payload to hinder analysis.

Step-by-step guide for analysts:

Use the MITRE Navigator to visualize this threat. Import the following technique IDs: T1548.002, T1055, T1574.002, T1027, T1518 (Software Discovery), and T1016 (System Network Configuration Discovery). This creates a heatmap of adversary behavior for developing detection hypotheses.

3. Building Detections with Splunk SPL

Proactive detection is critical. Below are sample Splunk Search Processing Language (SPL) queries based on identified TTPs.

Step-by-step guide for detection engineering:

  • Detection for Suspicious Child Processes of ComputerDefaults.exe:
    index=windows EventCode=4688
    New_Process_Name="ComputerDefaults.exe"
    Parent_Process_Name IN ("cmd.exe", "powershell.exe", "wscript.exe")
    | stats count by Parent_Process_Name, New_Process_Name, CommandLine
    
  • Detection for RPC Server Activation (AppInfo Service Abuse):
    index=windows EventCode=4697
    Service_Name="AppInfo"
    Subject_User_Name!="SYSTEM"
    | table _time, Subject_User_Name, ComputerName
    
  • Hunting for Handle Duplication:
    Leverage Sysmon Event ID 10 (ProcessAccess) with high-granted access rights like PROCESS_DUP_HANDLE.

    index=windows sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10
    GrantedAccess="0x40" OR GrantedAccess="0x1000" // PROCESS_DUP_HANDLE | PROCESS_CREATE_PROCESS
    | stats values(CallTrace) by SourceImage, TargetImage
    

4. Mitigation & Hardening Steps

Preventing exploitation requires a layered defense strategy.

Step-by-step mitigation guide:

  • Step 1: Restrict RPC Permissions. Configure the `AppInfo` service (AppIDSvc) to deny execution from non-admin users via Group Policy. Set the service’s security descriptor (SDDL) to restrict `RPCSERVICE` permissions.
  • Step 2: Implement Application Control. Use Windows Defender Application Control (WDAC) or AppLocker to block unsigned scripts and binaries from executing in user writable directories (%APPDATA%, %TEMP%).
    Example PowerShell to create a WDAC policy blocking unsigned scripts
    New-CIPolicy -FilePath BlockUnsignedScripts.xml -Level Publisher -Fallback Hash -UserPEs -DriverPEs
    
  • Step 3: Enable Attack Surface Reduction (ASR) Rules. Enable ASR rules via Defender, particularly “Block process creations originating from PSExec and WMI commands” and “Block abuse of exploited vulnerable signed drivers.”

5. Incident Response & Forensic Triage

If you suspect a CastleRAT infection, quick triage is essential.

Step-by-step forensic guide:

  • Step 1: Process Analysis. Use a tool like Sysinternals Process Explorer to look for `ComputerDefaults.exe` with unusual parent processes or network connections.
  • Step 2: Network Analysis. CastleRAT establishes C2 connections. Look for anomalous outbound traffic on non-standard ports from processes masquerading as system utilities.
    On Linux-based SIEM or analyst workstation, query for suspicious outbound calls
    netstat -antp | grep ESTABLISHED | grep -E ':443|:8443|:4444' | grep -v "chrome|firefox"
    
  • Step 3: Persistence Check. Examine common persistence locations:
    Windows Command Prompt
    reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" /a
    

6. Leveraging Splunk’s Analytic Stories

Splunk’s coverage includes pre-built Analytic Stories for RATs and privilege escalation. Navigate to the Splunk Enterprise Security App and search for the “Remote Access Trojan” or “Privilege Escalation via API” Analytic Stories. These packages bundle the correlated searches, data models, and response playbooks needed for end-to-end investigation.

What Undercode Say:

  • Key Takeaway 1: The sophistication of CastleRAT lies not in a zero-day, but in the sophisticated abuse of a legitimate, poorly-secured Windows RPC mechanism (AppInfo). This represents a shift towards “living-off-the-land” (LOLBins) even in post-exploitation RATs, making them harder to distinguish from normal activity.
  • Key Takeaway 2: The dual Python and C implementation is strategic. The Python variant allows for rapid iteration and easy deployment, while the compiled C variant is used for robust, persistent, and harder-to-analyze backdoors. This shows adversary adaptation to target environments and analyst skill sets.

The analysis by STRT underscores a critical blue-team imperative: detection must evolve beyond hash-based IOCs to focus on behavior and sequence of events. The malicious sequence of process discovery -> specific RPC call -> handle duplication -> privileged process creation is a more reliable fingerprint than any single file. Defenders must instrument their endpoints to log these low-level RPC and process access events (via Sysmon or EDR) and correlate them in a SIEM. The provided SPL is a solid foundation, but tuning for your environment is non-negotiable to reduce noise.

Prediction:

CastleRAT’s methodology signals a future where RATs will increasingly weaponize Windows internal components and protocols (COM, RPC, WMI) that are essential to OS functionality and thus cannot be disabled. We predict a rise in “API-based persistence,” where malware maintains access not through traditional registry run keys, but by manipulating and hooking into core OS service workflows. This will force the security industry to develop more advanced behavioral detections that understand the legitimate context of these system calls, pushing wider adoption of machine-learning models trained on telemetry from kernel and user-space API interactions. Furthermore, the Python/C combo foreshadows a trend of cross-language malware frameworks, making attribution harder and increasing the need for reverse-engineering tools that can handle polyglot code analysis.

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Teoderickc Splunk – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky