It’s bad enough that threat actors are leveraging AI for their attacks, but now they can also access a new remote access trojan (RAT) that makes it easy to launch data theft and ransomware attacks on Windows computers from a single management pane.

The tool is called Steaelite, and according to researchers at BlackFog, it’s been advertised and available to customers on underground cybercrime sites since last November. In addition, there’s a promotional video on YouTube showing off its capabilities.

The tool could lower the barrier to executing sophisticated, end-to-end ransomware campaigns.

But BlackFog CEO Darren Williams told CSO that this isn’t the most sophisticated RAT he’s seen. “The novel aspect here,” he said, “is the convergence. Steaelite bundles remote access, credential harvesting, data exfiltration, and ransomware (currently in development) in a single package.”

Traditionally, he explained, these capabilities have occupied different parts of the cybercrime toolchain, but Steaelite unifies the functions, giving operators persistent access, surveillance, and data theft from a single browser-based dashboard. And once the ransomware module has been completed, “operators will be able to exfiltrate data first and encrypt second, enabling double extortion without switching tools, which is quite rare.”

That’s enough power “to fully compromise a business,” he noted. “The damage scales with the victim’s access, so one infected employee with privileged credentials could hand over the keys to the entire environment.”

Just over a decade ago, a researcher counted more than 250 RATs, and threat actors continue to create new RATs to evade evolving defenses; today Malwarebytes lists the currently best known RATs as SubSeven, Back Orifice, ProRat, Turkojan and Poison-Ivy.

And earlier this month, security researchers at Point Wild disclosed yet another Windows malware campaign that uses a multi-stage infection chain to establish persistent, memory-resident access on compromised systems and steal sensitive data.

RATs are spread in many ways, including by employees clicking on phishing lures and by threat actors tricking staff into installing what they’re told is necessary software. Because of that, security awareness training is a prime defense.

What Steaelite includes

The browser-based Steaelite toolkit includes modules for remote code execution, file management, live streaming, webcam and microphone access, process management, clipboard monitoring, password recovery, installed program enumeration, location tracking, arbitrary file execution, URL opening, DDoS attacks, and VB.NET payload compilation.

As well, an ‘advanced tools’ panel provides ransomware deployment, hidden RDP (Remote Desktop Protocol) access, the ability to disable Windows Defender, Defender exclusion management, and persistence installation.

A real-time screen-streaming capability shows the victim’s desktop with a “LIVE STREAM” indicator. “Combined with webcam and microphone modules, this turns Steaelite into a persistent surveillance platform for as long as the victim remains connected,” says the report.

The ‘developer tools’ panel adds keylogging, client-to-victim chat, file searching, USB spreading, bot killing (for removing competing malware), message box delivery, wallpaper modification, UAC bypass, and a clipper that swaps cryptocurrency wallet addresses with an attacker-controlled address during copy-paste operations.

Perhaps most worrisome for CSOs and infosec leaders, the tool allows a single threat actor to browse the victim’s files, exfiltrate documents, harvest credentials, and deploy ransomware – in other words, to enable double extortion – from the same dashboard.

Usually double extortion requires separate tools or steps, says BlackFog: malware for initial access and exfiltration, then a separate ransomware payload for encryption, often involving coordination between initial access brokers and ransomware affiliates.

In fact, the report says, the automated credential harvesting means data theft begins before the criminal operator even interacts with the dashboard.

The Android ransomware module on the tool’s roadmap extends this further, says the report. “If the developer delivers [the ransomware module], a single Steaelite licence could cover both corporate Windows endpoints and the mobile devices employees use for authentication and messaging.”

Steaelite is malware-as-a-service. The seller quotes $200 per month for access, or $500 for three months, with buyers contacting the seller through Telegram to arrange payment and receive access.

Defenders should focus on data exfiltration prevention rather than just perimeter defense, said Williams. “Tools like Steaelite assume they will get past initial defenses and prioritize getting data out fast,” he said. “Stopping the exfiltration at the point it happens is more reliable than trying to prevent every possible initial infection vector.”
