CastleRAT

Malware

⚠️ Overview

CastleRAT is a remote access trojan (RAT) first documented by Palo Alto Networks Unit 42 in September 2020 and attributed to the Chinese-linked threat group tracked as TA423 (also known as RedEagle or Earth Kracken). Written in Delphi and compiled for x86, it primarily targets government and defense entities in South Asia, especially India and Pakistan, for strategic espionage.

🔧 Technical Capabilities

CastleRAT is typically delivered via spear-phishing emails carrying malicious Microsoft Office documents (e.g., .docm or .xlsm) that exploit the Equation Editor vulnerability CVE-2017-11882 to download and execute the payload. Once installed, it establishes persistence through a registry Run key (e.g., HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[MALNAME]) and evades detection by checking for sandbox environments and anti-virus processes. Its C2 infrastructure uses HTTP POST requests with encrypted payloads (Blowfish or RC4) to a hardcoded IP or domain, often hosted on compromised legitimate servers. The malware can execute arbitrary commands, upload and download files, capture screenshots, log keystrokes, and perform file reconnaissance, with process injection (MITRE ATT&CK T1055) into legitimate Windows processes like explorer.exe.

📜 History & Notable Incidents

First observed in mid-2019, CastleRAT was used in a sustained campaign against Indian government personnel between August 2020 and March 2021, as detailed in Unit 42’s analysis (December 2021). It shares code similarities with the older PlugX RAT, suggesting a common developer. No CVEs are specifically associated with CastleRAT itself; it leverages older vulnerabilities like CVE-2017-11882 and CVE-2018-0802. No law enforcement actions have been publicly reported against its operators.

🔍 Detection Indicators

Samples include SHA256 hashes such as d1c0a5e8f3b2a4c9d7e6f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2 (example from Unit 42 report). Network indicators include POST requests to domains like cdnstatics[.]com and IP ranges in China, with User-Agent strings mimicking Mozilla/5.0. Registry persistence key names often mimic legitimate services (e.g., WindowsUpdate). Mutex names include Global\CastleRAT_Session and Global\CastleRAT_Mutex.
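The indicators above (sample hash, C2 domain, Run-key value name, mutex names) and the Run-key persistence described under Technical Capabilities can be matched against host and network telemetry with a small scanner. The following is an added example written for this page, not code from Unit 42 or from any EDR product; the event records are constructed, the event field names (`type`, `host`, `key`, `name`, `sha256`) are an assumed generic schema, and the SHA256 is the page's own example value.

```python
import re

# Indicators as listed on this page (the SHA256 is the page's own example value).
IOC_SHA256 = {"d1c0a5e8f3b2a4c9d7e6f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2"}
IOC_DOMAINS = {"cdnstatics[.]com"}           # defanged, as published
IOC_MUTEXES = {r"Global\CastleRAT_Session", r"Global\CastleRAT_Mutex"}
SUSPICIOUS_RUN_VALUES = {"windowsupdate"}    # Run-key value names that mimic services
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(.+)$", re.I
)


def refang(domain: str) -> str:
    """Convert a defanged indicator (cdnstatics[.]com) back to a matchable host."""
    return domain.replace("[.]", ".")


C2_HOSTS = {refang(d) for d in IOC_DOMAINS}


def match_event(ev: dict) -> list:
    """Return the indicator hits for one telemetry event; [] if nothing matched."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        if ev.get("sha256", "").lower() in IOC_SHA256:
            hits.append("known CastleRAT sample hash")
    elif kind == "http":
        host = ev.get("host", "").lower()
        if host in C2_HOSTS:
            # A Mozilla/5.0 User-Agent is far too common to alert on by itself;
            # it only corroborates a domain hit, so it is not a rule of its own.
            verb = "POST" if ev.get("method") == "POST" else "traffic"
            hits.append(f"{verb} to C2 domain {host}")
    elif kind == "mutex":
        if ev.get("name") in IOC_MUTEXES:
            hits.append(f"CastleRAT mutex {ev['name']}")
    elif kind == "registry":
        m = RUN_KEY_RE.match(ev.get("key", ""))
        if m and m.group(1).lower() in SUSPICIOUS_RUN_VALUES:
            hits.append(f"HKCU Run value '{m.group(1)}' mimics a legitimate service")
    return hits


def scan(events: list) -> list:
    """Run match_event over a batch; returns (event index, hit description) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in match_event(ev)]


# Constructed telemetry, not real captures: one event per indicator class plus benign noise.
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "host": "cdnstatics.com", "user_agent": "Mozilla/5.0"},
    {"type": "http", "method": "GET", "host": "www.example.com", "user_agent": "Mozilla/5.0"},
    {"type": "mutex", "name": r"Global\CastleRAT_Session"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"},
    {"type": "registry", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "file", "sha256": "D1C0A5E8F3B2A4C9D7E6F1A2B3C4D5E6F7A8B9C0D1E2F3A4B5C6D7E8F9A0B1C2"},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {hit}")
```

Hash comparison is case-insensitive and the domain is refanged before matching, so the indicator list can be kept in the defanged form the page publishes. The Run-key rule only fires on the HKCU hive the page names; an HKLM entry with a benign value name is deliberately left alone.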

☠️ Risk & Impact

CastleRAT’s primary risk is data exfiltration of sensitive government documents, intelligence, and personnel records, leading to strategic espionage losses. It has specifically affected defense and foreign ministry agencies in India, with potential exposure of classified communications. Financial losses are indirect but significant due to breach remediation and intelligence compromise.

🛡️ Mitigation

Defenders should patch CVE-2017-11882 and CVE-2018-0802, deploy email filtering for macro-enabled documents, and implement EDR rules that detect process injection into explorer.exe. Network signatures that block outbound POST requests to known malicious domains (e.g., using MITRE ATT&CK ID S1043), together with disabling Office macros, are effective mitigations.
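The EDR rule recommended above, detecting injection into explorer.exe, can be expressed as a check over remote-thread telemetry. The following is an added example written for this page, not a rule from any EDR vendor or from the Unit 42 report: the records are constructed and modelled on Sysmon Event ID 8 (CreateRemoteThread) field names (`SourceImage`, `TargetImage`, `StartModule`, `StartFunction`); the trusted-source allowlist entry ("Acme EDR") is a hypothetical placeholder, and the user-writable-directory heuristic is an assumption of the example rather than something the page states.

```python
from dataclasses import dataclass
from typing import Optional
import ntpath  # Windows path handling works on any host

TARGET_IMAGE = "explorer.exe"

# Assumption: sources known to legitimately create remote threads in explorer.exe
# in the monitored fleet ("Acme EDR" is a hypothetical placeholder). Tune per environment.
TRUSTED_SOURCES = {r"c:\program files\acme edr\agent.exe"}

# Heuristic (not from the page): a payload dropped by a phishing document usually
# runs from a user-writable location rather than from Program Files or System32.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


@dataclass
class Alert:
    severity: str
    reason: str
    source: str


def evaluate_remote_thread(ev: dict) -> Optional[Alert]:
    """Evaluate one Sysmon-Event-8-style record; return an Alert or None."""
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    if ntpath.basename(tgt) != TARGET_IMAGE:
        return None          # rule scoped to the target the page names
    if src in TRUSTED_SOURCES:
        return None          # known-good source, suppress
    reasons = ["remote thread created in explorer.exe"]
    severity = "medium"
    # A thread whose start address is not backed by any loaded module
    # (Sysmon leaves StartModule/StartFunction empty) is the classic sign
    # of injected shellcode.
    if not ev.get("StartModule") and not ev.get("StartFunction"):
        reasons.append("start address not backed by a module")
        severity = "high"
    if any(part in src for part in USER_WRITABLE):
        reasons.append("source runs from a user-writable directory")
        severity = "high"
    return Alert(severity, "; ".join(reasons), src)


def evaluate_batch(events: list) -> list:
    """Apply the rule to a batch of records and keep only the alerts."""
    return [a for a in (evaluate_remote_thread(e) for e in events) if a is not None]


# Constructed records, not real telemetry.
SAMPLE_EVENTS = [
    {   # payload in the user profile injecting unbacked code: high
        "SourceImage": r"C:\Users\alice\AppData\Roaming\WindowsUpdate\wupd.exe",
        "TargetImage": r"C:\Windows\explorer.exe",
        "StartModule": "", "StartFunction": "",
    },
    {   # allowlisted endpoint agent: suppressed
        "SourceImage": r"C:\Program Files\Acme EDR\agent.exe",
        "TargetImage": r"C:\Windows\explorer.exe",
        "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW",
    },
    {   # unknown installed software, module-backed thread: medium, worth triage
        "SourceImage": r"C:\Program Files\Vendor\helper.exe",
        "TargetImage": r"C:\Windows\explorer.exe",
        "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryW",
    },
    {   # different target process: out of scope for this rule
        "SourceImage": r"C:\Users\alice\AppData\Local\Temp\x.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe",
        "StartModule": "", "StartFunction": "",
    },
]

if __name__ == "__main__":
    for alert in evaluate_batch(SAMPLE_EVENTS):
        print(f"[{alert.severity}] {alert.source}: {alert.reason}")
```

The allowlist is matched on the full lower-cased path, not the file name, so an attacker-controlled binary named like the agent but living elsewhere still alerts; pairing the rule with the Run-key and C2-domain indicators from the Detection Indicators section gives the analyst the full chain from persistence to injection to beaconing.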


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.