
A new breed of RAT.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Darren Williams: So we're continually researching on the internet and some of the agents that we have deployed out in the field, we're detecting all sorts of anomalies and vulnerabilities out there. And so this is how we sort of look at weird things that are happening on endpoints and say, hey, that's a bit unusual. And then when we dig deeper, we tend to find out what's really going on. And then sometimes we discover entirely new systems like this example here.
Dave Bittner: That's Dr. Darren Williams, Founder and CEO of BlackFog. The research we're discussing today is titled "Steaelite RAT Enables Double Extortion Attacks from a Single Panel." When you first analyzed this tool, what was it that stood out as unusual compared with other remote access Trojans?
Darren Williams: So the unique thing about this is it seems to be a hybrid, and it contains pretty much all of the cool things that you would ever want in a ransomware-type malware. It not only does remote access, it's fully controlled through the web browser, and you can do real-time screen sharing through a remote control panel, which is pretty cool. And it does key capture. It's cool in the sense that it's not cool [laughter]. But it's amazing in that it contains so many different technologies that traditionally we see in individual ransomware, but they're never all together. And one of the really interesting ones is that it has key capture technology built into it as well. And it specifically is able to copy things from your clipboard. And so you could do a cryptocurrency transfer, for example, capture it to the clipboard, paste it in to do a transaction, and it flips it to another endpoint to transfer the money to them directly. So it's really amazing the way it's able to do all of this stuff in real time.
Dave Bittner: Well, the research highlights that Steaelite enables double extortion attacks. What does that mean in practical terms?
Darren Williams: Well, it means they can go after not only the direct data themselves but maybe the information that's contained within that data. So traditional examples include corporations where they might have some valuable intellectual property. They'll come and extort that company for the first amount of money. Then they will take that information, read it, analyze it, and say, oh, we could also go after Darren Williams as well and all his family. And so they get a double bite at the cherry, if you will.
Dave Bittner: Well, let's walk through a typical scenario here. How would someone find themselves infected with this?
Darren Williams: Well, they wouldn't know. That's part of the beauty of it, right? It -- typically what happens here is you have to have an initial payload, we call it, that is actually deployed onto the endpoint. And this is typically done through standard phishing techniques, through email, where, you know, we know, for instance, that Dave is a big cat fan. So anything involving cats, Dave's going to probably click on it. So let's go phish for him. And that's typically what we see, where they just download very -- things that really seem innocuous at the time. But all they need is that first 200 bytes, typically. Then what happens is it often sits latent on the device, so, you know, a bit of JavaScript, download a little piece of code, which will stay there for a little while, and then it will activate, and then it will go and download from a remote site the entire malware itself to do the full execution of the attack. And at that point, they control you, right? So because typically what we find is a lot of this activation is done usually during the nighttime, 2:00, 3:00 AM typically. Then once it's activated, the perpetrator can actually, you know, remotely control your machine and do screen sharing. They can do free file browsing of your machine remotely through that web interface. And we provide some screenshots in the article itself too. Pretty scary stuff.
Dave Bittner: Well, how stealthy is this? I mean, would your typical antivirus protection flag this?
Darren Williams: No, that's part of the problem. So it's so new, is one aspect of it. And we do provide the keys for this so that if anyone wants to incorporate it into their other software, they can actually do that. But it's really difficult to detect, because it's all -- so modern attacks are really predicated on data exfiltration, honestly. It's all about the data. It used to be that everything was always about the device. Oh, I'm scared I'll lose my laptop and all the information on it. Well, really what's happening now is always about the data. It used to be that ransomware was, you know, remember the old days when it used to be you break your computer, would lock all your files, encrypt them all? They don't even bother anymore. That game of cat and mouse is so much effort and engineering work from the bad guys and the good guys that they just gave up doing it. So 96% of the attacks out there now are always about stealing your data primarily, because that's what they use to extort you. And that's really the game, that's the ball game for them.
Dave Bittner: So ransomware, it really isn't about locking stuff up on your machine locally. It's about the extortion and then ransoming that off.
Darren Williams: Exactly. And that's exactly what we're seeing now. In fact, most people don't even bother doing the encryption. Because encryption is one of those things where, you know, the technologies are evolving so quickly and then, you know, we can defeat them just by getting the right keys out there too. So it's just like a lock and a key. But at the end of the day, I only want your data anyway, so whatever we can do to make money. I mean, these are just enterprises, ultimately, just the bad guys that are trying to make money like everybody else, right? Just not for good reasons a lot of the time.
Dave Bittner: Well, you highlight the fact that this is an all-in-one extortion platform. What's that like for the attacker in terms of the decisions that they make along the way for the types of things they want to enable and how they want to go about doing that?
Darren Williams: So they can get to choose. The beautiful thing about this one is it's so remote oriented and it works through a browser, it gives them a lot more power than a traditional piece of software. Typically, what we used to see was the full payload coming down to the device, and then a lot of the logic is built into the actual malware, and then typically it's able to be detected pretty easily. But because this is remote-controlled at a control level, it's much harder to detect and a lot easier for the attacker to change techniques. Because they can say, look, the endpoint is enabled with this technology. Hey, let's go and switch on, you know, the key logger right now. Let's go and actually browse the remote files. Let's go in and do X, Y, Z. There's a lot of different things it's able to do and steal all the passwords. And one of the other great things that it does, again, not great, but really interesting [laughter], is that it actually is able to steal all your passwords stored in your browser, right, in your keychains. So it's able to actually go in and read them through, you know, your Chrome browser or whatever it is you're using. And you leverage those. So again, it's nearly triple extortion in the sense that it can take all of your other passwords as well. And then once they have them, say you're maybe logged into your bank or financial institution, you can easily grab a lot of those passwords that are stored locally and then take them off and then try and use them themselves. And also watch what you're doing. I mean, it's pretty amazing what it can do these days. [ Music ]
Dave Bittner: We'll be right back. Do you have any sense for how widespread or popular this is?
Darren Williams: Well, it was initially discovered in November of '25, and we're starting to see it used more and more. Is it widely used yet? Not yet, which is why we wanted to raise the attention of this really quickly so that we could give people a heads up. And in fact, they're advertising pretty freely on their website, if you go to it now, that there's an Android client available soon too. So, I mean, they're actively developing this technology really quickly because I guess it has been so effective. We're not aware of a lot of live attacks yet, but I mean, we don't see everything, obviously, so there's probably a lot if they're actively developing.
Dave Bittner: What sort of approach to the market do they seem to be taking? Is this pricey or is it affordable for anyone?
Darren Williams: I don't actually know what they're charging for it. But typically, the way these models traditionally work is they take 50% of the cut of any particular extortion amount that you get. So they control the cryptocurrency exchange itself, and then they'll take a cut. Just like a normal partner arrangement that you would have with a normal commercial operation, they just take a cut and maybe a low price, usually, you know, a few hundred dollars a month to get access to the technology. So, you know, the money for them is obviously in the extortion by taking half the amount of money.
Dave Bittner: Any sense for what part of the world these folks are from?
Darren Williams: None yet.
Dave Bittner: Okay.
Darren Williams: It's very hard to do. These are very, very diverse organizations and they spread around, you know, geographically all over the world. They're like, they work in little silos. And so if you cut off one tentacle, there's tentacles all over the place and very hard. And they're dispersed, usually they're working for multiple gangs at the same time as well. So you never really can isolate them.
Dave Bittner: So what are your recommendations then for the defenders in our audience? What's the best approach to protect their organizations?
Darren Williams: We really sort of focus on the data itself, and that's what we're all about. So we always say always focus on the data. I mean, yes, it's great to have a great lock on your front door and great protection in the perimeter of your security of your house, but you don't just rely on that. You usually rely on multiple things. Make sure your standard tools are enabled on your operating system, like, you know, Defender on Windows, for example, and the same for macOS. And then have some other cybersecurity tools on your system, too, that are actually actively blocking, you know, unauthorized data exfiltration to really stop that back channel, if you will. A lot of the tools out there are defensive. They focus on the front door. We also need to be looking at the data leaving the building as well.
Dave Bittner: So really monitoring that outbound data movement is part of the defense?
Darren Williams: Exactly, exactly. And, you know, we're also looking closely at what AI is introducing. These days, you know, everyone's using ChatGPT and all of those sorts of larger language models. But there are ways of also attacking systems using that sort of technology as well. And in fact, we're about to publish some research on that. Perhaps we can talk about that in the future. But it's really interesting. The world we're in right now is changing so quickly with large language models and AI. There are just new -- all these new opportunities available that the attackers never had available to them before. So this is why we're bringing this to the attention of the public as well.
Dave Bittner: What is your sense for what a tool like Steaelite tells us about where this is headed? When we're talking about ransomware and extortion, what's the future looking like over the next few years?
Darren Williams: Hard to predict the future. We don't try and predict anything beyond six or 12 months these days because things are just compressing time so quickly with AI. But we are seeing, and I think there's no -- I think it's pretty obvious what's happening there with the expansion of AI and explosion of agents generally. A Claude bot is a great example of that, where we are now starting to not just use language models to ask it questions and get responses, but we're saying, you know, why don't we download Claude bot and let it go and automate all of the actions on our desktop? Let it respond to a few emails for us and read our calendar and check that, hey, we haven't caught up with Dave for a few weeks, maybe we should ping him. And it's doing all this automatically. Now, what that entails is the download of a specific piece of application to your desktop, which has access to all of your files across your operating system. Now, what that means is that we have given open authorized access to all of our systems. And if it's then communicating out to large language models to help do the work, then we've got a bigger problem. We've got more data leaking out of our system that we don't even know what it's doing. All we know is they're using, you know, MCP -- which is the API communication protocol that these tools use to talk to their language models in their own language -- and then they're actually sending it out to them. Now, this is a problem because we don't know what it's doing. So there needs to be some, we feel, some monitoring of that transaction out to LLMs at the same time. We're not saying don't use AI. We think AI is amazing ourselves, right? We use it every day. But let's use it responsibly. Let's have the control mechanisms in place to measure what they're doing to make sure there's some guardrails around all of this. And I feel like it's a little bit open season right now and that there really are no great guardrails out there, because the technologies are so new. So everyone's racing to try and solve this problem.
Dave Bittner: Yeah, it really seems like it's hard at this particular moment to balance the excitement and the enthusiasm and the potential versus all of those unknowns that you list.
Darren Williams: Yeah, but I would also counter that by saying that all great technology evolves this way, right? First of all, there was the internet. I mean, everything keeps developing really quickly. So generally, technology races ahead of where we are from a risk and governance perspective. And I think we're in a no different situation, except that I would argue it's actually going faster. I think it was Sam Altman that recently said that this has broken all of Moore's Law, which used to be doubling the CPU technology every 18 months, and is now at nine months. Which is quite phenomenal really, to think that we could actually halve that. And they're getting smarter that quickly. Like, I think it was ChatGPT 5 to 5.2 was twice as smart, and it was like less than nine months. Scary, but the efficiency gains are so great. It's like, can you really run away from this technology? Probably not.
Dave Bittner: Yeah, interesting times, right, Darren?
Darren Williams: Yeah, it's great. It's exciting to be part of it, honestly. So, you know, there are swings and roundabouts with all these things, I guess. But I'm a big believer in it. I think it's changing the world, and I think you're seeing that too. I'm just happy to be part of it and help try and solve some of the problems it introduces.
Dave Bittner: All right, well, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?
Darren Williams: Not on the Steaelite. I think you've covered this pretty well. I just think we're in a really unique opportunity in the world right now, that I think if we can really use these tools responsibly and adapt to them. Because, you know, they're changing entire sectors, right? I mean, unfortunately, for content creators, it's good and bad, right? I mean, all these sorts of industries that we talk about, it's really decimating the very low-level jobs. But on the counter to that, I would like to say that I think it's provided some interesting opportunities for older generation people. Because what is missing now are the critical thinking skills. And I think this is something that we've never valued as highly as we do today. I mean, we've heard about AI slop, and that's coming out really fast and furious. But we've got to actually check it. We've got to validate that information and verify. And I think that's why these older generation people that aren't brought up with technology and are not technology natives have a bit of an advantage right now. So I think it's a really interesting time in the world. [ Music ]
Dave Bittner: Our thanks to Dr. Darren Williams, Founder and CEO of BlackFog, for joining us. The research is titled "Steaelite RAT Enables Double Extortion Attacks from a Single Panel." We'll have links in the Show Notes. And that's Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the Show Notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tre Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
