
Microsoft security researchers have identified a new remote access trojan (RAT) named StilachiRAT, which exhibits advanced evasion techniques and data exfiltration capabilities.
The malware, discovered in November 2024, can steal credentials, monitor Remote Desktop Protocol (RDP) sessions, and extract cryptocurrency wallet information, posing a significant threat to targeted systems.
The Microsoft Incident Response team uncovered StilachiRAT during an investigation into suspicious activity in late 2024. The malware operates through WWStartupCtrl64.dll, a module responsible for executing its malicious functions. Despite its advanced persistence mechanisms and stealthy operations, Microsoft has not yet linked it to a known threat actor or geographical origin.
Currently, there is no evidence of widespread distribution, but given its capabilities and adaptability, Microsoft is closely monitoring its activity. StilachiRAT establishes command-and-control (C2) communication over TCP ports 53, 443, and 16000, allowing attackers to remotely control infected systems. It also delays its initial network connection by two hours, likely to evade detection by security software.
StilachiRAT's extensive capabilities
StilachiRAT is designed to perform a variety of malicious actions, including:
- System reconnaissance: Collects OS details, hardware identifiers, camera presence, RDP sessions, and active applications.
- Credential theft: Extracts and decrypts saved passwords from Google Chrome by accessing encrypted master keys.
- Cryptocurrency wallet targeting: Scans for and exfiltrates data from 20 different Chrome-based crypto wallet extensions, including MetaMask, Trust Wallet, Coinbase Wallet, and TronLink.
- RDP monitoring: Captures active window information and impersonates users to enable lateral movement.
- Clipboard monitoring and data collection: Continuously scans clipboard data for sensitive information, including cryptocurrency keys and passwords.
- Persistence mechanisms: Uses Windows Service Control Manager (SCM) and watchdog threads to reinstate itself if removed.
- Anti-forensics techniques: Clears event logs, detects analysis tools, and employs sandbox evasion tactics.
StilachiRAT primarily focuses on stealing financial and credential data, making it particularly dangerous for individuals and organizations dealing with cryptocurrency transactions and sensitive online accounts. The malware's ability to monitor RDP sessions and impersonate users also raises concerns about its potential use for corporate espionage or internal system breaches.
Its ability to launch system commands remotely, such as restarting the system, executing applications, clearing logs, and modifying registry values, indicates a high degree of attacker control.
Mitigation recommendations
To protect against StilachiRAT and similar threats, Microsoft recommends avoiding software downloads from obscure websites that promote installers of premium applications. It also recommends enabling SmartScreen and Safe Links in Microsoft Edge and Office 365 to block malicious sites and phishing attempts, and turning on network protection in Microsoft Defender for Endpoint to prevent access to known malicious domains.
Microsoft also recommends monitoring network traffic for unusual outbound connections to TCP ports 53, 443, and 16000, which StilachiRAT uses, and checking for suspicious Windows services by auditing Event ID 7045 (new service installed) and Event ID 7040 (service settings modified). Anti-forensic behavior like event log clearing activities (Event ID 1102 and Event ID 104) should also be treated as red flags.