Microsoft recently uncovered StilachiRAT, a highly sophisticated remote access trojan (RAT) designed to evade detection and maintain persistence within compromised systems. The malware specifically targets sensitive data, including credentials stored in web browsers, digital wallet information, clipboard contents, and various system details. It collects extensive information from compromised systems, such as hardware identifiers, BIOS serial numbers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running applications. This information is then exfiltrated to a remote command-and-control (C2) server, which facilitates further malicious activity.
StilachiRAT is particularly dangerous due to its ability to scan for and steal data from up to 20 cryptocurrency wallet extensions installed in the Google Chrome browser.
These wallets include popular options like Coinbase Wallet, Phantom, Trust Wallet, and MetaMask. In addition to wallet data, the trojan extracts saved credentials from the Chrome browser and monitors clipboard content for valuable data such as passwords and cryptocurrency keys. It also has the ability to track active RDP sessions by capturing information from foreground windows and potentially impersonating logged-in users to escalate its access within the network.
The malware is designed to maintain long-term persistence within compromised systems by manipulating Windows services. If the malware is detected and removed, StilachiRAT is capable of automatically reinstalling itself through watchdog threads, ensuring that it continues to function undetected. The RAT communicates with its C2 servers via several TCP ports, allowing attackers to issue commands to the infected devices.
This includes rebooting the system, clearing event logs, manipulating the Windows registry, launching applications, and suspending system operations, making it a versatile tool for both espionage and system manipulation.
StilachiRAT also includes a variety of anti-forensic measures to prevent detection by security professionals and malware analysts. It can clear event logs, check for analysis tools, and dynamically encode its Windows API calls to evade sandbox environments. This makes the malware highly difficult to analyze, increasing the chances that it can remain undetected within a network for extended periods. Despite its stealthy nature, Microsoft has provided indicators of compromise and mitigation advice to help organizations detect and defend against the trojan. As a precautionary measure, Microsoft advises users to download software only from trusted sources and implement security software capable of blocking malicious domains and email attachments.
