Microsoft: New RAT malware for crypto theft and reconnaissance

Microsoft discovered a new remote-access trojan (RAT) that uses “sophisticated techniques” to avoid detection, maintain persistence, and extract sensitive information.

Although the malware (dubbed StilachiRAT) has not yet been widely distributed, Microsoft says it decided to publicly share indicators of compromise and mitigation guidance to help network defenders detect and reduce this threat. Microsoft has not yet attributed StilachiRAT to a specific threat actor or associated it with a geolocation, owing to the limited number of StilachiRAT instances seen in the wild.

“In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data,” Microsoft said.

An analysis of StilachiRAT’s WWStartupCtrl64.dll, which contains the RAT’s capabilities, revealed that it uses various methods to steal information such as credentials stored in the browser, digital wallet data, data stored on the clipboard, and system information. Redmond highlighted reconnaissance features such as collecting system data (hardware identifiers and camera presence), enumerating running GUI-based programs to profile targeted systems, and monitoring active Remote Desktop Protocol sessions. Once installed on a compromised system, StilachiRAT can be used by attackers to steal digital wallet data; this includes scanning the configuration of 20 cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, MetaMask, OKX Wallet, Bitget Wallet, and others. The malware can also monitor clipboard activity, using Windows APIs, to find sensitive information such as passwords and cryptocurrency keys.

The RAT, once launched as a standalone Windows process or service, gains and maintains persistence via the Windows Service Control Manager (SCM). It ensures that it gets reinstalled using watchdog threads that monitor the malware’s binary and service and recreate them if they are no longer present or active.

Microsoft said: “For each identified session, it will access the Windows Explorer shell and duplicate its privileges or security token. The malware then gains capabilities to launch applications with these newly obtained privileges.”

The RAT has a number of anti-forensic and detection-evasion features, including the ability to check for signs that it is running in a sandbox and to clear event logs. StilachiRAT’s Windows API calls are also encoded as “checksums that are resolved dynamically at runtime”, which hides the functions it imports from static analysis. Together with the sandbox checks, this is done to slow down analysis.

Microsoft says StilachiRAT also allows command execution, as well as potential SOCKS proxying, using commands sent from the C2 server to the infected device. This can allow the threat actors to reboot the compromised system and clear logs, steal credentials, execute applications, or manipulate system windows. Other commands are designed for
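The behaviours described above (service-based persistence built around WWStartupCtrl64.dll, clearing of event logs, and interest in active RDP sessions) leave traces in standard Windows event logs that a defender can triage. The following Python script is an added example written for this page, not Microsoft's detection logic or anything from the original article: it scans constructed event records for those traces and correlates them per host. The pipe-delimited record format, hostnames, account names, file paths and the rundll32 entry point are constructed assumptions; the event IDs 7045 (service installed), 1102 (audit log cleared) and 4624 with logon type 10 (RemoteInteractive, i.e. RDP) are standard Windows event IDs.

```python
"""Triage scan over constructed Windows event records for StilachiRAT-style
behaviour.  Example code added for this page; not Microsoft's own detection
logic.  Sample records, hosts, paths and account names are constructed."""

import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator from the article: the DLL that carries the RAT's capabilities.
KNOWN_RAT_BINARY = "wwstartupctrl64.dll"

# Directories a normal service binary should rarely live in (assumption).
USER_WRITABLE_DIRS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\")

# Constructed sample records: "EventID|Channel|Host|Message".
# WS-01 shows the suspicious chain; WS-02 shows benign activity.
SAMPLE_EVENTS = [
    "7045|System|WS-01|A service was installed in the system. Service Name: WWStartupCtrl64 "
    "Service File Name: rundll32.exe C:\\Users\\Public\\WWStartupCtrl64.dll,Start "
    "Service Type: user mode service Service Start Type: auto start",
    "7045|System|WS-02|A service was installed in the system. Service Name: PrintHelper "
    "Service File Name: C:\\Windows\\System32\\spoolsv.exe "
    "Service Type: user mode service Service Start Type: demand start",
    "1102|Security|WS-01|The audit log was cleared. Subject: Account Name: jdoe",
    "4624|Security|WS-01|An account was successfully logged on. Logon Type: 10 "
    "Account Name: jdoe Source Network Address: 10.0.0.25",
    "4624|Security|WS-02|An account was successfully logged on. Logon Type: 2 "
    "Account Name: asmith Source Network Address: -",
]

SERVICE_FILE_RE = re.compile(r"Service File Name:\s*(.+?)\s+Service Type:", re.I)
LOGON_TYPE_RE = re.compile(r"Logon Type:\s*(\d+)")


@dataclass
class Finding:
    rule: str
    host: str
    event_id: Optional[int]  # None for correlated (multi-event) findings
    detail: str


def parse_event(line: str) -> dict:
    """Split one constructed record into its four fields."""
    event_id, channel, host, message = line.split("|", 3)
    return {"event_id": int(event_id), "channel": channel, "host": host, "message": message}


def scan_events(lines: List[str]) -> List[Finding]:
    """Apply single-event rules, then correlate per host."""
    findings: List[Finding] = []
    hosts_with_suspicious_service = set()

    for line in lines:
        ev = parse_event(line)
        host, msg = ev["host"], ev["message"]

        if ev["event_id"] == 7045:
            # New service: flag the known module name or a user-writable path.
            m = SERVICE_FILE_RE.search(msg)
            path = (m.group(1) if m else "").lower()
            if KNOWN_RAT_BINARY in path:
                findings.append(Finding("known_rat_binary_service", host, 7045, path))
                hosts_with_suspicious_service.add(host)
            elif any(d in path for d in USER_WRITABLE_DIRS):
                findings.append(Finding("service_from_user_writable_path", host, 7045, path))
                hosts_with_suspicious_service.add(host)

        elif ev["event_id"] == 1102 and ev["channel"] == "Security":
            # The RAT can clear event logs; 1102 survives as the clearing record.
            findings.append(Finding("security_log_cleared", host, 1102, msg))

        elif ev["event_id"] == 4624:
            # Logon type 10 = RemoteInteractive (RDP), the sessions the RAT enumerates.
            m = LOGON_TYPE_RE.search(msg)
            if m and m.group(1) == "10":
                findings.append(Finding("rdp_logon", host, 4624, msg))

    # Correlation: a suspicious service plus a cleared Security log on one host
    # is the combination the article describes (persistence, then anti-forensics).
    for host in sorted(hosts_with_suspicious_service):
        if any(f.rule == "security_log_cleared" and f.host == host for f in findings):
            findings.append(Finding("suspicious_service_then_log_clear", host, None,
                                    "service persistence followed by Security log clearing"))
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.host:6} {f.rule:34} {f.event_id} {f.detail[:60]}")
```

In a real environment the records would come from `wevtutil`, a SIEM export, or Windows Event Forwarding rather than the inline list; the rules stay the same. Note that the 1102 rule only helps if the Security log is forwarded off-host, since the clearing itself is what the RAT uses to hide its earlier activity.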

To reduce the attack surface this malware can use, Microsoft recommends downloading software only from official websites and using security software that can block malicious email attachments and domains.

www.aiobserver.co
