Discovering StilachiRAT: A Sophisticated Remote Access Trojan
In November 2024, researchers from Microsoft Incident Response identified a new remote access trojan (RAT), referred to as StilachiRAT. The malware uses a range of techniques to evade detection, persist in the target environment, and steal sensitive data. Analysis of the RAT's WWStartupCtrl64.dll module, which contains its core functionality, revealed several data-theft techniques: harvesting credentials saved in the browser, cryptocurrency wallet data, clipboard contents, and system information.
So far, Microsoft has not linked StilachiRAT to any specific threat actor or geographical location. Currently, the malware does not appear to be widely circulated. Nonetheless, owing to its stealthy nature and the rapid evolution in the malware landscape, Microsoft is sharing these insights as part of its initiative to continually observe, analyze, and report on emerging threats.
Microsoft security products detect activity associated with StilachiRAT. To help defenders, Microsoft also provides mitigation guidance, detection details, and hunting queries. How StilachiRAT is delivered is still under investigation; because malware of this kind can arrive through many channels, strong preventive controls are essential to block the initial compromise.
Key Capabilities of StilachiRAT
This blog outlines StilachiRAT’s significant functionalities, including:
- System reconnaissance: Gathers detailed information about the system, such as OS specifics, hardware IDs, camera presence, active Remote Desktop Protocol (RDP) sessions, and open graphical user interface (GUI) applications.
- Digital wallet targeting: Looks for configuration data for 20 different cryptocurrency wallet extensions in Google Chrome.
- Credential theft: Extracts and decrypts usernames and passwords saved in Google Chrome, using the browser's encryption key recovered from its Local State file.
- Command-and-control (C2) communication: Connects to remote C2 servers over TCP port 53, 443, or 16000, chosen at random, and accepts commands for remote execution.
- Command execution: Executes a range of commands received from the C2 server to manipulate the system.
- Persistence mechanisms: Installs itself as a Windows service through the service control manager and runs watchdog threads that restore its files if they are removed.
- RDP monitoring: Monitors RDP sessions and can impersonate logged-on users by duplicating their security tokens, enabling lateral movement across the network.
- Clipboard and data collection: Continuously monitors clipboard contents for sensitive data and tracks active windows and applications.
- Anti-forensics and evasion tactics: Clears Windows event logs and checks for analysis tools and sandbox environments to hinder investigation.
Techniques and Analysis
StilachiRAT performs extensive reconnaissance through Windows Management Instrumentation (WMI) queries, collecting system details, deriving a unique identifier for the infected device from its hardware identifiers, and storing that identifier in the registry. It then targets cryptocurrency wallet extensions installed in Chrome. For credential theft it reads the encryption key from Chrome's Local State file, decrypts that key with Windows DPAPI in the current user's context, and uses it to decrypt the entries stored in the Login Data database under the user's Chrome profile directory.
For command-and-control, StilachiRAT keeps its C2 server addresses obfuscated and decodes them at runtime, picks one of TCP ports 53, 443, or 16000 at random for each connection, and checks for monitoring tools such as tcpview.exe before connecting, so that its traffic is less likely to be observed by an analyst. For persistence it registers itself as a Windows service and runs watchdog threads that monitor its executable and DLL and recreate them if they are deleted, so removing the files without first stopping the running process does not clean the machine.
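The indicators above (the module name, and outbound TCP on ports that ordinary user applications have little reason to use) can be turned into hunting logic over endpoint telemetry. The following is an added example, not code from the Microsoft report or from the malware: the JSON-lines event format, the sample events, the process names, and the rule thresholds are all constructed assumptions, and only the module name WWStartupCtrl64.dll and the port set come from the analysis above. It goes slightly beyond the text by correlating hits per process, since one rule firing alone (a TCP/53 lookup, a connection to 443) is weak evidence on its own.

```python
"""Hunt constructed endpoint telemetry for StilachiRAT-style indicators.

Added example, not code from the Microsoft report. The event format is an
assumption: one JSON object per line with an "event" type ("image_load" or
"network"), the process image path, and for network events the protocol and
remote port. All sample lines below are constructed.
"""
import json

# The module name is from the report; everything else here is an assumption.
SUSPICIOUS_MODULE = "wwstartupctrl64.dll"
# Only the Windows DNS client (hosted in svchost.exe) is expected to speak
# TCP/53 from a workstation; other processes doing so deserve a look.
DNS_CLIENT_IMAGES = {"svchost.exe"}

SAMPLE_EVENTS = r"""
{"event": "image_load", "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe", "module": "C:\\Users\\Public\\WWStartupCtrl64.dll"}
{"event": "image_load", "pid": 880, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "module": "C:\\Windows\\System32\\ntdll.dll"}
{"event": "network", "pid": 4120, "image": "C:\\Windows\\System32\\svchost.exe", "protocol": "tcp", "remote_ip": "203.0.113.10", "remote_port": 16000}
{"event": "network", "pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "protocol": "tcp", "remote_ip": "203.0.113.10", "remote_port": 53}
{"event": "network", "pid": 5532, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "protocol": "tcp", "remote_ip": "203.0.113.10", "remote_port": 443}
{"event": "network", "pid": 1188, "image": "C:\\Windows\\System32\\svchost.exe", "protocol": "udp", "remote_ip": "10.0.0.2", "remote_port": 53}
{"event": "network", "pid": 880, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "protocol": "tcp", "remote_ip": "142.250.72.14", "remote_port": 443}
"""


def _norm(path):
    """Lower-case a Windows path and use forward slashes for easy matching."""
    return path.replace("\\", "/").lower()


def _basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def check_event(ev):
    """Return a list of (rule, detail) hits for one parsed event."""
    hits = []
    image = _basename(ev.get("image", ""))
    image_path = _norm(ev.get("image", ""))

    if ev["event"] == "image_load" and _basename(ev.get("module", "")) == SUSPICIOUS_MODULE:
        hits.append(("known_module_loaded", f"{image} loaded {ev['module']}"))

    if ev["event"] == "network" and ev.get("protocol") == "tcp":
        port = ev.get("remote_port")
        dest = f"{ev.get('remote_ip')}:{port}"
        if port == 16000:
            # Not a well-known service port; flag any outbound use.
            hits.append(("tcp_16000_outbound", f"{image} -> {dest}"))
        elif port == 53 and image not in DNS_CLIENT_IMAGES:
            # TCP DNS from a non-resolver process. Legitimate tools (dig,
            # nslookup, some VPN clients) also do this, so treat as a lead.
            hits.append(("tcp_53_non_resolver", f"{image} -> {dest}"))
        elif port == 443 and "/appdata/local/temp/" in image_path:
            # 443 alone is far too common to flag; only flag it from a
            # binary running out of the user's Temp directory.
            hits.append(("tcp_443_from_temp", f"{image} -> {dest}"))
    return hits


def hunt(lines):
    """Run every rule over a JSON-lines string and return the findings."""
    findings = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule, detail in check_event(ev):
            findings.append({"rule": rule, "pid": ev["pid"], "detail": detail})
    return findings


def correlate(findings):
    """Map PID -> sorted rule names for processes that hit more than one rule."""
    by_pid = {}
    for f in findings:
        by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items() if len(rules) > 1}


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f['rule']}] pid={f['pid']} {f['detail']}")
    print("correlated:", correlate(found))
```

On the constructed sample this yields four individual hits and two correlated processes: the svchost.exe instance that loaded the module and then reached out on port 16000, and the Temp-resident update.exe that used both TCP/53 and 443. The UDP/53 query from the real DNS client and Chrome's 443 traffic produce no hits, which is the point of scoping the rules: in real telemetry the TCP/53 and 443 rules on their own would be noisy, and it is the per-process combination that is worth escalating.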
Mitigation Strategies and Suspicious Activity Detection
To defend against malware like StilachiRAT, install software only from official sources and use a browser with built-in protection such as Microsoft Edge with SmartScreen. Organizations should enable Safe Links and Safe Attachments in Office 365 to protect against phishing messages and malicious links, and turn on network protection in Microsoft Defender for Endpoint to block connections to known malicious domains.
Further measures include enabling tamper protection, running endpoint detection and response in block mode, and monitoring for suspicious process behavior. Because the RAT installs itself as a service and restores its files when they are deleted, defenders should watch for persistence indicators such as unexpected service creation, audit service configurations, and stop the running process and service before removing the binaries.
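The watchdog behaviour described in the analysis section changes how cleanup has to be ordered: deleting the DLL while the process is still running only gets it rewritten. The following is an added example and not StilachiRAT's own code; it is a toy model in Python of a file-restoring watchdog thread (the real malware runs such threads inside its own process and restores both its executable and DLL), using a temporary directory and dummy bytes, written to show why "delete the file" fails and "stop the process, then delete" succeeds. The class and function names are assumptions for the example.

```python
"""Toy model of a self-restoring persistence watchdog and the cleanup order it forces.

Added example, not StilachiRAT code. The watchdog keeps an in-memory copy of
its file and rewrites it whenever the file disappears, which is the behaviour
the analysis describes. The file name reuses the module name from the report;
the contents are dummy bytes.
"""
import os
import tempfile
import threading
import time


class Watchdog:
    """Background thread that recreates `path` from `payload` if it is deleted."""

    def __init__(self, path, payload, interval=0.05):
        self.path = path
        self.payload = payload          # in-memory copy used for restoration
        self.interval = interval        # polling period in seconds (assumption)
        self.restores = 0
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def _write(self):
        with open(self.path, "wb") as fh:
            fh.write(self.payload)

    def _run(self):
        while not self._stop.is_set():
            if not os.path.exists(self.path):
                self._write()
                self.restores += 1
            self._stop.wait(self.interval)

    def start(self):
        self._write()
        self._thread.start()

    def stop(self):
        """Stand-in for terminating the process that hosts the watchdog."""
        self._stop.set()
        self._thread.join()


def naive_cleanup(path, settle=0.3):
    """Delete the file while the watchdog is alive; True if it stayed gone."""
    os.remove(path)
    time.sleep(settle)
    return not os.path.exists(path)


def proper_cleanup(watchdog, path, settle=0.3):
    """Stop the watchdog first (kill the process / stop the service), then delete."""
    watchdog.stop()
    if os.path.exists(path):
        os.remove(path)
    time.sleep(settle)
    return not os.path.exists(path)


def demo():
    """Run both cleanups in order; returns (naive_ok, proper_ok, restore_count)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "WWStartupCtrl64.dll")   # name from the report, dummy contents
    wd = Watchdog(path, b"not a real dll, constructed for the example")
    wd.start()
    naive_ok = naive_cleanup(path)          # expected False: file came back
    proper_ok = proper_cleanup(wd, path)    # expected True: nothing left to restore it
    os.rmdir(workdir)
    return naive_ok, proper_ok, wd.restores


if __name__ == "__main__":
    naive_ok, proper_ok, restores = demo()
    print(f"delete-only removed the file: {naive_ok} (watchdog restored it {restores} time(s))")
    print(f"stop-then-delete removed the file: {proper_ok}")
```

The same ordering applies to the service registration: disable and delete the service entry after the process is stopped, then remove the binaries, then re-check that neither the files nor the service have reappeared. Any remediation that only touches the artefacts on disk while the host process survives will be undone within the watchdog's polling interval.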
Conclusion and Ongoing Research
The discovery of StilachiRAT underscores how quickly the threat landscape continues to evolve. Microsoft continues to monitor these developments and to publish the detection and response guidance its customers need. For the full findings, Microsoft points readers to the related resources and latest security research on its blog.