Microsoft Unveils New Remote Access Trojan with Advanced Evasion Techniques
Microsoft has identified a newly discovered remote access trojan (RAT), referred to as StilachiRAT, which utilizes advanced methods to avoid detection, maintain a foothold on affected systems, and extract sensitive information. Although StilachiRAT has not yet been widely adopted, the tech giant has chosen to publicly release indicators of compromise along with mitigation strategies, aiming to assist network defenders in identifying this threat and minimizing its potential damage. As the malware has been observed in only a limited number of cases, Microsoft has not yet linked StilachiRAT to any specific threat actor or geographical location. “In November 2024, our Incident Response team detected a new RAT we named StilachiRAT that showcases sophisticated techniques for evading detection, persisting in target environments, and exfiltrating sensitive data,” Microsoft stated.
StilachiRAT’s Capabilities Highlighted by Microsoft
Analysis of StilachiRAT’s WWStartupCtrl64.dll module, which encompasses the RAT’s functionalities, revealed multiple methods for extracting information from compromised systems. This includes acquiring stored credentials from browsers, digital wallet information, clipboard data, and various system details. Among its notable features, Microsoft pointed out the reconnaissance capabilities of StilachiRAT, which involve gathering system data, such as hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and the ability to run GUI-based applications for profiling targeted systems.
Malware Targets Cryptocurrency Wallets and Sensitive Data
Once it infiltrates a target system, StilachiRAT allows attackers to extract digital wallet information by scanning configurations of various cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, and Bitget Wallet, among others. The malware also taps into saved credentials in the Google Chrome local state file through Windows APIs and monitors clipboard activities for sensitive data, such as passwords and cryptocurrency keys, while keeping track of active windows and applications.
Persistence and Lateral Movement Features of StilachiRAT
Upon execution as either a standalone process or a Windows service, StilachiRAT establishes persistence through the Windows service control manager (SCM). It ensures that it can restart automatically using watchdog threads that keep an eye on the malware’s binaries and recreate them if they become inactive. Additionally, StilachiRAT is capable of monitoring ongoing RDP sessions by gathering data from foreground windows and cloning security tokens to impersonate logged-in users. This capability allows attackers to navigate laterally within a victim’s network after deploying the RAT on RDP servers, which frequently host administrative sessions.
Advanced Evasion and Anti-Forensics Techniques
The RAT is equipped with sophisticated evasion techniques and anti-forensics capabilities, including the ability to erase event logs and detect whether it is operating within a sandbox environment, which could indicate an attempt at malware analysis. Even if it is tricked into executing in a sandbox, StilachiRAT’s Windows API calls are encoded as checksums that are resolved dynamically at runtime, which further complicates analysis.
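The SCM persistence, RDP-session activity and event-log clearing described in the two sections above can be correlated from ordinary host event logs; the following is an added example, not Microsoft's code or indicators, that assumes a constructed key=value record format, the real Windows event IDs 7045, 1102, 104 and 4624, and made-up host names, service names and paths.

```python
"""Added example: correlate constructed Windows event records for the chain this
article attributes to StilachiRAT (SCM persistence, log clearing, RDP sessions).
Not Microsoft's detection logic; the event IDs are real, the records are made up."""
from collections import defaultdict

SERVICE_INSTALLED = 7045   # System 7045: a service was installed
LOG_CLEARED = {1102, 104}  # Security 1102 / System 104: an event log was cleared
LOGON = 4624               # Security 4624: successful logon
RDP_LOGON_TYPE = "10"      # LogonType 10 = RemoteInteractive (RDP)

SAMPLE_EVENTS = r"""
Time=2025-01-01T10:00:00;Host=WS01;EventID=7045;ServiceName=UpdaterSvc;ImagePath=rundll32.exe C:\ProgramData\WWStartupCtrl64.dll,Start
Time=2025-01-01T10:00:05;Host=WS01;EventID=1102;Subject=WS01$
Time=2025-01-01T10:02:00;Host=WS01;EventID=4624;LogonType=10;User=admin
Time=2025-01-01T09:00:00;Host=WS02;EventID=7045;ServiceName=PrintSvc;ImagePath=C:\Windows\System32\spoolsv.exe
Time=2025-01-01T09:30:00;Host=WS02;EventID=4624;LogonType=2;User=bob
""".strip().splitlines()

def parse_event(line):
    """Split one record into a dict; EventID becomes an int."""
    fields = dict(part.split("=", 1) for part in line.split(";") if part)
    fields["EventID"] = int(fields["EventID"])
    return fields

def correlate(lines):
    """Return {host: [reasons]} for hosts that match at least two stages."""
    per_host = defaultdict(list)
    for ev in map(parse_event, lines):
        per_host[ev["Host"]].append(ev)
    findings = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e["Time"])  # ISO timestamps sort as text
        reasons, svc = [], None
        for ev in events:
            eid, path = ev["EventID"], ev.get("ImagePath", "").lower()
            # Heuristic: a new service loading a DLL via a host binary deserves review.
            if eid == SERVICE_INSTALLED and ".dll" in path:
                svc = ev["ImagePath"]
                reasons.append(f"SCM persistence: {svc}")
            elif svc and eid in LOG_CLEARED:
                reasons.append(f"event log cleared after service install (ID {eid})")
            elif svc and eid == LOGON and ev.get("LogonType") == RDP_LOGON_TYPE:
                reasons.append(f"RDP logon by {ev.get('User')} while service present")
        if len(reasons) >= 2:  # a single stage alone is too noisy to alert on
            findings[host] = reasons
    return findings

if __name__ == "__main__":
    for host, why in correlate(SAMPLE_EVENTS).items():
        print(host, *why, sep="\n  ")
```

Run against the constructed records, only WS01 is reported, with all three stages listed in time order.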
Command Execution and Potential Risks
Microsoft noted that StilachiRAT enables command execution and potential SOCKS-like proxying by receiving commands from a command-and-control (C2) server on the infected devices. This functionality allows threat actors to reboot compromised systems, erase logs, steal credentials, launch applications, and manipulate system windows. Other commands are specifically designed to suspend systems, alter Windows registry values, and enumerate open windows.
Preventive Measures Against StilachiRAT Attacks
To mitigate the risks associated with this malware, Microsoft recommends that users download software exclusively from official websites and implement security solutions capable of blocking malicious domains and email attachments.