
A newly identified remote access Trojan, known as StilachiRAT, is being tracked by Microsoft researchers. This malware exemplifies the growing trend of threat actors integrating diverse malicious functionalities into a single tool to maximize their impact. StilachiRAT is equipped with capabilities for comprehensive system reconnaissance, data collection, cryptocurrency theft, and credential extraction, while also employing techniques to evade detection and maintain persistence on compromised systems.
StilachiRAT: A Versatile Threat
First observed in November 2024, StilachiRAT has not yet seen widespread distribution. However, its stealth features make it a significant threat that enterprise security teams must acknowledge and defend against. Microsoft has emphasized the importance of monitoring the delivery vectors used in these attacks, as the malware can be installed through various means. Implementing robust security-hardening measures is crucial to prevent initial compromise.
Comprehensive Data Collection
StilachiRAT acts as a Swiss Army knife for cybercriminals, capable of gathering extensive data such as operating system details, hardware identifiers, BIOS serial numbers, camera presence, and active remote desktop protocol (RDP) sessions. The malware is also designed for credential theft, extracting and decrypting usernames and passwords stored in Google Chrome. It targets cryptocurrency assets by scanning up to 20 wallet extensions within the Chrome browser, including Coinbase, Fractal, Phantom, Manta, and Bitget.
- Credential Theft: Extracts and decrypts stored usernames and passwords.
- Cryptocurrency Targeting: Scans for multiple wallet extensions in Chrome.
Stealth and Persistence
StilachiRAT is adept at avoiding detection. It communicates with its command-and-control (C2) servers over commonly used TCP ports such as 53 and 443, which are normally associated with DNS and HTTPS traffic, respectively. Malware often uses these ports because traffic on them blends in with legitimate activity, making it easier to conceal C2 communication and receive commands. Through this channel StilachiRAT can execute commands such as system reboots, registry manipulation, log clearing, and deploying additional malicious payloads.
Advanced Evasion Techniques
The malware employs a dual deployment strategy for persistence, operating either as a Windows service or as a standalone component, with self-protection mechanisms integrated into both configurations. A watchdog thread monitors the presence of the executable and dynamic link library (DLL) files used by the malware and recreates them if they are absent. If the Windows service is disabled or removed, StilachiRAT can reconstruct it by manipulating registry entries and using the Service Control Manager (SCM) to restart the service.
- Command-and-Control Communication: Uses common ports to hide activity.
- Persistence Mechanisms: Dual deployment as a service or standalone component.
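The two behaviours above (C2 over ports that normally carry DNS or HTTPS, and a service that keeps coming back after removal) both leave traces in ordinary telemetry. As an added illustration, not code from Microsoft's report or from the original article, the following Python script runs two simple heuristics over constructed sample records: Zeek-style connection records where the destination port is 53 or 443 but the parsed service is not DNS or TLS and the flow is long-lived or bulky, and Windows System log entries where the same service name is installed (Event ID 7045) repeatedly within a short window. All IP addresses, timestamps, the service name and the thresholds are constructed for the example, and the field names are an assumption about the shape of the telemetry an environment collects.

```python
"""Defensive heuristics for two StilachiRAT-style behaviours:
1. C2 traffic hiding on ports 53/443 without carrying DNS/TLS.
2. A Windows service that is re-installed repeatedly (self-reinstatement).
All sample data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection records, loosely following Zeek conn.log fields.
# "service" is what the sensor identified on the wire ("-" = unknown).
CONN_LOG = [
    {"ts": "2025-03-10T09:00:01", "src": "10.0.0.12", "dst": "203.0.113.7",
     "dport": 53, "proto": "udp", "service": "dns", "duration": 0.02, "orig_bytes": 61},
    {"ts": "2025-03-10T09:00:05", "src": "10.0.0.12", "dst": "203.0.113.9",
     "dport": 53, "proto": "tcp", "service": "-", "duration": 845.0, "orig_bytes": 52340},
    {"ts": "2025-03-10T09:01:10", "src": "10.0.0.12", "dst": "203.0.113.9",
     "dport": 443, "proto": "tcp", "service": "-", "duration": 1200.0, "orig_bytes": 91000},
    {"ts": "2025-03-10T09:02:00", "src": "10.0.0.12", "dst": "198.51.100.4",
     "dport": 443, "proto": "tcp", "service": "ssl", "duration": 3.1, "orig_bytes": 4100},
]

# Constructed Windows System log events. Event ID 7045 is logged by the
# Service Control Manager when a service is installed. The service name
# and image path are placeholders, not indicators from the report.
SYSTEM_EVENTS = [
    {"ts": "2025-03-10T08:55:00", "event_id": 7045, "service": "ExampleUpdaterSvc",
     "image": r"C:\Users\Public\placeholder.exe"},
    {"ts": "2025-03-10T09:10:00", "event_id": 7045, "service": "ExampleUpdaterSvc",
     "image": r"C:\Users\Public\placeholder.exe"},
    {"ts": "2025-03-10T09:30:00", "event_id": 7045, "service": "ExampleUpdaterSvc",
     "image": r"C:\Users\Public\placeholder.exe"},
    {"ts": "2025-03-10T10:00:00", "event_id": 7045, "service": "LegitBackupAgent",
     "image": r"C:\Program Files\Backup\agent.exe"},
]

# What a sensor would normally label traffic on these ports as.
EXPECTED_SERVICE = {53: {"dns"}, 443: {"ssl", "http"}}


def flag_port_mismatch(records, min_bytes=10_000, min_duration=300.0):
    """Return flows on 53/443 whose payload was not recognised as the expected
    protocol AND that are either long-lived or carry a lot of client bytes.
    The size/duration gate filters out short failed probes."""
    hits = []
    for r in records:
        expected = EXPECTED_SERVICE.get(r["dport"])
        if expected is None or r["service"] in expected:
            continue
        if r["orig_bytes"] >= min_bytes or r["duration"] >= min_duration:
            hits.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                         "dport": r["dport"], "reason": "non-%s traffic on port %d"
                         % ("/".join(sorted(expected)), r["dport"])})
    return hits


def flag_service_reinstalls(events, window_hours=24, threshold=2):
    """Group Event ID 7045 by service name and flag any name installed
    `threshold` or more times inside a sliding window. A legitimate
    installer rarely re-creates the same service several times a day."""
    installs = defaultdict(list)
    for e in events:
        if e["event_id"] == 7045:
            installs[e["service"]].append(datetime.fromisoformat(e["ts"]))
    window = timedelta(hours=window_hours)
    hits = []
    for name, times in installs.items():
        times.sort()
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= window)
            if count >= threshold:
                hits.append({"service": name, "installs": count,
                             "first": t0.isoformat()})
                break  # one alert per service name is enough
    return hits


def run_detections(conn_log=CONN_LOG, system_events=SYSTEM_EVENTS):
    """Run both heuristics and return their findings together."""
    return {"c2_port_abuse": flag_port_mismatch(conn_log),
            "service_reinstall": flag_service_reinstalls(system_events)}


if __name__ == "__main__":
    for category, findings in run_detections().items():
        print(category)
        for f in findings:
            print("  ", f)
```

Both rules are deliberately loose: the port rule will also catch benign applications that speak a custom protocol on 443, and the service rule will fire on a noisy installer, so in practice the output is a triage queue rather than a verdict. The useful property is that a RAT that re-creates its own service after removal, or that tunnels C2 over TCP/53 without speaking DNS, cannot avoid producing exactly the records these rules look at.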
Implications for Cybersecurity
StilachiRAT highlights the increasing sophistication of remote access Trojans, which now incorporate a wide range of malicious capabilities within a single deployment package. This trend presents significant challenges for security defenders, as these tools combine various attack vectors and persistence mechanisms. The malware's ability to steal extensive data and maintain persistence, such as using watchdog threads for self-reinstatement, poses a considerable threat to cybersecurity.
Recommendations for Defense
To protect against threats like StilachiRAT, Microsoft recommends several measures. These include enabling Safe Links and Safe Attachments for Office 365 to guard against malicious links and attachments, running endpoint detection and response mechanisms in block mode, turning on protections in Microsoft Defender against potentially unwanted applications (PUAs), and using web browsers that support automatic identification and blocking of malicious websites.
- Enable Safe Links and Attachments: Protects against phishing and malicious links.
- Use Endpoint Detection: Run in block mode for enhanced security.