New RAT malware used for crypto theft, reconnaissance


​Microsoft has discovered a new remote access trojan (RAT) that employs “sophisticated techniques” to avoid detection, ensure persistence, and extract sensitive information data.

While the malware (dubbed StilachiRAT) hasn’t yet reached widespread distribution, Microsoft says it decided to publicly share indicators of compromise and mitigation guidance to help network defenders detect this threat and reduce its impact.

Due to the limited instances of StilachiRAT being deployed in the wild, Microsoft has yet to attribute this malware to a specific threat actor or associate it with a particular geolocation.

“In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data,” Microsoft said.

“Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information.

Among this new RAT’s features, Redmond highlighted reconnaissance capabilities like collecting system data, including hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications to profile targeted systems.

After being deployed on compromised systems, attackers can use StilachiRAT to siphon digital wallet data by scanning the configuration information of 20 cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet, and others.

The malware also extracts credentials saved in the Google Chrome local state file with the help of Windows APIs and monitors clipboard activity for sensitive information like passwords and cryptocurrency keys while tracking active windows and applications.

Once launched as a standalone process or a Windows service, the RAT gains and maintains persistence via the Windows service control manager (SCM) and ensures it gets reinstalled automatically using watchdog threads that monitor the malware’s binaries and recreate them if they’re no longer active.

StilachiRAT watchdog thread

StilachiRAT can also monitor active RDP sessions by capturing information from foreground windows and cloning security tokens to impersonate logged-in users, which can let the attackers move laterally within a victim’s networks after deploying the RAT malware on RDP servers that often host administrative sessions.

“The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions,” Microsoft said. “For each identified session, it will access the Windows Explorer shell and duplicate its privileges or security token. The malware then gains capabilities to launch applications with these newly obtained privileges.”

The RAT’s capabilities also include extensive detection evasion and anti-forensics features, like the ability to clear event logs and check for signs that it’s running in a sandbox to block malware analysis attempts. Even if tricked into running in a sandbox, StilachiRAT’s Windows API calls are encoded as “checksums that are resolved dynamically at runtime” and further obfuscated to slow down analysis.

Last but not least, Microsoft says StilachiRAT allows command execution and potential SOCKS-like proxying using commands from a command-and-control (C2) server to the infected devices, which can let the threat actors reboot the compromised system, clear logs, steal credentials, execute applications, and manipulate system windows.

Other commands are designed to “suspend the system, modify Windows registry values, and enumerate open windows.”

To reduce the attack surface this malware can use to compromise a targeted system, Microsoft advises downloading software only from official websites and using security software that can block malicious domains and email attachments.

Red Report 2025

Based on an analysis of 14M malicious actions, discover the top 10 MITRE ATT&CK techniques behind 93% of attacks and how to defend against them.



Source link