Microsoft’s Incident Response team has spotted a “sophisticated” new remote access trojan (RAT) dubbed StilachiRAT that compromises targeted systems, steals data and evades detection without raising suspicion.
Unlike traditional malware, StilachiRAT doesn’t just infiltrate systems; it maps and exploits them. It gathers detailed system information, from hardware identifiers to active RDP sessions, BIOS serial numbers, and camera presence. It also collects data on installed software, active applications, and user behaviour, which is then sent to a command-and-control (C2) server.
Targeting Browsers for Credentials, Wallets for Crypto
StilachiRAT specifically hunts for cryptocurrency wallets, scanning 20 different wallet extensions in Google Chrome to steal digital assets. It doesn’t stop there; StilachiRAT also targets sensitive credentials, extracting and decrypting stored usernames and passwords from web browsers.
What makes it even more dangerous is its ability to maintain persistence, cleverly manipulating Windows services to keep control of the infected system long-term, making it harder to detect and remove.
Command-and-Control Connectivity and Remote Execution
According to Microsoft’s blog post, StilachiRAT establishes communication with remote C2 servers using TCP ports 53, 443, or 16000, enabling remote command execution and potentially allowing attackers to move laterally within networks.
The malware supports a range of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension. It also employs anti-forensic tactics, such as clearing event logs and detecting analysis tools, to avoid detection.
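The two behaviours above, C2 traffic on TCP 53/443/16000 and event-log clearing, can be triaged from endpoint telemetry. The script below is an added example written for this article, not Microsoft's detection logic: it runs over constructed sample events (the process names, paths and `DNS_PROCESSES` / `USER_WRITABLE` lists are assumptions, not indicators from the report) and returns a finding for each signal.

```python
"""Triage of constructed endpoint telemetry for StilachiRAT-style behaviour."""
from dataclasses import dataclass

C2_PORTS = {53, 443, 16000}          # TCP ports named in the article
DNS_PROCESSES = {"svchost.exe", "dns.exe"}  # legitimate TCP/53 speakers (assumption)
LOG_CLEARED_IDS = {1102, 104}        # Security / System "log was cleared" events
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")  # assumption

@dataclass
class Finding:
    event: dict
    reason: str

def from_user_writable_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)

def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per event matching a StilachiRAT-style signal."""
    findings = []
    for ev in events:
        if ev["type"] == "net" and ev["proto"] == "tcp" and ev["dport"] in C2_PORTS:
            port, proc = ev["dport"], ev["proc"].lower()
            if port == 16000:
                findings.append(Finding(ev, "tcp/16000 outbound: non-standard port listed for StilachiRAT C2"))
            elif port == 53 and proc not in DNS_PROCESSES:
                findings.append(Finding(ev, f"tcp/53 from {proc}: DNS port used by a non-resolver process"))
            # tcp/443 blends with normal browsing; only flag it from a user-writable path
            elif port == 443 and from_user_writable_dir(ev["path"]):
                findings.append(Finding(ev, f"tcp/443 from {proc} in a user-writable directory"))
        elif ev["type"] == "evt" and ev["id"] in LOG_CLEARED_IDS:
            findings.append(Finding(ev, f"event {ev['id']}: Windows event log cleared"))
    return findings

# Constructed sample telemetry (not real IoCs): one benign and one suspicious process.
SAMPLE_EVENTS = [
    {"type": "net", "proc": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\chrome.exe", "proto": "tcp", "dport": 443},
    {"type": "net", "proc": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "proto": "tcp", "dport": 53},
    {"type": "net", "proc": "updater.exe", "path": r"C:\Users\bob\AppData\Roaming\updater.exe", "proto": "tcp", "dport": 53},
    {"type": "net", "proc": "updater.exe", "path": r"C:\Users\bob\AppData\Roaming\updater.exe", "proto": "tcp", "dport": 16000},
    {"type": "net", "proc": "updater.exe", "path": r"C:\Users\bob\AppData\Roaming\updater.exe", "proto": "tcp", "dport": 443},
    {"type": "evt", "id": 4624, "msg": "successful logon"},
    {"type": "evt", "id": 1102, "msg": "the audit log was cleared"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f.reason, "<-", f.event.get("path") or f.event.get("msg"))
```

DNS over TCP is legitimate for large responses, so the tcp/53 rule is a triage signal to pivot on, not proof of compromise on its own.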
Mitigations and Protections
Microsoft labels StilachiRAT as sophisticated malware. Therefore, to prevent StilachiRAT infections, users are advised to download software from official sources, use web browsers that support SmartScreen, and enable Safe Links and Safe Attachments for Office 365.
Organizations can also implement various hardening guidelines, including enabling tamper protection, running endpoint detection and response in block mode, and configuring investigation and remediation in fully automated mode.
Microsoft Defender XDR customers can refer to a list of applicable detections, including TrojanSpy:Win64/Stilachi.A, and use hunting queries to identify related activity in their networks.