
Microsoft Warns of StilachiRAT Threat Stealing Remote Desktop Protocol Session Data


Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which has been discovered to possess sophisticated capabilities for evading detection and stealing sensitive data.

This malware was identified by Microsoft Incident Response researchers in November 2024 and is notable for its ability to target Remote Desktop Protocol (RDP) sessions, among other functionalities.

Key Capabilities of StilachiRAT

StilachiRAT is designed to gather comprehensive system information, including details about the operating system, hardware identifiers, and active RDP sessions.

It also targets digital wallets by scanning for specific cryptocurrency wallet extensions in Google Chrome, such as MetaMask and Trust Wallet.

The malware can extract and decrypt saved credentials from Google Chrome, allowing access to usernames and passwords stored in the browser.

[Figure: Display a message box]

Additionally, it establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, enabling remote command execution and potentially SOCKS-like proxying.

StilachiRAT achieves persistence through the Windows service control manager (SCM) and employs watchdog threads to ensure self-reinstatement if removed.

It monitors RDP sessions by capturing active window information and impersonating users, which could enable lateral movement within networks.

The malware continuously monitors clipboard content, searching for sensitive data like passwords and cryptocurrency keys.

It also employs anti-forensic tactics by clearing event logs and detecting analysis tools to avoid detection.

[Figure: Example of a unique ID stored in the registry]

Mitigation and Detection

According to the report, Microsoft security solutions can detect activities related to StilachiRAT attacks.

To protect networks, Microsoft advises implementing security hardening measures to prevent initial compromise.

This includes downloading software only from official sources and using browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.

Additionally, enabling features like Safe Links and Safe Attachments in Office 365 can help block malicious links used in phishing attacks.

While StilachiRAT is not currently widespread, its stealth capabilities and rapid evolution in the malware ecosystem make it a significant threat that requires vigilance from defenders.
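The behaviours listed above (service-based persistence, event-log clearing, and C2 over TCP 53, 443 or 16000) each leave a trace in standard Windows telemetry. The following triage script is an added example, not code from the report or from Microsoft; it maps constructed Sysmon / Windows event records to those behaviours and escalates a host only when several distinct ones coincide. The field names, the approved-resolver list and the hostnames are assumptions.

```python
from collections import defaultdict

# Constructed sample events in a simplified JSON-like shape (not real telemetry).
# Assumed fields: host, log, event_id, plus per-event details.
SAMPLE_EVENTS = [
    {"host": "ws01", "log": "System", "event_id": 7045, "service": "UpdaterSvc (constructed)"},
    {"host": "ws01", "log": "Security", "event_id": 1102},
    {"host": "ws01", "log": "Sysmon", "event_id": 3, "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 16000},
    {"host": "ws01", "log": "Sysmon", "event_id": 3, "proto": "tcp", "dst_ip": "203.0.113.10", "dst_port": 53},
    {"host": "ws02", "log": "Sysmon", "event_id": 3, "proto": "tcp", "dst_ip": "198.51.100.5", "dst_port": 443},
    {"host": "ws02", "log": "Sysmon", "event_id": 3, "proto": "udp", "dst_ip": "10.0.0.53", "dst_port": 53},
]

APPROVED_DNS = {"10.0.0.53"}  # assumed internal resolvers; TCP/53 to anything else is suspicious
UNUSUAL_C2_PORTS = {16000}    # port named in the report that no sanctioned app is expected to use
# TCP/443 alone is far too common to flag; it only matters in combination with other findings.

def classify(ev):
    """Map one event to a StilachiRAT behaviour described in the report, or None."""
    eid, log = ev.get("event_id"), ev.get("log")
    if log == "System" and eid == 7045:                      # SCM: new service installed
        return "persistence: new service registered via SCM"
    if (log == "Security" and eid == 1102) or (log == "System" and eid == 104):
        return "anti-forensics: event log cleared"           # Security / System log cleared
    if log == "Sysmon" and eid == 3 and ev.get("proto") == "tcp":   # Sysmon network connection
        port, ip = ev.get("dst_port"), ev.get("dst_ip")
        if port in UNUSUAL_C2_PORTS:
            return f"c2: outbound tcp/{port} to {ip}"
        if port == 53 and ip not in APPROVED_DNS:
            return f"c2: tcp/53 to non-resolver {ip}"
    return None

def triage(events, min_categories=2):
    """Collect findings per host; escalate hosts showing >= min_categories distinct behaviours."""
    findings = defaultdict(list)
    for ev in events:
        reason = classify(ev)
        if reason:
            findings[ev["host"]].append(reason)
    escalated = {
        host for host, reasons in findings.items()
        if len({r.split(":")[0] for r in reasons}) >= min_categories
    }
    return dict(findings), escalated

if __name__ == "__main__":
    found, hosts = triage(SAMPLE_EVENTS)
    for host in sorted(hosts):
        print(host, "->", "; ".join(found[host]))
```

Requiring two independent behaviour categories keeps a lone service install or a single log-clear event from paging anyone, while the combination the report describes still surfaces.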
