Last but not least, Microsoft says StilachiRAT allows command execution and potential SOCKS-like proxying using commands from a command-and-control (C2) server to the infected devices, which can let the threat actors reboot the compromised system, clear logs, steal credentials, execute applications, and manipulate system windows. StilachiRAT can also monitor active RDP sessions by capturing information from foreground windows and cloning security tokens to impersonate logged-in users, which can let the attackers move laterally within a victim's networks after deploying the RAT malware on RDP servers that often host administrative sessions. "Analysis of the StilachiRAT's WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information. The malware also extracts credentials saved in the Google Chrome local state file with the help of Windows APIs and monitors clipboard activity for sensitive information like passwords and cryptocurrency keys while tracking active windows and applications. "In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data," Microsoft said. After being deployed on compromised systems, attackers can use StilachiRAT to siphon digital wallet data by scanning the configuration information of 20 cryptocurrency wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet, and others. Among this new RAT's features, Redmond highlighted reconnaissance capabilities like collecting system data, including hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications to profile targeted systems. To reduce the attack surface this malware can use to compromise a targeted system, Microsoft advises downloading software only from official websites and using security software that can block malicious domains and email attachments. Once launched as a standalone process or a Windows service, the RAT gains and maintains persistence via the Windows service control manager (SCM) and ensures it gets reinstalled automatically using watchdog threads that monitor the malware's binaries and recreate them if they're no longer active. Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive information data. While the malware (dubbed StilachiRAT) hasn't yet reached widespread distribution, Microsoft says it decided to publicly share indicators of compromise and mitigation guidance to help network defenders detect this threat and reduce its impact. The RAT's capabilities also include extensive detection evasion and anti-forensics features, like the ability to clear event logs and check for signs that it's running in a sandbox to block malware analysis attempts. Due to the limited instances of StilachiRAT being deployed in the wild, Microsoft has yet to attribute this malware to a specific threat actor or associate it with a particular geolocation. "The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions," Microsoft said.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Mon, 17 Mar 2025 19:00:13 +0000