New StilachiRAT Uses Sophisticated Techniques to Avoid Detection

In a recent discovery, Microsoft researchers uncovered a highly sophisticated remote access trojan (RAT) designed for stealth, persistence, and data theft. The malware, dubbed StilachiRAT, has been found to employ advanced evasion methods, making it a formidable threat to users.

Uncovering the StilachiRAT Malware

StilachiRAT was discovered in November 2024, with Microsoft researchers analyzing its WWStartupCtrl64.dll module. The malware's capabilities include stealing credentials from browsers, digital wallet data, clipboard content, and system information. Its reconnaissance routines gather extensive system details, including OS details, device identifiers, BIOS serial numbers, and whether a camera is present.

Evasion Methods and Detection Techniques

The researchers pointed out that StilachiRAT employs several evasion methods to avoid detection. These include:

* Using Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces with WMI Query Language (WQL) to collect system information
* Maintaining persistence through the Windows service control manager (SCM)
* Employing watchdog threads to automatically reinstate itself if removed
* Scanning configuration data from cryptocurrency wallet extensions to steal digital assets

Targets and Attack Vector

StilachiRAT targets multiple cryptocurrency wallet extensions, including Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, and Plug. The malware can extract Chrome's encrypted encryption_key and decrypt it using Windows APIs to access stored credentials.

Communication with the C2 Server

StilachiRAT communicates with a Command and Control (C2) server via obfuscated domains and binary-formatted IPs, using a TCP port chosen at random from 53, 443, and 16000. The malicious code attempts to evade detection by delaying the connection by two hours and terminating if tcpview.exe is present. Upon connection, it sends a list of active windows to the attacker.
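The behaviours in the report summary above (the WWStartupCtrl64.dll module, SCM persistence, the two-hour connection delay, and the 53/443/16000 port set) can be turned into a simple host-telemetry correlation. The following is an added example and not code from the Microsoft report; the event schema, host paths and timestamps are constructed, and the port 443 rule in particular is a heuristic that needs tuning against normal service traffic.

```python
from datetime import datetime, timedelta

# Indicators taken from the report summary; everything else below is constructed.
MODULE_NAME = "wwstartupctrl64.dll"
C2_PORTS = {53, 443, 16000}
BEACON_DELAY = timedelta(hours=2)

# Constructed Sysmon-like events for a hypothetical host (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2025-03-10T08:00:00", "type": "service_install",
     "image": r"C:\ProgramData\Updater\updsvc.exe"},
    {"ts": "2025-03-10T08:00:05", "type": "image_load",
     "image": r"C:\ProgramData\Updater\updsvc.exe",
     "module": r"C:\ProgramData\Updater\WWStartupCtrl64.dll"},
    {"ts": "2025-03-10T08:30:00", "type": "net_connect",
     "image": r"C:\Program Files\Browser\browser.exe", "dst_port": 443},
    {"ts": "2025-03-10T10:05:00", "type": "net_connect",
     "image": r"C:\ProgramData\Updater\updsvc.exe", "dst_port": 16000},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events):
    """Return alert strings for two heuristics: the named module being loaded,
    and a freshly installed service whose first outbound connection goes to a
    port in C2_PORTS two hours or more after the service was installed."""
    alerts = []
    installed = {}   # service image (lower-cased) -> install time
    first_seen = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        img = ev["image"].lower()
        if ev["type"] == "service_install":
            installed[img] = _parse(ev["ts"])
        elif ev["type"] == "image_load" and ev["module"].lower().endswith(MODULE_NAME):
            alerts.append(f"{ev['ts']} {ev['image']} loaded {MODULE_NAME}")
        elif ev["type"] == "net_connect" and img in installed and img not in first_seen:
            first_seen.add(img)  # only the service's first connection is judged
            delay = _parse(ev["ts"]) - installed[img]
            if ev["dst_port"] in C2_PORTS and delay >= BEACON_DELAY:
                alerts.append(f"{ev['ts']} service {ev['image']} first outbound to "
                              f"port {ev['dst_port']} {delay} after install")
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print("ALERT:", alert)
```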

Lateral Movement and System Manipulation

The RAT monitors RDP sessions, tracking the active window and impersonating the session's user, which enables lateral movement. StilachiRAT also executes various C2 commands, including system reboot, log clearing, credential theft, application execution, and registry modifications. It can display dialog boxes, establish or accept network connections, terminate itself, suspend the system, and enumerate open windows.

Google Chrome Password Theft

The malware has a dedicated command to steal Google Chrome passwords, highlighting its cyber espionage and system manipulation capabilities.

Mitigations and Indicators of Compromise (IoCs)

Microsoft has published a report detailing the analysis of StilachiRAT, including mitigations along with indicators of compromise (IoCs). This report serves as an important resource for users seeking to protect themselves against this highly sophisticated malware.

Conclusion

StilachiRAT represents a significant threat to users due to its advanced evasion methods and capabilities. It is essential to stay informed about the latest malware threats and take proactive measures to protect yourself.