
Microsoft Incident Response researchers have discovered a novel remote access trojan (RAT) named StilachiRAT, demonstrating advanced techniques to evade detection, persist in target environments, and exfiltrate sensitive data.
Analysis of StilachiRAT’s capabilities reveals a wide range of malicious functionalities, including:

- System Reconnaissance: StilachiRAT collects comprehensive system information, such as OS details, hardware identifiers, and active RDP sessions, enabling detailed profiling of the target system. “Collects comprehensive system information, including operating system (OS) details, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications, allowing detailed profiling of the target system.”
- Digital Wallet Targeting: The malware scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser. “Scans for configuration data of 20 different cryptocurrency wallet extensions for the Google Chrome browser.”
- Credential Theft: StilachiRAT extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser. “Extracts and decrypts saved credentials from Google Chrome, gaining access to usernames and passwords stored in the browser.”
- Command-and-Control (C2) Connectivity: The RAT establishes communication with remote C2 servers using TCP ports 53, 443, or 16000, enabling remote command execution. “Establishes communication with remote C2 servers using TCP ports 53, 443, or 16000, enabling remote command execution and potentially SOCKS like proxying.”
- Command Execution: StilachiRAT supports a variety of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension. “Supports a variety of commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension.”
- Persistence Mechanisms: The malware achieves persistence through the Windows service control manager (SCM) and uses watchdog threads to ensure self-reinstatement if removed. “Achieves persistence through the Windows service control manager (SCM) and uses watchdog threads to ensure self-reinstatement if removed.”
- RDP Monitoring: StilachiRAT monitors RDP sessions, capturing active window information and impersonating users, allowing for potential lateral movement within networks. “Monitors RDP sessions, capturing active window information and impersonating users, allowing for potential lateral movement within networks.”
- Clipboard and Data Collection: The malware continuously monitors clipboard content, actively searching for sensitive data like passwords and cryptocurrency keys, while tracking active windows and applications. “Continuously monitors clipboard content, actively searching for sensitive data like passwords and cryptocurrency keys, while tracking active windows and applications.”
- Anti-Forensics and Evasion: StilachiRAT employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading behaviors to avoid detection. “Employs anti-forensic tactics by clearing event logs, detecting analysis tools, and implementing sandbox-evading behaviors to avoid detection.”
StilachiRAT gathers extensive system information using WMI queries. The malware derives a unique identifier for the infected device from the system’s serial number and the attackers’ public RSA key, and stores it in the registry.
The RAT targets specific cryptocurrency wallet extensions for the Google Chrome browser by reading the extension settings stored under the registry key \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings.
To steal credentials, StilachiRAT extracts Google Chrome’s encryption_key from the Local State file in the user’s profile directory and uses Windows APIs to decrypt the master key, which gives it access to the credentials stored in the browser’s password vault.
StilachiRAT uses two configured addresses for its C2 server, with one stored in obfuscated form and the other as a binary format IP address. The communication channel is established using TCP ports 53, 443, or 16000, selected randomly. The malware also employs anti-detection techniques such as delaying the initial connection by two hours.
StilachiRAT can be launched as a Windows service or a standalone component, with mechanisms in place to ensure its persistence. The malware uses a watchdog thread to monitor the presence of EXE and DLL files and can recreate them if absent.
The RAT exhibits anti-forensic behavior by clearing event logs, checking for analysis tools, and implementing sandbox-evading behaviors. It also employs API-level obfuscation techniques to impede manual analysis, such as concealing its use of Windows APIs.
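The behaviours described above (SCM persistence from a non-standard path, reads of Chrome’s extension preference key by something other than Chrome, TCP connections on ports 53, 443 or 16000, and event-log clearing) can be turned into a simple host-level hunting heuristic. The following is an added illustration, not code from Microsoft or from the report; the JSON telemetry lines, file paths and the rule names are constructed for the example, and the trusted-directory and resolver-process lists are assumptions a team would tune to its own environment.

```python
import json

# Constructed sample telemetry (not from the report): one JSON event per line,
# loosely modelled on Sysmon-style fields. Paths and hosts are placeholders.
SAMPLE_LOG = r'''
{"host":"ws01","event":"ServiceInstalled","image":"C:\\ProgramData\\upd\\updater.exe"}
{"host":"ws01","event":"RegistryAccess","image":"C:\\ProgramData\\upd\\updater.exe","key":"HKCU\\SOFTWARE\\Google\\Chrome\\PreferenceMACs\\Default\\extensions.settings"}
{"host":"ws01","event":"NetworkConnect","image":"C:\\ProgramData\\upd\\updater.exe","proto":"tcp","dst_port":16000}
{"host":"ws01","event":"LogCleared","image":"C:\\ProgramData\\upd\\updater.exe","log":"Security"}
{"host":"ws02","event":"RegistryAccess","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","key":"HKCU\\SOFTWARE\\Google\\Chrome\\PreferenceMACs\\Default\\extensions.settings"}
{"host":"ws02","event":"NetworkConnect","image":"C:\\Windows\\System32\\svchost.exe","proto":"tcp","dst_port":53}
{"host":"ws02","event":"NetworkConnect","image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","proto":"tcp","dst_port":443}
'''

C2_PORTS = {53, 443, 16000}  # the TCP ports named in the report
CHROME_EXT_KEY = r"\SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")   # assumption: tune per estate
RESOLVER_IMAGES = {"svchost.exe", "dns.exe"}            # assumed legitimate TCP/53 users

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a finding label for one event, or None if it looks benign."""
    image = ev.get("image", "")
    name = basename(image)
    trusted = image.lower().startswith(TRUSTED_DIRS)
    kind = ev["event"]
    if kind == "LogCleared":
        return "event-log-cleared"
    if kind == "ServiceInstalled" and not trusted:
        return "service-from-untrusted-path"
    if kind == "RegistryAccess" and name != "chrome.exe" \
            and ev.get("key", "").lower().endswith(CHROME_EXT_KEY.lower()):
        return "chrome-extension-prefs-read-by-non-chrome"
    if kind == "NetworkConnect" and ev.get("proto") == "tcp" and ev.get("dst_port") in C2_PORTS:
        port = ev["dst_port"]
        # 16000 is unusual on its own; 53 and 443 are only odd for the wrong process
        if port == 16000 or (port == 53 and name not in RESOLVER_IMAGES) \
                or (port == 443 and not trusted):
            return f"suspicious-tcp-{port}"
    return None

def hunt(log_text):
    """Group findings per host and report a host only when two or more distinct
    signals fire, so a single noisy hit does not page anyone."""
    findings = {}
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        label = check_event(ev)
        if label:
            findings.setdefault(ev["host"], set()).add(label)
    return {h: sorted(s) for h, s in findings.items() if len(s) >= 2}
```

Run over the embedded sample, `hunt(SAMPLE_LOG)` reports ws01 with all four signals and stays silent on ws02, where Chrome reads its own key and the resolver uses port 53.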
StilachiRAT can execute various commands received from the C2 server, including:

- Displaying dialog boxes with HTML content.
- Clearing event logs.
- Rebooting the system.
- Establishing new outbound network connections.
- Accepting incoming network connections.
- Terminating connections and disabling the Windows service.
- Initiating applications.
- Enumerating windows to access specific GUI applications.
- Suspending the system.
- Stealing Chrome credentials.
Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Microsoft is sharing mitigation guidance, detection details, and hunting queries to help defenders protect their networks and recommends implementing security hardening measures to prevent initial compromise.