Microsoft has identified a new, sophisticated remote access trojan (RAT) dubbed StilachiRAT, which employs advanced evasion techniques to remain undetected within target systems. First discovered in November 2024, StilachiRAT is designed to pilfer sensitive information, including browser-stored credentials, cryptocurrency wallet details, clipboard data, and comprehensive system information.
The malware operates by collecting extensive system details such as operating system specifics, BIOS serial numbers, camera availability, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.
This data is gathered using Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces through WMI Query Language (WQL). Notably, StilachiRAT targets a range of cryptocurrency wallet extensions in Google Chrome, including Bitget Wallet, Trust Wallet, TronLink, MetaMask, and others.
In addition to extracting Chrome-stored credentials, StilachiRAT periodically captures clipboard content—potentially including passwords and cryptocurrency wallet information—and monitors RDP sessions by recording foreground window details.
It communicates with a remote command-and-control (C2) server, enabling the execution of various commands such as displaying dialog boxes with HTML content, initiating system shutdowns, managing network connections, launching applications, enumerating open windows, and stealing Chrome passwords.
To evade detection, StilachiRAT exhibits anti-forensic behaviors like clearing event logs and performing continuous checks for analysis tools and sandbox environments, hindering its activation in virtual settings commonly used for malware analysis. The exact method of its delivery remains uncertain, underscoring the importance for organizations to implement robust security measures to defend against such threats.
Source: The Hacker News
Analysis
While the exact delivery mechanism of StilachiRAT has yet to be identified, RATs like StilachiRAT are typically delivered via exploit kits targeting software vulnerabilities and malicious software bundles from unofficial download sites. In November 2024, Field Effect observed the delivery of the AsyncRAT, PureLog Stealer, and XWorm RATs via a phishing email, another common RAT delivery mechanism. In this case, the malicious email was sent to the target’s self-hosted help desk software.
Other delivery techniques include brute-force RDP attacks, drive-by downloads from compromised websites, and USB droppers that install malware when plugged into a system. RATs can also be spread through fake apps or social media links, as well as by exploiting specific software vulnerabilities or bundled within Trojans masquerading as legitimate programs. These methods rely on both social engineering and technical exploits to gain unauthorized access and install the RAT on a victim's system.
Despite StilachiRAT not yet being widely distributed, Microsoft’s decision to proactively disclose its indicators of compromise (IOCs) is great for collective cybersecurity. By identifying and sharing details about StilachiRAT early, Microsoft is giving security teams a head start in recognizing and mitigating potential threats before widespread exploitation occurs.
Proactive threat intelligence like this limits the attack surface and enables security teams to develop detection rules, adjust network monitoring, and block malicious domains or behaviors before a full-scale attack unfolds. Given StilachiRAT’s stealthy nature and ability to evade forensic analysis, early detection is critical to minimizing its potential damage.
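As an added detection example (not code from Microsoft, Field Effect, or the original article), the following Python flags the event-log clearing behaviour described above and raises severity when several log channels on one host are wiped within a short window; the `key=value` record format and the sample records are constructed, while the event IDs are the real Windows ones.

```python
"""Detect Windows event-log clearing, the anti-forensic step attributed to StilachiRAT.
Added example: not code from Microsoft, Field Effect or the article. The
'key=value;...' record format and the sample records are constructed."""
from datetime import datetime

# Real Windows event IDs: Security 1102 = audit log cleared,
# System 104 = an event log file was cleared (Microsoft-Windows-Eventlog).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
WINDOW_S = 60  # clears of several channels within this window raise severity

def parse_record(line):
    """Parse one constructed 'key=value;key=value' record into a dict."""
    return {k.strip(): v.strip() for k, _, v in
            (p.partition("=") for p in line.split(";")) if k.strip()}

def detect_log_clearing(lines):
    """Return alerts: one per log-clearing event, with severity 'high' when
    more than one channel on the same host was cleared within WINDOW_S
    seconds (wiping both Security and System together is the usual pattern)."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        try:
            key = (rec["Channel"], int(rec["EventID"]))
            ts = datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than crash the pipeline
        if key in LOG_CLEARED:
            hits.append({"host": rec.get("Computer", "?"), "channel": key[0],
                         "event_id": key[1], "user": rec.get("SubjectUserName", "?"),
                         "time": ts, "severity": "medium"})
    for h in hits:  # correlate clears on the same host inside the window
        channels = {o["channel"] for o in hits if o["host"] == h["host"]
                    and abs((o["time"] - h["time"]).total_seconds()) <= WINDOW_S}
        if len(channels) > 1:
            h["severity"] = "high"
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    "TimeCreated=2025-03-18T10:02:11Z;Computer=WS01;Channel=Security;EventID=4624;SubjectUserName=alice",
    "TimeCreated=2025-03-18T10:05:40Z;Computer=WS01;Channel=Security;EventID=1102;SubjectUserName=alice",
    "TimeCreated=2025-03-18T10:05:41Z;Computer=WS01;Channel=System;EventID=104;SubjectUserName=alice",
    "TimeCreated=2025-03-18T14:30:00Z;Computer=WS02;Channel=System;EventID=104;SubjectUserName=svc_backup",
    "not a record",
]

if __name__ == "__main__":
    for a in detect_log_clearing(SAMPLE_LOG):
        print(f"{a['severity']:6} {a['host']} {a['channel']}/{a['event_id']} "
              f"by {a['user']} at {a['time']:%H:%M:%S}")
```

A single System/104 from a backup or maintenance account is common noise, which is why only the multi-channel case is escalated; tune WINDOW_S and the account allow-list to the environment.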
Mitigation
Field Effect’s Security Intelligence team constantly monitors the cyber threat landscape for threats related to RATs and other potentially malicious tools. This research contributes to the timely deployment of signatures into Field Effect MDR to detect and mitigate these threats. Field Effect MDR users are automatically notified when threat-related activity is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect portal.