New StilachiRAT uses sophisticated techniques to avoid detection

Microsoft discovered a new remote access trojan (RAT), dubbed StilachiRAT, that uses sophisticated techniques to avoid detection.

In November 2024, Microsoft researchers discovered StilachiRAT, a sophisticated remote access trojan (RAT) designed for stealth, persistence, and data theft. Analysis of its WWStartupCtrl64.dll module revealed that the malware supports sophisticated functionalities to steal credentials from browsers, digital wallet data, clipboard content, and system information. The researchers pointed out that StilachiRAT employs advanced evasion methods.

Microsoft has not yet attributed the malware to a specific threat actor or region; however, the IT giant believes that it was not widespread at this time.

“StilachiRAT gathers extensive system information, including OS details, device identifiers, BIOS serial numbers, and camera presence.” reads the analysis published by Microsoft. “Information is collected through the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL).”

The RAT maintains persistence through the Windows service control manager (SCM) and employs watchdog threads to automatically reinstate itself if removed.

Once deployed, StilachiRAT scans the configuration data of the following cryptocurrency wallet extensions in order to steal digital assets: Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, Plug.

StilachiRAT extracts Chrome’s encrypted encryption_key and decrypts it using Windows APIs to access stored credentials. It retrieves login data from Chrome’s SQLite databases and sends it to the attacker. The malware communicates with its C2 server via obfuscated domains and binary-formatted IP addresses, over one of TCP ports 53, 443, or 16000, chosen at random. To evade detection, the malicious code delays the initial connection by two hours and terminates if tcpview.exe is running. Upon connection, it sends a list of active windows to the attacker.

The RAT monitors RDP sessions for active windows and user impersonation, enabling lateral movement.

StilachiRAT evades detection by clearing logs, checking for analysis tools, and obfuscating Windows API calls. It encodes API names as checksums, dynamically resolving them at runtime while using XOR-masked lookup tables to hinder analysis.

The RAT executes various C2 commands, including system reboot, log clearing, credential theft, application execution, and registry modifications. It can display dialog boxes, establish or accept network connections, terminate itself, suspend the system, and enumerate open windows. Additionally, the malware has a dedicated command to steal Google Chrome passwords, highlighting its cyber espionage and system manipulation capabilities.
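As an added illustration (not code from Microsoft's report or from this article), the following Python triage helper correlates constructed Sysmon-style events against the behaviours described above: loading WWStartupCtrl64.dll, SCM-based persistence, outbound TCP on ports 53, 443 or 16000, and log clearing. The event shapes, host paths, pids and service name are assumptions.

```python
"""Added triage example: correlate constructed endpoint events against behaviours
the article attributes to StilachiRAT. Event shapes are an assumption, not a
real Sysmon schema; the module name and ports come from the article."""

MODULE = "wwstartupctrl64.dll"       # module name from the report
C2_PORTS = {53, 443, 16000}          # C2 ports listed in the article

# Constructed sample events (hypothetical pids, paths and service name).
EVENTS = [
    {"type": "image_load", "pid": 4120, "image": r"C:\Windows\svchost.exe",
     "loaded": r"C:\ProgramData\WWStartupCtrl64.dll"},
    {"type": "service_install", "name": "WWStartup",
     "image_path": r"rundll32.exe C:\ProgramData\WWStartupCtrl64.dll,Entry"},
    {"type": "network", "pid": 4120, "proto": "tcp", "dst_port": 16000},
    {"type": "network", "pid": 900, "proto": "tcp", "dst_port": 443},   # benign browser
    {"type": "log_cleared", "pid": 4120, "channel": "Security"},
]


def triage(events):
    """Return (rule, detail) findings; each rule maps to a behaviour in the article."""
    findings = []
    suspects = set()   # pids that loaded the module; used to correlate later events
    for ev in events:
        t = ev["type"]
        if t == "image_load" and ev["loaded"].lower().endswith(MODULE):
            suspects.add(ev["pid"])
            findings.append(("module_load", f"pid {ev['pid']} loaded {ev['loaded']}"))
        elif t == "service_install" and MODULE in ev["image_path"].lower():
            # Persistence through the service control manager (SCM).
            findings.append(("scm_persistence", f"service {ev['name']} -> {ev['image_path']}"))
        elif t == "network" and ev["proto"] == "tcp" and ev["dst_port"] in C2_PORTS:
            # 53 and 443 are too noisy alone; flag them only from a suspect process.
            # 16000 is unusual enough to flag on its own.
            if ev["pid"] in suspects or ev["dst_port"] == 16000:
                findings.append(("c2_port", f"pid {ev['pid']} -> tcp/{ev['dst_port']}"))
        elif t == "log_cleared" and ev["pid"] in suspects:
            findings.append(("log_clearing", f"pid {ev['pid']} cleared {ev['channel']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(EVENTS):
        print(f"[{rule}] {detail}")
```

Real deployments would key on the published IoCs and on process ancestry rather than a port list alone, since ports 53 and 443 are used by nearly every host.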

The report includes mitigations along with indicators of compromise (IoCs).

Pierluigi Paganini

(SecurityAffairs – hacking, malware)