
Microsoft has identified a new remote access trojan (RAT) known as StilachiRAT, which employs advanced methods to evade detection, maintain persistence, and extract sensitive information. Although the malware has not yet achieved widespread distribution, Microsoft has released indicators of compromise and mitigation strategies to assist network defenders in detecting and reducing its impact.
At present, there are few recorded instances of StilachiRAT being deployed, and Microsoft has not linked the malware to any specific threat actor or geographical location.
“In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data,” said Redmond.
The capabilities of StilachiRAT include reconnaissance functions that allow it to gather system information, such as hardware identifiers, the presence of connected cameras, active Remote Desktop Protocol (RDP) sessions, and details about running applications to build a profile of affected systems.
Malware targets cryptocurrency wallets and system credentials
Following deployment on compromised devices, the RAT can acquire data related to digital wallets by scanning the configuration information of cryptocurrency wallet extensions, including Bitget Wallet (formerly BitKeep), Trust Wallet, TronLink, MetaMask (Ethereum), TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, Braavos – Starknet Wallet, Coinbase Wallet, Leap Cosmos Wallet, Manta Wallet, Keplr, Phantom, Compass Wallet for Sei, Math Wallet, Fractal Wallet, Station Wallet, ConfluxPortal, and Plug.
Additionally, StilachiRAT can extract credentials saved in the Google Chrome local state file by leveraging Windows APIs. It also monitors clipboard activity for sensitive information such as passwords and cryptocurrency keys while tracking the state of active applications and windows.
To ensure persistence, the RAT can run either as a standalone process or as a Windows service. It uses the Windows service control manager (SCM) to reinstall itself, with watchdog threads that monitor its binaries and recreate them if they are removed or stop running.
“The malware obtains the current session and actively launches foreground windows as well as enumerates all other RDP sessions,” said Microsoft.
StilachiRAT has been designed with evasion and anti-forensics capabilities. It can erase event logs and check whether it is being executed in a sandbox environment in order to hinder analysis. Even when it is run inside a sandbox, analysis is hindered further because the RAT’s Windows API calls are encoded as checksums that are resolved dynamically at runtime.
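As an added defender-side example, not taken from Microsoft's report or the malware itself, the following Python flags two behaviours described above, SCM-based service reinstallation by watchdog threads and event-log clearing, in Windows event records. The event records and the service name UpdSvc are constructed for illustration.

```python
"""Detection sketch for the persistence and anti-forensics behaviour the
article attributes to StilachiRAT: a service being reinstalled via the SCM
shortly after it stops, and event logs being cleared."""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known Windows event IDs: 1102 = Security log cleared, 104 = System log
# cleared, 7045 = a service was installed, 7034 = service terminated unexpectedly.
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SERVICE_INSTALLED = ("System", 7045)
SERVICE_CRASHED = ("System", 7034)

# Constructed sample telemetry (not real IoCs); 'UpdSvc' is a placeholder name.
SAMPLE_EVENTS = [
    {"time": "2025-03-17T10:00:00", "channel": "System", "event_id": 7045, "service": "UpdSvc"},
    {"time": "2025-03-17T10:02:30", "channel": "System", "event_id": 7034, "service": "UpdSvc"},
    {"time": "2025-03-17T10:02:35", "channel": "System", "event_id": 7045, "service": "UpdSvc"},
    {"time": "2025-03-17T10:05:00", "channel": "Security", "event_id": 1102},
    {"time": "2025-03-17T11:30:00", "channel": "System", "event_id": 7045, "service": "Spooler"},
]


def detect(events, window=timedelta(minutes=10)):
    """Return a list of alert strings. Each event is a dict with 'time'
    (ISO 8601), 'channel', 'event_id' and, for service events, 'service'."""
    alerts = []
    installs = defaultdict(list)     # service name -> install timestamps
    crash_times = defaultdict(list)  # service name -> unexpected-stop timestamps
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["channel"], ev["event_id"])
        ts = datetime.fromisoformat(ev["time"])
        name = ev.get("service", "?")
        if key in LOG_CLEARED:
            alerts.append(f"{ev['time']} {ev['channel']} log cleared (anti-forensics)")
        elif key == SERVICE_CRASHED:
            crash_times[name].append(ts)
        elif key == SERVICE_INSTALLED:
            installs[name].append(ts)
            # Same service installed more than once within the window: watchdog-style recreation
            recent = [t for t in installs[name] if ts - t <= window]
            if len(recent) > 1:
                alerts.append(f"{ev['time']} service {name} reinstalled {len(recent)}x within {window}")
            # Reinstall shortly after the service stopped unexpectedly
            if any(ts - c <= window for c in crash_times[name]):
                alerts.append(f"{ev['time']} service {name} reinstalled after unexpected termination")
    return alerts


if __name__ == "__main__":
    for line in detect(SAMPLE_EVENTS):
        print(line)
```

On the sample records this raises three alerts (two for UpdSvc, one for the cleared Security log) and none for the single, legitimate Spooler install.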
The RAT enables command execution and potential proxying through commands sent from a command-and-control (C2) server to the infected systems, allowing threat actors to perform actions, including rebooting the device, removing logs, and altering Windows registry settings.
To limit the exposure to this malware, Microsoft advises users to download software exclusively from official sources and implement security measures capable of blocking malicious email attachments and domains.