Microsoft Discovers Remote Access Trojan (RAT) That Targets Crypto Wallets like Coinbase, Metamask

Microsoft Incident Response analysts discovered a new Remote Access Trojan (RAT) named StilachiRAT. The malware steals sensitive credentials and targets cryptocurrency wallets. It is particularly skilled at avoiding detection and has various features, including advanced persistence capabilities and command-and-control protocols.

StilachiRAT monitors Google Chrome local data and scans the clipboard for sensitive information. According to Microsoft, the malware has various anti-forensics features, such as clearing logs and checking whether it is contained in a sandbox. Microsoft does not know who is behind the malware but insists that more knowledge about the RAT will protect consumers. 

“In November 2024”, according to the Microsoft security blog, “Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data”.

“Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information”.

StilachiRAT can scan the network and travel between devices. The malware pretends to be an authorised Microsoft service, thus thwarting attempts to discover what it is doing. It can also impersonate users, gain access to systems, and use such credentials to attack more systems. 

When installed on a compromised system, the malware can scan configuration data from 20 different cryptocurrency wallets, including the Coinbase wallet, Metamask wallet, and OKX wallet.

According to the Microsoft blog, “The communications channel is established using TCP ports 53, 443, or 16000, selected randomly. Additionally, the malware checks for the presence of tcpview.exe and will not proceed if one is present.”

“It also delays initial connection by two hours, presumably to evade detection. Once connected, a list of active windows is sent to the server”.
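The network traits quoted above (TCP to 53, 443 or 16000, and a roughly two-hour delay before the first connection) can be turned into a simple scoring rule over endpoint telemetry. The following is an added example written for this article, not Microsoft's code or a published detection; the events, process names, allow-list and timestamps are constructed, and real Sysmon or EDR data would be parsed in place of the inline tuples.

```python
"""Score processes against the StilachiRAT C2 traits described in the article (added example)."""
from datetime import datetime, timedelta

# Assumed allow-list: images expected to speak DNS over TCP/53 on this estate.
RESOLVER_IMAGES = {"svchost.exe", "dns.exe", "chrome.exe", "msedge.exe"}
# Outbound ports the article attributes to the RAT's C2 channel. 443 is too
# common to score on its own, so only 53 and 16000 carry weight below.
C2_PORTS = {53, 443, 16000}
TWO_HOURS = timedelta(hours=2)
SLACK = timedelta(minutes=10)

# Constructed process-start records (Sysmon EID 1 style): pid -> (image, start time)
STARTS = {
    1001: ("svchost.exe", datetime(2025, 3, 1, 8, 0)),
    2002: ("updater.exe", datetime(2025, 3, 1, 8, 5)),   # constructed suspect
    3003: ("chrome.exe", datetime(2025, 3, 1, 8, 10)),
}
# Constructed network-connection records (Sysmon EID 3 style): (pid, time, proto, dst port)
CONNECTIONS = [
    (1001, datetime(2025, 3, 1, 8, 0, 5), "tcp", 53),
    (3003, datetime(2025, 3, 1, 8, 11), "tcp", 443),
    (2002, datetime(2025, 3, 1, 10, 6), "tcp", 16000),
    (2002, datetime(2025, 3, 1, 10, 7), "tcp", 53),
]


def score_process(pid, starts=STARTS, conns=CONNECTIONS):
    """Return (score, reasons) for one pid; higher means more C2-like."""
    image, started = starts[pid]
    own = [c for c in conns if c[0] == pid]
    score, reasons = 0, []
    for _, _, proto, port in own:
        if proto != "tcp" or port not in C2_PORTS:
            continue
        if port == 16000:
            score += 2
            reasons.append("outbound tcp/16000 is not a known service port here")
        if port == 53 and image not in RESOLVER_IMAGES:
            score += 2
            reasons.append(f"tcp/53 from non-resolver image {image}")
    if own:
        # The article: initial connection is delayed by about two hours after launch.
        first_gap = min(c[1] for c in own) - started
        if TWO_HOURS - SLACK <= first_gap <= TWO_HOURS + SLACK:
            score += 1
            reasons.append(f"first outbound connection {first_gap} after process start")
    return score, reasons


def suspicious_pids(threshold=3, starts=STARTS, conns=CONNECTIONS):
    """Pids whose score meets the threshold; tune the threshold per environment."""
    return [pid for pid in starts if score_process(pid, starts, conns)[0] >= threshold]
```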

StilachiRAT then gains “persistence” by using Windows Service Control Manager (SCM) to monitor the malware’s binaries and reinstall them if they become inactive. The malware runs the programs using either a standalone process or a Windows service. 

“Precomputed API checksums,” according to the Microsoft blog, “are stored in multiple lookup tables, each masked with an XOR value. During the launch, the malware selects the appropriate table based on the hashed API name, applies the correct XOR mask to decode the value, and dynamically resolves the corresponding Windows API function”.

“The resolved function pointer is then cached, but with an additional XOR mask applied, preventing straightforward memory scans from identifying API references.”
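The API-hashing scheme described in the two quotes above is the kind of thing an analyst reverses by recomputing checksums over known export names and unmasking the stored table entries. The script below is an added example for this article and not Microsoft's tooling; the article names neither the checksum routine nor the XOR masks, so the ROR13-style hash, the masks and the small export list are constructed stand-ins that would be replaced by the routine lifted from the sample.

```python
"""Recover API names from XOR-masked checksum tables (added example, constructed data)."""


def ror13_hash(name: str) -> int:
    """Constructed stand-in for the malware's checksum: rotate-right-13 over ASCII bytes."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Candidate export names; in practice this list comes from dumping the export
# tables of kernel32, advapi32, user32, ws2_32 and friends.
KNOWN_EXPORTS = [
    "CreateServiceW", "OpenSCManagerW", "StartServiceW", "OpenClipboard",
    "GetClipboardData", "connect", "socket", "WSAStartup", "CreateProcessW",
]


def build_masked_table(names, mask):
    """Shape of a stored table as the article describes it: checksum XOR mask per entry."""
    return [ror13_hash(n) ^ mask for n in names]


def resolve_table(masked_entries, mask, candidates=KNOWN_EXPORTS):
    """Unmask each entry and map the checksum back to a name; None if no candidate matches."""
    lookup = {ror13_hash(n): n for n in candidates}
    return [lookup.get(entry ^ mask) for entry in masked_entries]


# Constructed sample: two tables, each under its own XOR mask.
MASKS = {"table_a": 0x5A5A5A5A, "table_b": 0xC3C3C3C3}
SAMPLE_TABLES = {
    "table_a": build_masked_table(["OpenSCManagerW", "CreateServiceW"], MASKS["table_a"]),
    "table_b": build_masked_table(["OpenClipboard", "GetClipboardData", "connect"], MASKS["table_b"]),
}


def resolve_all(tables=SAMPLE_TABLES, masks=MASKS):
    """Resolve every table with its matching mask, as an analyst would once masks are known."""
    return {name: resolve_table(entries, masks[name]) for name, entries in tables.items()}
```

Applying the wrong mask to a table yields no matches, which is a quick sanity check that the mask recovered from the binary is the right one.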

StilachiRAT also target
