StilachiRAT, a new malware for stealing various types of information

April 23, 2025

A newly discovered remote access trojan, StilachiRAT, uses sophisticated tactics to avoid detection, remain persistent, and extract sensitive data.

Although this malware has not yet reached a wide audience, Microsoft has published indicators of compromise and mitigation guidance to help network defenders detect and contain the threat.

Moreover, because so few deployments have been observed in the wild, the company has not yet attributed the malware to any single threat actor or region.


StilachiRAT uses several techniques to steal information.


Analysis of StilachiRAT’s WWStartupCtrl64.dll module showed that it houses the RAT functionality and implements multiple techniques for stealing data from the target system.

The malware’s primary targets include system information, digital wallet data, clipboard contents, and credentials saved in the browser.

Separate research also documented the malware’s reconnaissance capabilities: it gathers system information such as hardware identifiers, checks whether a camera is present, identifies active Remote Desktop Protocol (RDP) sessions, and enumerates running GUI-based applications in order to profile the targeted system.
</gml_replace>
<gr_replace lines="24" cat="clarify" orig="Furthermore, threat">
Furthermore, once the trojan is installed on an infected device, its operators can siphon digital wallet data by scanning the configuration data of 20 cryptocurrency wallet browser extensions.

Furthermore, threat actors can use the trojan to siphon digital wallet data after it has been installed on infected devices by analysing the configuration data of 20 cryptocurrency wallet extensions.

The malware also uses Windows APIs to extract credentials stored in the Google Chrome local state file, monitors clipboard activity for sensitive information such as passwords and cryptocurrency keys, and tracks active windows and programs.

When launched as a standalone process or as a Windows service, the tool establishes persistence through the Windows service control manager (SCM). It keeps itself installed with watchdog threads that monitor the malware’s binaries and recreate them if they are no longer present or running.

It can also monitor active RDP sessions by capturing data from foreground windows and cloning security tokens to impersonate logged-in users.

After installing the RAT malware on RDP servers that frequently host administrative sessions, its operators can move laterally within a compromised network.

The RAT also includes significant detection-evasion and anti-forensics capabilities, such as erasing event logs and detecting sandbox environments to frustrate analysis. Even when it is coaxed into running in a sandbox, StilachiRAT’s Windows API calls are encoded as checksums that are resolved dynamically at runtime and further obfuscated to hinder investigation.
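As an added, defender-side illustration (not Microsoft’s detection logic and not code from the malware), the Python below applies two heuristics to constructed Windows event records: a burst of service installs for one service on one host, which is what a watchdog that recreates a removed service would leave behind, and an audit-log clear shortly afterwards. Event IDs 7045 (new service installed) and 1102 (audit log cleared) are standard Windows event IDs; the host and service names are made up.

```python
"""Defender-side heuristics for two behaviours described above: SCM persistence
kept alive by watchdog threads (a burst of service installs) and event-log clearing.
Added example, not Microsoft's tooling; the event records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: 7045 (System log) = new service installed; 1102 (Security) = audit log cleared.
SAMPLE_EVENTS = [
    {"time": "2025-04-23T10:00:00", "id": 7045, "host": "rdp-srv01", "service": "UpdaterSvc"},
    {"time": "2025-04-23T10:00:05", "id": 7045, "host": "rdp-srv01", "service": "HypotheticalSvc"},
    {"time": "2025-04-23T10:03:00", "id": 7045, "host": "rdp-srv01", "service": "HypotheticalSvc"},
    {"time": "2025-04-23T10:04:10", "id": 7045, "host": "rdp-srv01", "service": "HypotheticalSvc"},
    {"time": "2025-04-23T10:06:00", "id": 1102, "host": "rdp-srv01", "service": None},
    {"time": "2025-04-23T11:00:00", "id": 7045, "host": "ws-02", "service": "PrintHelper"},
]

def _t(s):
    return datetime.fromisoformat(s)

def find_watchdog_reinstalls(events, window=timedelta(minutes=10), min_installs=3):
    """(host, service) pairs installed min_installs+ times inside `window`.
    A legitimate installer registers a service once; a watchdog that recreates the
    service each time it is removed produces a tight burst of 7045 events."""
    installs = defaultdict(list)
    for e in events:
        if e["id"] == 7045:
            installs[(e["host"], e["service"])].append(_t(e["time"]))
    hits = []
    for key, times in installs.items():
        times.sort()  # sliding window over consecutive installs
        if any(times[i + min_installs - 1] - times[i] <= window
               for i in range(len(times) - min_installs + 1)):
            hits.append(key)
    return hits

def find_log_clears(events):
    """(host, time) for every audit-log-cleared event (1102)."""
    return [(e["host"], _t(e["time"])) for e in events if e["id"] == 1102]

def correlate(events, window=timedelta(minutes=30)):
    """Escalate when an audit-log clear follows a watchdog burst on the same host:
    the persistence-plus-anti-forensics combination described in the article."""
    bursts = dict(find_watchdog_reinstalls(events))
    alerts = []
    for host, cleared in find_log_clears(events):
        if host in bursts:
            last = max(_t(e["time"]) for e in events if e["id"] == 7045 and e["host"] == host)
            if cleared - last <= window:
                alerts.append({"host": host, "service": bursts[host], "cleared": cleared.isoformat()})
    return alerts
```

The thresholds (three installs in ten minutes, a clear within thirty minutes) are starting points to tune against a baseline of normal service churn on the hosts being monitored.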

Microsoft reports that StilachiRAT supports command execution and potential SOCKS-like proxying from the C2 server to infected devices, allowing its operators to reboot the compromised system, execute applications, clear logs, steal credentials, and manipulate system windows.
