Tuesday, March 18, 2025
Homecyber securityMicrosoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Published on

SIEM as a Service

Follow Us on Google News

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which poses significant threats to system security by stealing sensitive data, including credentials and cryptocurrency information.

This sophisticated malware was discovered by Microsoft Incident Response researchers in November 2024 and is notable for its advanced evasion techniques and persistence mechanisms.

Key Capabilities of StilachiRAT

StilachiRAT is designed to gather extensive system information, including operating system details, hardware identifiers, and camera presence.

It targets Google Chrome to extract saved credentials and digital wallet data, specifically focusing on cryptocurrency wallet extensions.

The malware establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, allowing for remote command execution and potential SOCKS-like proxying.

StilachiRAT
Start the malware via SCM

It also monitors Remote Desktop Protocol (RDP) sessions, capturing active window information and impersonating users, which could enable lateral movement within networks.

StilachiRAT employs anti-forensic tactics such as clearing event logs and detecting analysis tools to evade detection.

It uses API-level obfuscation techniques to conceal its use of Windows APIs, making manual analysis more complex.

The malware can launch various commands from the C2 server, including system reboots, log clearing, and application execution.

Its persistence mechanisms involve running as a Windows service or standalone component, with watchdog threads ensuring its self-reinstatement if removed.

Mitigation Strategies

To protect against StilachiRAT, Microsoft recommends implementing robust security measures.

Users should only download software from official or reputable sources and utilize browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.

Enabling features such as Safe Links and Safe Attachments in Office 365 can also help prevent attacks.

Network protection in Microsoft Defender for Endpoint should be activated to block access to malicious domains.

StilachiRAT
Access user’s files

Additionally, enabling tamper protection and running endpoint detection in block mode can help block malicious artifacts.

Microsoft Defender Antivirus detects StilachiRAT as TrojanSpy:Win64/Stilachi.A, and customers can use Microsoft Defender XDR to monitor for suspicious activity and implement automated response strategies.

Microsoft continues to monitor the evolving threat landscape and advises users to remain vigilant against such sophisticated threats.

The company emphasizes the importance of comprehensive security solutions and regular updates to mitigate the risks associated with malware like StilachiRAT.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large...

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Hackers Exploit Hard Disk Image Files to Deploy VenomRAT

In a recent cybersecurity threat, hackers have been using virtual hard disk image files...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large...

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...