Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which poses significant threats to system security by stealing sensitive data, including credentials and cryptocurrency information.

This sophisticated malware was discovered by Microsoft Incident Response researchers in November 2024 and is notable for its advanced evasion techniques and persistence mechanisms.

Key Capabilities of StilachiRAT

StilachiRAT is designed to gather extensive system information, including operating system details, hardware identifiers, and camera presence.

It targets Google Chrome to extract saved credentials and digital wallet data, specifically focusing on cryptocurrency wallet extensions.

The malware establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, allowing for remote command execution and potential SOCKS-like proxying.

It also monitors Remote Desktop Protocol (RDP) sessions, capturing active window information and impersonating users, which could enable lateral movement within networks.

StilachiRAT employs anti-forensic tactics such as clearing event logs and detecting analysis tools to evade detection.

It uses API-level obfuscation techniques to conceal its use of Windows APIs, making manual analysis more complex.

The malware can launch various commands from the C2 server, including system reboots, log clearing, and application execution.

Its persistence mechanisms involve running as a Windows service or standalone component, with watchdog threads ensuring its self-reinstatement if removed.

Mitigation Strategies

To protect against StilachiRAT, Microsoft recommends implementing robust security measures.

Users should only download software from official or reputable sources and utilize browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.

Enabling features such as Safe Links and Safe Attachments in Office 365 can also help prevent attacks.

Network protection in Microsoft Defender for Endpoint should be activated to block access to malicious domains.

Additionally, enabling tamper protection and running endpoint detection in block mode can help block malicious artifacts.

Microsoft Defender Antivirus detects StilachiRAT as TrojanSpy:Win64/Stilachi.A, and customers can use Microsoft Defender XDR to monitor for suspicious activity and implement automated response strategies.

Microsoft continues to monitor the evolving threat landscape and advises users to remain vigilant against such sophisticated threats.

The company emphasizes the importance of comprehensive security solutions and regular updates to mitigate the risks associated with malware like StilachiRAT.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.