Cyber Security News

Microsoft Warns of StilachiRAT Stealing Remote Desktop Protocol Session Data

Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which poses significant threats to system security by stealing sensitive data, including credentials and cryptocurrency information.

This sophisticated malware was discovered by Microsoft Incident Response researchers in November 2024 and is notable for its advanced evasion techniques and persistence mechanisms.

Key Capabilities of StilachiRAT

StilachiRAT is designed to gather extensive system information, including operating system details, hardware identifiers, and camera presence.

It targets Google Chrome to extract saved credentials and digital wallet data, specifically focusing on cryptocurrency wallet extensions.

The malware establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, allowing for remote command execution and potential SOCKS-like proxying.

StilachiRATStilachiRAT
Start the malware via SCM

It also monitors Remote Desktop Protocol (RDP) sessions, capturing active window information and impersonating users, which could enable lateral movement within networks.

StilachiRAT employs anti-forensic tactics such as clearing event logs and detecting analysis tools to evade detection.

It uses API-level obfuscation techniques to conceal its use of Windows APIs, making manual analysis more complex.

The malware can launch various commands from the C2 server, including system reboots, log clearing, and application execution.

Its persistence mechanisms involve running as a Windows service or standalone component, with watchdog threads ensuring its self-reinstatement if removed.

Mitigation Strategies

To protect against StilachiRAT, Microsoft recommends implementing robust security measures.

Users should only download software from official or reputable sources and utilize browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.

Enabling features such as Safe Links and Safe Attachments in Office 365 can also help prevent attacks.

Network protection in Microsoft Defender for Endpoint should be activated to block access to malicious domains.

Access user’s files

Additionally, enabling tamper protection and running endpoint detection in block mode can help block malicious artifacts.

Microsoft Defender Antivirus detects StilachiRAT as TrojanSpy:Win64/Stilachi.A, and customers can use Microsoft Defender XDR to monitor for suspicious activity and implement automated response strategies.

Microsoft continues to monitor the evolving threat landscape and advises users to remain vigilant against such sophisticated threats.

The company emphasizes the importance of comprehensive security solutions and regular updates to mitigate the risks associated with malware like StilachiRAT.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

3 hours ago

GenAI Assistant DIANNA Uncovers New Obfuscated Malware

Deep Instinct’s GenAI-powered assistant, DIANNA, has identified a sophisticated new malware strain dubbed BypassERWDirectSyscallShellcodeLoader. This…

3 hours ago

Hackers Expose 184 Million User Passwords via Open Directory

A major cybersecurity incident has come to light after researcher Jeremiah Fowler discovered a publicly…

4 hours ago

New Formjacking Malware Targets E-Commerce Sites to Steal Credit Card Data

A disturbing new formjacking malware has emerged, specifically targeting WooCommerce-based e-commerce sites to steal sensitive…

4 hours ago

GitLab Duo Vulnerability Exploited to Inject Malicious Links and Steal Source Code

A security vulnerability was recently discovered in GitLab Duo, the AI-powered coding assistant integrated into…

4 hours ago