Microsoft has recently issued a warning about a novel remote access trojan (RAT) known as StilachiRAT, which poses significant threats to system security by stealing sensitive data, including credentials and cryptocurrency information.
This sophisticated malware was discovered by Microsoft Incident Response researchers in November 2024 and is notable for its advanced evasion techniques and persistence mechanisms.
StilachiRAT is designed to gather extensive system information, including operating system details, hardware identifiers, and camera presence.
It targets Google Chrome to extract saved credentials and digital wallet data, specifically focusing on cryptocurrency wallet extensions.
The malware establishes communication with command-and-control (C2) servers using TCP ports 53, 443, or 16000, allowing for remote command execution and potential SOCKS-like proxying.
It also monitors Remote Desktop Protocol (RDP) sessions, capturing active window information and impersonating users, which could enable lateral movement within networks.
StilachiRAT employs anti-forensic tactics such as clearing event logs and detecting analysis tools to evade detection.
It uses API-level obfuscation techniques to conceal its use of Windows APIs, making manual analysis more complex.
The malware can launch various commands from the C2 server, including system reboots, log clearing, and application execution.
Its persistence mechanisms involve running as a Windows service or standalone component, with watchdog threads ensuring its self-reinstatement if removed.
To protect against StilachiRAT, Microsoft recommends implementing robust security measures.
Users should only download software from official or reputable sources and utilize browsers like Microsoft Edge that support SmartScreen for identifying malicious websites.
Enabling features such as Safe Links and Safe Attachments in Office 365 can also help prevent attacks.
Network protection in Microsoft Defender for Endpoint should be activated to block access to malicious domains.
Additionally, enabling tamper protection and running endpoint detection in block mode can help block malicious artifacts.
Microsoft Defender Antivirus detects StilachiRAT as TrojanSpy:Win64/Stilachi.A, and customers can use Microsoft Defender XDR to monitor for suspicious activity and implement automated response strategies.
Microsoft continues to monitor the evolving threat landscape and advises users to remain vigilant against such sophisticated threats.
The company emphasizes the importance of comprehensive security solutions and regular updates to mitigate the risks associated with malware like StilachiRAT.
Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.
A sophisticated phishing campaign is currently targeting cryptocurrency investors with fraudulent emails claiming to be…
Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices, particularly…
A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large language…
A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA and…
A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known as…
In a recent cybersecurity threat, hackers have been using virtual hard disk image files (.vhd)…