Summary: Microsoft has published details of a novel remote access trojan (RAT), dubbed StilachiRAT, which it discovered in November 2024. StilachiRAT employs sophisticated techniques to evade detection, maintain persistence in targeted environments, and exfiltrate sensitive information. It conducts system reconnaissance by gathering detailed information, including OS details, hardware IDs, camera presence, active RDP sessions, and running GUI applications. It also scans for configuration data belonging to 20 cryptocurrency wallet extensions for Google Chrome, and extracts and decrypts the browser's saved credentials to obtain usernames and passwords. Additionally, StilachiRAT supports command execution, enabling operators to reboot the system, clear logs, edit the registry, and execute malicious applications. StilachiRAT achieves persistence through the Windows service control manager and uses watchdog threads to reinstate itself if it is removed. It monitors RDP sessions, captures active window data, and impersonates users for lateral movement. The RAT also monitors the clipboard for sensitive data such as passwords and cryptocurrency keys while tracking active windows and applications. Finally, it employs anti-forensic tactics, clearing event logs, detecting analysis tools, and using sandbox-evasion techniques to avoid detection.
Security Officer Comments: StilachiRAT has yet to be attributed to a known threat group. According to Microsoft, StilachiRAT is not currently seeing widespread distribution, suggesting that its deployment is still relatively limited. However, given the sophisticated nature of its operations, such as its ability to gather comprehensive system information, exfiltrate sensitive data, and maintain persistence, it is highly likely that we will see an increase in campaigns distributing this RAT in the future. Overall, its capability to monitor and steal sensitive data, including login credentials and cryptocurrency keys, coupled with its ability to evade detection through anti-forensic tactics, makes it an appealing tool for cybercriminals.
Suggested Corrections: Malware like StilachiRAT can be installed through various vectors. The following mitigations can help prevent this type of malware from infiltrating systems and reduce the attack surface:
- In some cases, RATs masquerade as legitimate software or software updates. Always download software from the developer's official website or from other reputable sources.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks malicious websites, including phishing sites, scam sites, and sites that host malware.
- Turn on Safe Links and Safe Attachments for Office 365. In organizations with Microsoft Defender for Office 365, Safe Links scanning protects your organization from malicious links that are used in phishing and other attacks. Specifically, Safe Links provides URL scanning and rewriting of inbound email messages during mail flow, and time-of-click verification of URLs and links in email messages, Microsoft Teams, and supported Office 365 apps. Safe Attachments provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP).
- Enable network protection in Microsoft Defender for Endpoint to prevent applications or users from accessing malicious domains and other malicious content on the internet. You can audit network protection in a test environment to view which apps would be blocked before enabling network protection.
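The two defender-side tasks above, staging network protection in audit mode before enforcing it and looking for the traces that StilachiRAT's log clearing and service-based persistence leave in Windows event logs, as an added PowerShell example (not from the Microsoft report or the digest). It uses the documented Defender cmdlets and event IDs; the function names and the seven-day window are this example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original report. Run on a Windows host with
# Microsoft Defender Antivirus; the Defender for Endpoint sensor is not required.

function Set-NetworkProtectionStage {
    # Switch network protection between Disabled, AuditMode (log only) and Enabled (block).
    param([ValidateSet('Disabled', 'AuditMode', 'Enabled')][string]$Mode)
    Set-MpPreference -EnableNetworkProtection $Mode
    # Returns the effective setting: 0 = Disabled, 1 = Enabled, 2 = AuditMode
    (Get-MpPreference).EnableNetworkProtection
}

function Get-NetworkProtectionHits {
    # Event 1125 = network protection fired in audit mode (what WOULD be blocked),
    # event 1126 = network protection fired in block mode.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1125, 1126
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1125) { 'Audit' } else { 'Block' } } }, Message
}

function Get-AntiForensicIndicators {
    # Traces of the behaviours described in the summary:
    #   Security 1102 = the audit (Security) log was cleared
    #   System   104  = an event log was cleared
    #   System   7045 = a new service was installed (service control manager persistence)
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    $sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } -ErrorAction SilentlyContinue
    $sys = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104, 7045; StartTime = $since } -ErrorAction SilentlyContinue
    @($sec) + @($sys) | Sort-Object TimeCreated | Select-Object TimeCreated, Id, ProviderName, Message
}

# Stage 1: audit only, then review what would have been blocked before enforcing.
Set-NetworkProtectionStage -Mode AuditMode
Get-NetworkProtectionHits -Days 7 | Format-Table -AutoSize -Wrap

# Hunt for log clearing and new service installs in the same window.
Get-AntiForensicIndicators -Days 7 | Format-Table -AutoSize -Wrap

# Stage 2: once the audit hits have been reviewed and legitimate destinations handled:
# Set-NetworkProtectionStage -Mode Enabled
```

Event 7045 also fires for legitimate software installs, so treat a hit as a lead to check the service's binary path and signer rather than as a verdict on its own.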
Link(s): https://www.microsoft.com/en-us/sec...ystem-reconnaissance-to-cryptocurrency-theft/