Microsoft Incident Response identified a new Remote Access Trojan (RAT) named StilachiRAT, which demonstrates advanced stealth techniques, persistence mechanisms, and data exfiltration capabilities. This malware is designed to evade detection, maintain long-term access to infected systems, and steal sensitive information, particularly focusing on cryptocurrency wallets and credentials.
Severity Level: High
KEY CAPABILITIES OF STILACHIRAT
1. System Reconnaissance:
- Collects detailed system information, including OS type, hardware identifiers, and active applications.
- Monitors RDP sessions, enabling potential lateral movement within networks.
2. Credential Theft:
- Extracts and decrypts saved login credentials from Google Chrome.
- Retrieves encryption keys and login data to gain access to stored passwords.
3. Cryptocurrency Wallet Targeting:
- Scans for 20 different cryptocurrency wallet extensions in Google Chrome.
- Targets wallets such as MetaMask, Trust Wallet, Coinbase Wallet, and TronLink to steal digital assets.
4. Command-and-Control (C2) Communication:
- Establishes a connection to remote servers via TCP ports 53, 443, or 16000.
- Communicates with the C2 domain app[.]95560[.]cc and IP 194.195.89[.]47.
- Delays the initial connection by two hours to evade detection.
5. Persistence and Evasion Techniques:
- Achieves persistence through the Windows Service Control Manager (SCM) and watchdog threads.
- Actively monitors and reinstalls itself if removed from the system.
- Implements anti-forensics techniques, including event log clearing and sandbox evasion.
6. Clipboard and Data Collection:
- Continuously monitors clipboard activity to extract sensitive information like passwords and cryptocurrency keys.
- Scans user directories (%USERPROFILE%\Desktop, %USERPROFILE%\Recent) for valuable files.
7. Remote Execution and System Manipulation:
- Receives and executes commands from the C2 server, including system reboot, registry modification, and launching applications.
- Can impersonate users in RDP sessions, allowing unauthorized access and potential privilege escalation.
Recommendations:
- In some cases, RATs can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources.
- Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks phishing sites, scam sites, and sites that host malware.
- Turn on Safe Links and Safe Attachments for Office 365.
- The malware can run either as a Windows service or as a standalone component. To identify persistence and suspicious services, monitor for the following event IDs:
  - Event ID 7045 (System log): a new service was installed on the system. Review newly installed services for anything unexpected.
  - Event ID 7040 (System log): the start type of a service was changed (e.g., boot, on request). A boot start type may be used by the RAT to persist across a system reboot; on request means the service is started only when a process asks the SCM to start it.
  - Correlate both with Event ID 4697 (Security log): a service was installed on the system.
- To identify potential event log clearing, monitor for Event ID 1102 (Security log) and Event ID 104 (System log).
- Disable password auto-saving in web browsers to prevent credential theft.
- Use application whitelisting (e.g., Microsoft AppLocker) to prevent unauthorized executables.
- Block the IOCs (the C2 domain and IP address above) at their respective controls.
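The event IDs recommended above, turned into a single-host hunt. This is an added example and not code from the advisory or from Microsoft's analysis; save it as a .ps1 and run it from an elevated PowerShell prompt. The seven-day lookback, the 120-second correlation window between 7045 and 4697, and the "expected binary location" heuristic are assumptions made here, not recommendations from the advisory.

```powershell
# Added example (not code from the advisory or from Microsoft): hunt a single
# host for the events the advisory recommends monitoring.
#   7045 / 7040 (System log)      service installed / start type changed
#   4697 (Security log)           service installed; only logged when the
#                                 "Audit Security System Extension" subcategory is enabled
#   1102 (Security), 104 (System) an event log was cleared
# Run from an elevated PowerShell prompt. The lookback window, the 120-second
# correlation window and the "expected binary location" heuristic are assumptions.
param([int]$LookbackDays = 7)
$Since = (Get-Date).AddDays(-$LookbackDays)

function Get-EventsSafe {
    param([string]$LogName, [int[]]$Id)
    # Get-WinEvent throws when nothing matches; treat that as an empty result.
    try {
        Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $Since } -ErrorAction Stop
    } catch { @() }
}

# Locations a legitimate service binary is normally installed under (heuristic).
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() + '\' }

function Test-UnexpectedPath {
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"').ToLowerInvariant()
    foreach ($root in $TrustedRoots) { if ($p.StartsWith($root)) { return $false } }
    return $true
}

# 7045 message fields: service name, image path, service type, start type, account.
$Installed = @(Get-EventsSafe -LogName 'System' -Id 7045 | ForEach-Object {
    [pscustomobject]@{
        Time       = $_.TimeCreated
        Service    = $_.Properties[0].Value
        ImagePath  = $_.Properties[1].Value
        StartType  = $_.Properties[3].Value
        Account    = $_.Properties[4].Value
        Unexpected = Test-UnexpectedPath $_.Properties[1].Value
    }
})

# 4697 records the same installation in the Security log, plus who performed it.
$SecInstalled = @(Get-EventsSafe -LogName 'Security' -Id 4697 | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $d['ServiceName']; Subject = $d['SubjectUserName'] }
})

# Correlate by service name within a short window. A 7045 with no 4697 partner
# means Security auditing is off or the Security log has been tampered with.
foreach ($svc in $Installed) {
    $match = $SecInstalled | Where-Object {
        $_.Service -eq $svc.Service -and [math]::Abs(($_.Time - $svc.Time).TotalSeconds) -le 120
    } | Select-Object -First 1
    $who = if ($match) { $match.Subject } else { '(no 4697 match)' }
    $svc | Add-Member -NotePropertyName InstalledBy -NotePropertyValue $who
}

"== Services installed since $Since (7045, correlated with 4697) =="
$Installed | Sort-Object Time |
    Format-Table Time, Service, StartType, Account, InstalledBy, Unexpected, ImagePath -AutoSize

"`n== Service start-type changes (7040) =="
Get-EventsSafe -LogName 'System' -Id 7040 | ForEach-Object {
    [pscustomobject]@{
        Time = $_.TimeCreated; Service = $_.Properties[0].Value
        From = $_.Properties[1].Value; To = $_.Properties[2].Value
    }
} | Sort-Object Time | Format-Table -AutoSize

"`n== Event log cleared (1102 Security, 104 System) =="
@(Get-EventsSafe -LogName 'Security' -Id 1102) + @(Get-EventsSafe -LogName 'System' -Id 104) |
    Sort-Object TimeCreated | Format-Table TimeCreated, Id, LogName, Message -AutoSize -Wrap
```

A new service whose binary sits outside the Windows or Program Files trees, or whose 7045 record has no matching 4697 entry, is worth a closer look; a 1102 or 104 event in the same window as a service install is a stronger signal still, since the advisory lists log clearing among the malware's anti-forensics techniques.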
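One way to act on the network IOCs above at the host level, as an added example that is not code from the advisory or from Microsoft. It blocks the published C2 address at the Windows host firewall and then checks whether the host already has connections to it or has resolved the C2 domain. Run it from an elevated prompt; the rule name and the use of the DNS client cache as a lightweight check are choices made here, not steps from the advisory.

```powershell
# Added example (not code from the advisory or from Microsoft): block the C2
# indicators published in the advisory at the Windows host firewall and check
# whether this host already talks to, or has resolved, them. Run elevated.
# The rule name and the DNS-cache check are choices made here.
$C2Address = '194.195.89.47'
$C2Domain  = '95560.cc'          # app.95560.cc and any other label under it
$C2Ports   = 53, 443, 16000      # ports the advisory reports for C2 traffic

# Block all outbound traffic to the C2 address, not just the reported ports.
$RuleName = 'Block StilachiRAT C2 (advisory IOC)'
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Action Block `
        -RemoteAddress $C2Address -Profile Any | Out-Null
}

# Live or lingering TCP connections to the address, with the owning process.
$Hits = Get-NetTCPConnection -RemoteAddress $C2Address -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RemotePort = $_.RemotePort
        Reported   = $C2Ports -contains $_.RemotePort   # matches a port from the advisory?
        State      = $_.State
        ProcessId  = $_.OwningProcess
        Process    = $p.ProcessName
        Path       = $p.Path
    }
}
"== Connections to $C2Address =="
$Hits | Format-Table -AutoSize

# Cached resolutions of the C2 domain (kept only until the entry expires or the cache is flushed).
"== DNS client cache entries for $C2Domain =="
Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like "*$C2Domain" -or $_.Data -eq $C2Address } |
    Format-Table Entry, Data, TimeToLive -AutoSize
```

The host firewall rule is a stopgap for a single machine; the same indicators should also go into the perimeter firewall, proxy and DNS controls, where a block is enforced for every host at once. Any process found holding a connection to the C2 address, or a cached answer for the domain, is grounds for isolating the host and starting an investigation.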
SOURCES:
- https://www.virustotal.com/gui/collection/6f5b7bd02b1ff77095227b8def09cfa4a8175280fcc2d69c62a211237ecc5e38/iocs
- https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/