Microsoft Warns on StilachiRAT

---

The StilachiRAT is a highly sophisticated and recently discovered Remote Access Trojan (RAT) that has gained attention due to its stealthy operation and diverse capabilities. Designed to steal sensitive information, including credentials, cryptocurrency wallet data, and system-level details, this malware has demonstrated advanced techniques to evade detection, maintain persistence, and enable attackers to exert long-term control over infected systems.

Key Features and Capabilities of StilachiRAT

1. Advanced System Reconnaissance

StilachiRAT initiates its attack by gathering extensive details about the victim’s system, enabling the attackers to tailor their next steps effectively. Its reconnaissance capabilities include:

• System Profiling:
• Collects vital system information, such as the operating system version, CPU architecture, and hardware specifications.
• Identifies BIOS serial numbers, which may be used to uniquely fingerprint the infected device.
• Network Analysis:
• Scans for open ports and active connections to profile the network environment.
• Checks for any active Remote Desktop Protocol (RDP) sessions, which could allow attackers to hijack existing remote access.
• Application Discovery:
• Detects running GUI-based applications and other system processes, enabling attackers to identify high-value targets or applications to exploit.
• Utilizes Windows Management Instrumentation (WMI) queries and WQL (WMI Query Language) to collect system data covertly, making it challenging to detect.

2. Credential and Sensitive Data Theft

A core functionality of StilachiRAT is its ability to extract sensitive credentials and personal data from infected systems:

• Browser Credential Extraction:
• Targets stored credentials in popular browsers, such as Google Chrome, by decrypting login data from the browser’s local state file.
• Cryptocurrency Wallet Monitoring:
• Specifically searches for 20 popular cryptocurrency wallet extensions used in browsers, including:
  • MetaMask, Coinbase Wallet, Phantom, Trust Wallet, and OKX Wallet.
• Compromises cryptocurrency wallet private keys or recovery phrases to facilitate cryptocurrency theft.
• Clipboard Monitoring:
• Monitors clipboard activity for sensitive data, such as passwords or cryptocurrency wallet addresses.
• Logs and exfiltrates clipboard content to its Command-and-Control (C2) server, allowing attackers to intercept financial transactions.

3. Command-and-Control (C2) Infrastructure

StilachiRAT maintains two-way communication with its operators through a sophisticated Command-and-Control (C2) infrastructure:

• Communication Protocols:
• Leverages common TCP ports, including:
  • Port 53 (DNS) for covert data exfiltration.
  • Port 443 (HTTPS) for encrypted communication to bypass firewalls.
  • Port 16000 for arbitrary data exchanges.
• Remote Commands:
• Receives instructions from the C2 server to perform a variety of malicious activities, such as:
  • Clearing system event logs to erase evidence of its presence.
  • Executing arbitrary commands or suspending the system.
  • Modifying sensitive registry entries.
• Stealth Techniques:
• Uses encrypted payloads to avoid detection during data transmission.
• Introduces delays (e.g., waiting two hours post-infection) before initiating its connection to the C2 server, which helps it evade real-time security scans.

4. Persistence Mechanisms

To ensure it maintains long-term access to the infected system, StilachiRAT employs robust persistence strategies:

• Watchdog Threads:
• Continuously monitors its core binaries (EXE and DLL files). If any of these files are deleted, StilachiRAT immediately restores them from a hidden internal backup copy.
• Service Control Manager (SCM):
• Registers itself as a legitimate service, ensuring it starts automatically upon system reboot.
• Registry Modifications:
• Alters registry settings to embed itself deeper into the system’s startup processes.

5. Anti-Forensic and Evasion Techniques

StilachiRAT employs several strategies to evade detection and analysis:

• Log Erasure:
• Actively clears Windows event logs to minimize traces of malicious activity.
• Virtual Environment Detection:
• Identifies the presence of sandbox or virtualized environments and halts execution to avoid dynamic analysis.
• Encoded API Calls:
• Encodes its function calls to obfuscate behavior and hinder reverse engineering efforts.

Exploitation Mechanism

Initial Infection Vector

While the precise delivery methods of StilachiRAT remain under investigation, the malware is suspected to use:

• Phishing Campaigns:
• Malicious email attachments, fake updates, or social engineering are likely vectors.
• Software Vulnerability Exploitation:
• Exploitation of unpatched or vulnerable systems to gain access.
• Drive-By Downloads:
• Infecting victims through compromised websites hosting malicious scripts.

Impact of StilachiRAT

The consequences of a StilachiRAT infection are significant, posing both financial and operational risks:

Credential Theft:

• Stolen credentials can lead to:
  • Unauthorized account access.
  • Financial theft.
  • Business email compromise (BEC) attacks.

Cryptocurrency Loss:

• Compromised wallet extensions result in the theft of digital assets, often irrecoverable due to blockchain anonymity.

Lateral Network Movement:

• Leveraging RDP and cloned authentication tokens, attackers can gain access to additional systems within the network.

Mitigation and Defensive Strategies

1. Strengthening Endpoint Security

• Deploy Endpoint Detection and Response (EDR) tools to monitor for suspicious activities such as clipboard logging, unauthorized registry modifications, and encrypted C2 communications.
• Regularly update antivirus and antimalware solutions to include signatures for detecting StilachiRAT.

• Persistent infections and unauthorized command executions can disrupt normal business operations.

2. Securing Browser Data

• Minimize the storage of sensitive credentials in web browsers.
• Use secure password management tools with end-to-end encryption.
• Monitor browser extensions for unauthorized access or modifications.

3. Network Traffic Analysis

• Inspect network traffic for anomalies, especially communications using suspicious ports such as 53, 443, and 16000.
• Configure firewalls to block outgoing connections to known StilachiRAT C2 server IP addresses.

4. Regular System Audits

• Perform frequent audits of system event logs, processes, and registry keys to detect potential infections.
• Check for unauthorized services registered with the Service Control Manager (SCM).

5. Employee Awareness

• Train employees to recognize phishing emails, malicious downloads, and other social engineering tactics commonly used by attackers.
• Encourage employees to avoid clicking on links or downloading attachments from unverified sources.

6. Incident Response Planning

• Develop a robust incident response plan to contain, investigate, and recover from a StilachiRAT infection.
• Implement network segmentation to limit the spread of malware within the infrastructure.

Final Thoughts

The StilachiRAT represents a formidable cyber threat due to its advanced capabilities for reconnaissance, credential theft, and persistence. Leveraging both stealth and targeted functionality, it highlights the evolving sophistication of modern malware campaigns. Organizations must remain vigilant, proactively strengthening defenses, and adopting a multi-layered approach to prevent, detect, and mitigate the risks posed by such threats