ZyCrypto 2025-03-19 09:07:25

Microsoft Discovers Remote Access Trojan (RAT) That Targets Crypto Wallets like Coinbase, Metamask

Microsoft Incident Response analysts have discovered a new Remote Access Trojan (RAT) named StilachiRAT. The malware steals sensitive credentials and targets cryptocurrency wallets. It is adept at evading detection and includes advanced persistence mechanisms and command-and-control (C2) protocols. StilachiRAT monitors Google Chrome local data and scans the clipboard for sensitive information. According to Microsoft, the malware has several anti-forensics features, such as clearing logs and checking whether it is running in a sandbox. Microsoft has not attributed the malware to a specific actor but argues that publicising the RAT's behaviour will help protect users.

“In November 2024”, according to the Microsoft security blog, “Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data”. “Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, as well as system information”.

StilachiRAT can scan the network and travel between devices. The malware disguises itself as a legitimate Microsoft service, hampering efforts to determine what it is doing. It can also impersonate users, gain access to systems, and use those credentials to move on to further systems. Once installed on a compromised system, the malware can scan configuration data from 20 different cryptocurrency wallets, including the Coinbase wallet, Metamask wallet, and OKX wallet.

According to the Microsoft blog, “The communications channel is established using TCP ports 53, 443, or 16000, selected randomly. Additionally, the malware checks for the presence of tcpview.exe and will not proceed if one is present. It also delays initial connection by two hours, presumably to evade detection. Once connected, a list of active windows is sent to the server”.

StilachiRAT achieves persistence through the Windows Service Control Manager (SCM): it watches its own binaries and reinstates them if they stop running. The malware can run either as a standalone process or as a Windows service.

“Precomputed API checksums,” according to the Microsoft blog, “are stored in multiple lookup tables, each masked with an XOR value. During the launch, the malware selects the appropriate table based on the hashed API name, applies the correct XOR mask to decode the value, and dynamically resolves the corresponding Windows API function”. “The resolved function pointer is then cached, but with an additional XOR mask applied, preventing straightforward memory scans from identifying API references.”

StilachiRAT also targets RDP servers to mimic users and spread throughout the network. The malware can clone security tokens and monitor data from open windows, aiming to remain undetected for as long as possible.

Microsoft may also use this disclosure to promote Edge, its in-house browser, over Chrome. The company claims that Edge protects user data better by using SmartScreen to filter malicious websites, malware, and phishing attempts. Google executives have noted that the campaign aims to lure Chrome users to Edge. It is worth understanding the corporate interests behind a security warning, especially from a company like Microsoft, which is currently fighting a browser war against Chrome. It may also patch its own browser without sharing information with Chrome in order to gain market share.
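The two indicators the Microsoft description gives a defender something to hunt for are the randomly chosen C2 ports (TCP 53, 443 or 16000) and the WWStartupCtrl64.dll module name. The triage routine below, an added example that is not part of the article or of Microsoft's write-up, applies those heuristics to constructed Sysmon-style network-connection records; the event fields, the list of processes expected to speak DNS over TCP, and the sample data are assumptions made for the example.

```python
"""Triage constructed network-connection events for StilachiRAT-style C2 behaviour.

Heuristics taken from the published description: the C2 channel uses TCP
53, 443 or 16000 (chosen randomly) and the RAT capabilities live in
WWStartupCtrl64.dll.  The record shape is a constructed, Sysmon-like event.
"""
from dataclasses import dataclass

# Processes expected to use DNS over TCP on Windows (assumption for the example).
EXPECTED_TCP53_IMAGES = {r"c:\windows\system32\svchost.exe"}
RAT_MODULE = "wwstartupctrl64.dll"   # module name from the Microsoft write-up
SUSPECT_PORTS = {53, 443, 16000}     # C2 ports named in the write-up


@dataclass(frozen=True)
class NetEvent:
    image: str             # full path of the connecting process
    dest_ip: str
    dest_port: int
    protocol: str          # "tcp" or "udp"
    loaded_modules: tuple  # module file names observed in the process


def is_private(ip: str) -> bool:
    """RFC 1918 / loopback check, kept local so documentation ranges count as public."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def triage(events):
    """Return (event, reasons) pairs that merit an analyst's attention."""
    hits = []
    for ev in events:
        reasons = []
        module_hit = RAT_MODULE in {m.lower() for m in ev.loaded_modules}
        if module_hit:
            reasons.append("known RAT module loaded")
        external = ev.protocol == "tcp" and not is_private(ev.dest_ip)
        if external and ev.dest_port in SUSPECT_PORTS:
            if ev.dest_port == 53 and ev.image.lower() not in EXPECTED_TCP53_IMAGES:
                reasons.append("DNS-over-TCP from unexpected process")
            elif ev.dest_port == 16000:
                reasons.append("external TCP/16000 (uncommon port)")
            elif ev.dest_port == 443 and module_hit:   # 443 alone is too noisy
                reasons.append("TLS port from process carrying RAT module")
        if reasons:
            hits.append((ev, reasons))
    return hits


SAMPLE_EVENTS = [  # constructed sample data; 203.0.113.0/24 is a documentation range
    NetEvent(r"c:\windows\system32\svchost.exe", "8.8.8.8", 53, "tcp", ("ntdll.dll",)),
    NetEvent(r"c:\users\alice\appdata\local\temp\updater.exe", "203.0.113.10", 53, "tcp",
             ("ntdll.dll", "WWStartupCtrl64.dll")),
    NetEvent(r"c:\program files\google\chrome\application\chrome.exe", "203.0.113.20", 443,
             "tcp", ("chrome.dll",)),
    NetEvent(r"c:\users\alice\appdata\local\temp\updater.exe", "203.0.113.10", 16000, "tcp",
             ("ntdll.dll", "WWStartupCtrl64.dll")),
    NetEvent(r"c:\windows\system32\svchost.exe", "10.0.0.5", 16000, "tcp", ("ntdll.dll",)),
]

if __name__ == "__main__":
    for ev, why in triage(SAMPLE_EVENTS):
        print(f"{ev.image} -> {ev.dest_ip}:{ev.dest_port}: {', '.join(why)}")
```

Port 443 is only flagged in combination with the module indicator, since legitimate TLS traffic would otherwise swamp the result; the two-hour connection delay described above is a hunting consideration (look back in time), not something a single event can reveal.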
