Microsoft Incident Response has recently uncovered a new remote access trojan (RAT) known as StilachiRAT, which poses a significant threat to users by stealthily extracting a wide array of sensitive information from infected computers. This includes everything from passwords and cryptocurrency wallet details to operating system specifications and device identifiers. One of the most concerning aspects of StilachiRAT is its sophisticated self-reinstatement mechanism, which allows it to reinstall itself if removed, effectively ensuring its persistence on the infected system.
According to BleepingComputer, StilachiRAT is particularly adept at targeting cryptocurrency wallets held in browser extensions: it checks Google Chrome for a list of about 20 wallet extensions, including Coinbase Wallet, Phantom, Trust Wallet, MetaMask, OKX Wallet, and Bitget Wallet, and siphons their data.
Capabilities of StilachiRAT
The malware exhibits advanced reconnaissance capabilities, enabling it to harvest a wealth of information from compromised PCs. This includes:
- Credentials stored in web browsers
- Clipboard data, particularly sensitive information like passwords and cryptocurrency keys
- System information and hardware identifiers
- Camera presence data
- Active Remote Desktop Protocol (RDP) sessions
- Running GUI-based applications
StilachiRAT reads the encryption key that Google Chrome stores in its Local State file, unwraps it with the Windows Data Protection API (DPAPI), and uses it to decrypt the credentials Chrome has saved. It also monitors the clipboard for material that looks like passwords or wallet keys and keeps track of which applications are active. For persistence it registers itself with the Windows service control manager (SCM) and runs a watchdog that recreates its service and binaries whenever it finds them stopped or missing, which is why simply deleting the files does not remove it.
StilachiRAT also enumerates active Remote Desktop Protocol (RDP) sessions, records the foreground window of each, and duplicates the security tokens of logged-in users so that it can act as them. On RDP servers that host administrative sessions, this impersonation gives the operators a path for lateral movement across the victim's network.
In addition to stealing data, StilachiRAT is built to evade detection. It clears Windows event logs and checks for indicators of a sandbox or analysis environment before carrying out its activity. Its Windows API calls are not imported directly but resolved at runtime from encoded checksums, which hides the functions it uses from static analysis and automated sandbox tooling.
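Each of the behaviours above leaves a trace in Windows event logs: a service installation (System 7045) for the SCM persistence, the same service being installed again after its watchdog recreates it, RemoteInteractive logons (Security 4624, logon type 10) for the RDP sessions it enumerates, and the log-clearing records themselves (Security 1102, System 104), which survive the wipe because they are written as it happens. The triage filter below is an added example, not Microsoft's or the article's code: it runs those four checks over a handful of constructed, JSON-exported event records. The record layout, the field names and the trusted-directory list are assumptions; adapt them to whatever your SIEM or `Get-WinEvent` export produces. None of the sample values are real StilachiRAT indicators.

```python
"""Triage filter for the StilachiRAT behaviours described above, run over
constructed Windows event records (added example; record layout, field names
and trusted directories are assumptions, not indicators from the report)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one JSON object per line.  A service installed
# from ProgramData, an RDP logon, two log-clearing events and the same
# service reinstalled 39 minutes later on WS01; benign noise on WS02.
SAMPLE_EVENTS = r'''
{"ts": "2025-03-10T09:01:00", "channel": "System", "id": 7045, "host": "WS01", "data": {"ServiceName": "WinUpd", "ImagePath": "C:\\ProgramData\\svc\\host.exe", "StartType": "auto start"}}
{"ts": "2025-03-10T09:02:10", "channel": "Security", "id": 4624, "host": "WS01", "data": {"LogonType": "10", "TargetUserName": "admin", "IpAddress": "10.0.0.5"}}
{"ts": "2025-03-10T09:03:00", "channel": "Security", "id": 1102, "host": "WS01", "data": {"SubjectUserName": "admin"}}
{"ts": "2025-03-10T09:05:30", "channel": "System", "id": 104, "host": "WS01", "data": {"Channel": "System", "SubjectUserName": "admin"}}
{"ts": "2025-03-10T09:40:00", "channel": "System", "id": 7045, "host": "WS01", "data": {"ServiceName": "WinUpd", "ImagePath": "C:\\ProgramData\\svc\\host.exe", "StartType": "auto start"}}
{"ts": "2025-03-10T10:00:00", "channel": "System", "id": 7045, "host": "WS02", "data": {"ServiceName": "Sense", "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", "StartType": "demand start"}}
{"ts": "2025-03-10T10:01:00", "channel": "Security", "id": 4624, "host": "WS02", "data": {"LogonType": "2", "TargetUserName": "bob", "IpAddress": "-"}}
'''

# Directories from which a newly installed service binary is unremarkable.
# Assumption for this example; tune it to the host's own baseline.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_events(text):
    """Parse one JSON record per line and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_log_clearing(events):
    """Security 1102 (audit log cleared) and System 104 (event log cleared)
    are written as the wipe happens, so they outlive the logs that were wiped."""
    return [(e["host"], e["ts"].isoformat(), e["data"].get("SubjectUserName", "?"))
            for e in events
            if (e["channel"], e["id"]) in {("Security", 1102), ("System", 104)}]


def find_service_persistence(events, window=timedelta(hours=1)):
    """System 7045: a service was installed.  Flag binaries outside the trusted
    directories, and flag the same service name being installed again on the
    same host within `window`, the pattern a self-reinstalling watchdog leaves."""
    untrusted, reinstalled = [], []
    installs = defaultdict(list)
    for e in events:
        if e["channel"] != "System" or e["id"] != 7045:
            continue
        name = e["data"]["ServiceName"]
        path = e["data"]["ImagePath"].strip('"').lower()
        if not path.startswith(TRUSTED_PREFIXES):
            untrusted.append((e["host"], name, path))
        installs[(e["host"], name)].append(e["ts"])
    for (host, name), times in installs.items():
        times.sort()
        for earlier, later in zip(times, times[1:]):
            if later - earlier <= window:
                reinstalled.append((host, name, later.isoformat()))
    return untrusted, reinstalled


def find_rdp_logons(events):
    """Security 4624 with LogonType 10 (RemoteInteractive) lists the RDP
    sessions the RAT would enumerate and impersonate on that host."""
    return [(e["host"], e["data"]["TargetUserName"], e["data"].get("IpAddress", "-"))
            for e in events
            if e["channel"] == "Security" and e["id"] == 4624
            and e["data"].get("LogonType") == "10"]


def triage(text):
    """Run all checks and return the findings keyed by behaviour."""
    events = parse_events(text)
    untrusted, reinstalled = find_service_persistence(events)
    return {
        "log_clearing": find_log_clearing(events),
        "untrusted_services": untrusted,
        "reinstalled_services": reinstalled,
        "rdp_logons": find_rdp_logons(events),
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Findings from the four checks are most useful when correlated per host: on the sample data WS01 trips all four within forty minutes, which is the combination to escalate, while the single service installation on WS02 is a legitimate Defender component and is not flagged. Treat the trusted-directory list as a filter for noise, not as proof of legitimacy, since malware can also be dropped under Program Files.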
Microsoft first observed StilachiRAT in November 2024. It reports that the malware has not yet achieved widespread distribution and has not attributed it to a specific threat actor or region.
How to Stay Safe from StilachiRAT
To protect against the threat posed by StilachiRAT, Microsoft offers straightforward advice:
- Download software exclusively from official websites.
- Utilize robust security software capable of blocking malicious domains and email attachments.
- Install reputable antivirus software on your PC and ensure it is regularly updated.
- Be vigilant for common signs of phishing attacks, such as misspelled domain names, suspicious email attachments, or messages that create a sense of urgency.
- Refrain from clicking on unexpected links or attachments, and verify the sender’s identity through a separate communication if in doubt.
- If a link looks suspicious, do not click it; type the organization's known address into your browser instead.
- Use a password manager so that credentials are not left in the browser's own store, and prefer its autofill over copy and paste, since StilachiRAT reads the clipboard. A VPN adds privacy on untrusted networks but does nothing against a RAT that is already running on the machine.
As new malware strains emerge daily, maintaining good cyber hygiene and staying informed about the latest threats can significantly reduce the risk of falling victim to StilachiRAT and other online dangers.