
A new Windows remote access trojan (RAT), dubbed StilachiRAT, uses sophisticated techniques to avoid detection and can perform tasks ranging from reconnaissance to cryptocurrency theft.
StilachiRAT, which is not yet widely deployed and isn’t attributed to any known group of cybercriminals, also uses watchdog threads to ensure self-reinstatement if removed, says Microsoft Incident Response in its research.
When analyzing the trojan, the researchers found that it gathers extensive system information, including operating system details, device identifiers, BIOS serial numbers, and camera presence.
In addition, it targets 20 cryptocurrency wallet extensions for the Google Chrome browser, including Metamask, Coinbase wallet, Phantom, Kepler, and Trust.
Microsoft says that the malware communicates with two command-and-control (C2) servers and establishes its communication channel over a randomly selected TCP port: 53, 443, or 16000.
StilachiRAT checks whether tcpview.exe (the Sysinternals TCPView network-connection viewer) is running on the system and, if so, halts execution to avoid detection.
According to Microsoft, the trojan also monitors Remote Desktop Protocol sessions by capturing foreground window information and duplicating security tokens to impersonate users.
“StilachiRAT collects a variety of user data, including software installation records and active applications. It monitors active graphical user interface windows, their title bar text, and file location, and sends this information to the C2 server, potentially allowing attackers to track user behavior,” the researchers say.
The trojan can also periodically monitor clipboards with targeted searches for sensitive information such as passwords, cryptocurrency keys, and potentially personal identifiers.
To stay undetected, StilachiRAT clears event logs and checks certain system conditions, including looping checks for analysis tools and sandbox timers that prevent its full activation in environments used for malware analysis.
In addition, the trojan has persistence mechanisms to ensure that it isn’t removed. It monitors whether its EXE and DLL files are present and, if either is absent, recreates it from an internal copy obtained during initialization.
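A defender-side correlation of the behaviours described above (C2 traffic on the named ports, event-log clearing, and watchdog reinstatement of the malware's own binaries) over a constructed Windows/Sysmon event stream. This is an added example, not code from Microsoft's report or this article; the event IDs are real Sysmon/Windows IDs, while the sample records, file paths and the process allow-list are constructed assumptions.

```python
"""Correlate StilachiRAT-style behaviours over constructed Sysmon/Windows events.
Sysmon 3 (network connect), 11 (FileCreate), 23 (FileDelete) and Windows 1102/104
(audit/system log cleared) are real event IDs; everything else here is constructed."""
from collections import defaultdict

RAT_PORTS = {53, 443, 16000}          # C2 ports named in the article
# Assumption: images expected to talk on these ports; anything else is noteworthy.
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}
REINSTATE_WINDOW = 60                  # seconds between a delete and a re-create

def find_indicators(events):
    """Return (indicator, detail) tuples for one host's event stream.

    Each event is a dict with 'id' (event ID), 'ts' (seconds) and the fields the
    record would carry. Events are expected in ascending timestamp order.
    """
    hits = []
    deleted_at = defaultdict(list)                  # lowered path -> [FileDelete ts]
    for ev in events:
        eid = ev["id"]
        if eid == 3 and ev.get("proto") == "tcp" and ev["dport"] in RAT_PORTS:
            image = ev["image"].rsplit("\\", 1)[-1].lower()
            if image not in EXPECTED_IMAGES:
                hits.append(("c2_port_from_unexpected_process",
                             f"{image} -> {ev['dip']}:{ev['dport']}"))
        elif eid in (1102, 104):                     # security/system log cleared
            hits.append(("event_log_cleared", f"event {eid}"))
        elif eid == 23:                              # Sysmon FileDelete
            deleted_at[ev["path"].lower()].append(ev["ts"])
        elif eid == 11:                              # Sysmon FileCreate
            path = ev["path"].lower()
            if path.endswith((".exe", ".dll")) and any(
                    0 <= ev["ts"] - t <= REINSTATE_WINDOW for t in deleted_at[path]):
                hits.append(("binary_reinstated_after_delete", path))
    return hits

# Constructed sample stream: a payload DLL is deleted and comes back 5 s later,
# the Security log is wiped, an unknown binary talks to TCP/16000, and a browser
# makes an ordinary 443 connection that must not be flagged.
SAMPLE_EVENTS = [
    {"id": 23, "ts": 100, "path": r"C:\ProgramData\Updater\payload_placeholder.dll"},
    {"id": 11, "ts": 105, "path": r"C:\ProgramData\Updater\payload_placeholder.dll"},
    {"id": 1102, "ts": 110},
    {"id": 3, "ts": 120, "proto": "tcp", "dip": "203.0.113.10", "dport": 16000,
     "image": r"C:\ProgramData\Updater\svc_placeholder.exe"},
    {"id": 3, "ts": 121, "proto": "tcp", "dip": "203.0.113.11", "dport": 443,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]

if __name__ == "__main__":
    for name, detail in find_indicators(SAMPLE_EVENTS):
        print(f"{name}: {detail}")
```

The allow-list approach is a heuristic: a process name alone is trivial to spoof, so in production the same logic would key on signer and image hash rather than the file name.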
Microsoft says that there are a number of ways the malicious software can masquerade as legitimate software or software updates.
To avoid being infected with the trojan, users are advised to download software only from legitimate sources. When using Microsoft 365, turn on features like Safe Links and Safe Attachments, and enable network protection features.