StilachiRAT: A Sophisticated Threat in the Cyber Landscape
TL;DR
- Microsoft discovered a new remote access trojan (RAT) named StilachiRAT, which employs advanced techniques for stealth, persistence, and data theft.
- The malware targets browser credentials, digital wallet data, and system information, making it a significant cybersecurity threat.
New Sophisticated Remote Access Trojan: StilachiRAT
Microsoft researchers have uncovered a new remote access trojan (RAT) dubbed StilachiRAT. Discovered in November 2024, the malware is built for stealth, persistence, and data theft: it steals credentials saved in browsers, cryptocurrency wallet extension data, clipboard content, and system information, and its evasion methods make it a formidable threat [1].
Capabilities and Techniques
Microsoft's analysis describes the following capabilities, several of which are also designed to keep the malware from being noticed:
- Persistence: The RAT can run as a standalone component or as a Windows service registered with the service control manager (SCM) [2]. A watchdog thread monitors its files and registry entries and recreates them if they are removed.
- Data Theft: It scans the configuration data of 20 cryptocurrency wallet extensions for Google Chrome in order to steal digital assets. Targeted extensions include Bitget Wallet, Trust Wallet, TronLink, MetaMask, and others.
- Credential Extraction: It reads Chrome's DPAPI-protected encryption_key from the browser's Local State file and decrypts it with Windows APIs in the current user's context. With that key it decrypts the saved logins stored in Chrome's SQLite login database and sends them to the attacker.
- Communication: The C2 address is obfuscated (one entry is a domain, the other an IP stored in binary form), and the malware connects over a randomly chosen TCP port of 53, 443, or 16000. It delays its initial C2 connection by two hours after launch and does not connect if tcpview.exe is running, both of which frustrate short sandbox runs and live network inspection.
- Monitoring: It monitors RDP sessions, capturing foreground-window information and duplicating security tokens so it can launch processes in the context of the active user, which could enable lateral movement.
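The behaviours above map fairly directly onto host-telemetry detections. The script below is an added example (not Microsoft's code or IoCs): it runs four simple rules over constructed Sysmon-style event records, covering a service installed from a user-writable path, a non-browser process reading Chrome's Local State or Login Data, TCP connections on the unusual ports the RAT uses, and an event-log clear. Hostnames, users, paths and the process name updater.exe are hypothetical.

```python
"""Toy detection rules for StilachiRAT-like host behaviour (added example)."""
import re
from typing import Callable, Dict, List, Optional

# Constructed Sysmon-style telemetry mixing benign and suspicious events.
EVENTS: List[Dict] = [
    {"type": "service_installed", "service": "UpdSvc",
     "image_path": r"C:\Users\alice\AppData\Roaming\UpdSvc\updater.exe"},
    {"type": "service_installed", "service": "Dnscache",
     "image_path": r"C:\Windows\System32\svchost.exe -k NetworkService"},
    {"type": "file_read", "process": "chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": "updater.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "process": "updater.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"type": "network_connect", "process": "updater.exe", "proto": "tcp",
     "dst_ip": "203.0.113.10", "dst_port": 53},
    {"type": "network_connect", "process": "svchost.exe", "proto": "udp",
     "dst_ip": "10.0.0.2", "dst_port": 53},
    {"type": "network_connect", "process": "chrome.exe", "proto": "tcp",
     "dst_ip": "198.51.100.7", "dst_port": 443},
    {"type": "network_connect", "process": "updater.exe", "proto": "tcp",
     "dst_ip": "203.0.113.10", "dst_port": 16000},
    {"type": "eventlog_cleared", "channel": "Security", "event_id": 1102,
     "process": "updater.exe"},
]

# Paths an unprivileged user can write to; a service binary there is unusual.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
# The two Chrome files the credential-theft routine needs.
CHROME_SECRETS = re.compile(r"\\User Data\\(Local State|Default\\Login Data)$", re.I)
BROWSER_PROCS = {"chrome.exe", "msedge.exe"}
DNS_CLIENTS = {"svchost.exe", "dns.exe"}  # legitimate TCP/53 users (assumption)


def detect_service_persistence(ev: Dict) -> Optional[str]:
    if ev["type"] == "service_installed" and USER_WRITABLE.search(ev["image_path"]):
        return f"service {ev['service']} installed from user-writable path {ev['image_path']}"
    return None


def detect_browser_secret_access(ev: Dict) -> Optional[str]:
    if (ev["type"] == "file_read" and CHROME_SECRETS.search(ev["target"])
            and ev["process"].lower() not in BROWSER_PROCS):
        return f"{ev['process']} read {ev['target']}"
    return None


def detect_c2_port(ev: Dict) -> Optional[str]:
    # 443 is too common to flag on its own, so only 53 and 16000 are checked.
    if ev["type"] != "network_connect" or ev["proto"] != "tcp":
        return None
    if ev["dst_port"] == 53 and ev["process"].lower() not in DNS_CLIENTS:
        return f"{ev['process']} opened TCP/53 to {ev['dst_ip']} (non-DNS client)"
    if ev["dst_port"] == 16000:
        return f"{ev['process']} opened TCP/16000 to {ev['dst_ip']}"
    return None


def detect_log_clear(ev: Dict) -> Optional[str]:
    # Security 1102 and System 104 are the Windows "log was cleared" events.
    if ev["type"] == "eventlog_cleared" and ev["event_id"] in {1102, 104}:
        return f"{ev['channel']} log cleared by {ev['process']}"
    return None


RULES: Dict[str, Callable[[Dict], Optional[str]]] = {
    "service_persistence": detect_service_persistence,
    "browser_secret_access": detect_browser_secret_access,
    "c2_port": detect_c2_port,
    "log_clear": detect_log_clear,
}


def run_detections(events: List[Dict]) -> List[Dict]:
    """Apply every rule to every event; return one alert per rule hit."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                alerts.append({"rule": name, "process": ev.get("process"), "detail": detail})
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for alert in run_detections(EVENTS):
        print(f"[{alert['rule']}] {alert['detail']}")
```

Because the RAT waits two hours before its first C2 connection and aborts when tcpview.exe is present, a short sandbox run may never show the network behaviour; the file-access and service-installation rules fire at install time and are the more reliable early signal. In a real deployment the port rule would be tuned against a baseline of which processes legitimately use TCP/53.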
Detection Evasion
StilachiRAT evades detection through various methods:
- Log Clearing and Anti-Analysis: The malware clears Windows event logs and checks for analysis tools and sandbox indicators before proceeding.
- API Obfuscation: It encodes API names as checksums and resolves them dynamically at run time, keeping the lookup tables XOR-masked so that neither the import table nor a simple string dump reveals which APIs it uses.
- C2 Commands: The RAT accepts commands to reboot the system, clear logs, steal credentials, run applications, and modify the registry. It can also display dialog boxes, initiate or accept network connections, suspend the system, enumerate open windows, and terminate itself.
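To make the API-obfuscation item concrete, here is an added example of how checksum-based import resolution with an XOR-masked table works, together with the analyst's usual counter-move. This is not StilachiRAT's code: Microsoft's report does not publish its checksum algorithm or mask, so the ROR13-add checksum, the mask 0x5A5A5A5A, and the tiny stand-in export table below are all hypothetical.

```python
"""Checksum-based API resolution with an XOR-masked table, and its recovery (added example)."""
from typing import Dict, List, Optional


def api_checksum(name: str) -> int:
    """Hypothetical 32-bit ROR13-add checksum over the ASCII API name."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + byte) & 0xFFFFFFFF
    return h


MASK = 0x5A5A5A5A  # hypothetical XOR mask a sample would embed as a constant

# The APIs a loader might want, in the order they appear in its table.
WANTED = ["OpenSCManagerW", "CreateServiceW", "CryptUnprotectData"]

# Constructed stand-in for the export tables of advapi32.dll and crypt32.dll:
# name -> hypothetical address. A real loader walks the PE export directory.
EXPORTS: Dict[str, int] = {
    "OpenSCManagerW": 0x7FFA1000, "CreateServiceW": 0x7FFA1100,
    "StartServiceW": 0x7FFA1200, "CryptProtectData": 0x7FFA2000,
    "CryptUnprotectData": 0x7FFA2100, "CryptGenRandom": 0x7FFA2200,
}


def build_masked_table(names: List[str], mask: int) -> List[int]:
    """Author side: ship masked checksums instead of plaintext import names."""
    return [api_checksum(n) ^ mask for n in names]


def resolve_at_runtime(masked_table: List[int], mask: int,
                       exports: Dict[str, int]) -> List[Optional[int]]:
    """Loader side: unmask each entry and compare it with the checksum of every
    export name; only the matching address is kept, the name is never stored."""
    by_hash = {api_checksum(n): addr for n, addr in exports.items()}
    return [by_hash.get(entry ^ mask) for entry in masked_table]


def recover_names(masked_table: List[int], mask: int,
                  candidates: List[str]) -> List[Optional[str]]:
    """Analyst side: hash a candidate list (in practice every export of the DLLs
    the sample loads) and look each unmasked table entry up in it."""
    by_hash = {api_checksum(n): n for n in candidates}
    return [by_hash.get(entry ^ mask) for entry in masked_table]


def recover_mask(masked_table: List[int], candidates: List[str]) -> int:
    """Analyst side when the mask is unknown: every candidate name XORed with
    the first table entry proposes a mask; keep the one explaining most entries."""
    hashes = {api_checksum(n) for n in candidates}
    best_mask, best_score = 0, -1
    for n in candidates:
        mask = api_checksum(n) ^ masked_table[0]
        score = sum((entry ^ mask) in hashes for entry in masked_table)
        if score > best_score:
            best_mask, best_score = mask, score
    return best_mask


if __name__ == "__main__":
    table = build_masked_table(WANTED, MASK)
    print("masked table:", [hex(t) for t in table])
    print("resolved:", [hex(a) for a in resolve_at_runtime(table, MASK, EXPORTS)])
    mask = recover_mask(table, list(EXPORTS))
    print("recovered mask:", hex(mask), "names:", recover_names(table, mask, list(EXPORTS)))
```

The practical point is that hashing hides names from static tools but not from an analyst who has the hash routine (lifted from the binary) and a dictionary of export names: the mask recovery only needs one entry whose name is guessable, and a wrong guess explains almost none of the remaining entries.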
Mitigation and Indicators of Compromise
Microsoft’s report includes mitigations along with indicators of compromise (IoCs) to help organizations detect and defend against StilachiRAT.
Conclusion
StilachiRAT represents a significant advancement in malware sophistication, highlighting the need for robust cybersecurity measures. Organizations must stay vigilant and implement comprehensive security strategies to protect against such threats.
References
- [1] Microsoft Security Blog (2025). “StilachiRAT Analysis: From System Reconnaissance to Cryptocurrency Theft”. Retrieved 2025-03-18.
- [2] Microsoft Learn (2025). “Service Control Manager”. Retrieved 2025-03-18.