While still not widely distributed, a new Windows remote access trojan (RAT) dubbed StilachiRAT is a serious threat.

“[The malware] demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data,” Microsoft threat analysts have warned on Monday.

StilachiRAT

StilachiRAT’s capabilities include:

  • Collection of information that helps paint a picture of the target system: OS/system info, hardware identifiers, BIOS serial number, camera presence, active Remote Desktop Protocol (RDP) sessions, software installation records, and active GUI applications
  • Information/credential theft: StilachiRAT can grab credentials stored in the Chrome browser, read the system’s clipboard and extract data from it (passwords, cryptocurrency keys, and potentially personal identifiers), and target the configuration data of 20 cryptocurrency wallet extensions for the Google Chrome browser (including Coinbase Wallet, MetaMask, and TronLink)
  • RDP monitoring: “StilachiRAT monitors RDP sessions by capturing foreground window information and duplicating security tokens to impersonate users. This is particularly risky on RDP servers hosting administrative sessions as it could enable lateral movement within networks,” the threat analysts say
  • Launching commands received from the command and control (C2) server: the malware can reboot/suspend the system, clear logs, execute apps and check which ones are open, modify Windows registry values, manipulate system windows, establish new outbound connections, and remove itself.

StilachiRAT reaches out to the C2 server via two configured addresses, but only two hours after it was installed and only if TCPView isn’t running. (TCPView is a network monitoring tool that can help spot unexpected outbound connections, and may point to the system belonging to a researcher or analyst.)

Additional anti-forensic measures employed by the malware include clearing security logs, checking for analysis tools and for the presence of a sandbox, and obfuscating Windows API calls (to impede manual analysis). Finally, the malware also has ways to ensure its persistence on targeted computers.

Mitigation and detection

“Microsoft has not yet attributed StilachiRAT to a specific threat actor or geolocation. Based on Microsoft’s current visibility, the malware does not exhibit widespread distribution at this time,” the analysts explained.

They also don’t know how the malware is being distributed to targets, so the general advice on how to avoid downloading and running malware applies here.

Microsoft has shared indicators of compromise and hunting queries that can help threat hunters check for evidence of the malware’s presence: suspicious outbound network connections, signs of persistence, and anti-forensic behavior.
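As an added illustration of what such hunting logic looks like (this script is not part of the article and not one of Microsoft’s published queries), the following correlates constructed endpoint telemetry for three of the behaviors described above: an outbound connection made roughly two hours after a new binary first ran, Security log clearing, and reads of Chrome wallet-extension settings. The event schema, process names and extension IDs are assumptions or placeholders.

```python
from datetime import datetime, timedelta

# Assumed placeholders: an analyst would fill in the real Chrome extension
# IDs of the wallets being hunted for (e.g. MetaMask, Coinbase Wallet).
WALLET_EXT_IDS = {"EXTID_METAMASK_PLACEHOLDER", "EXTID_COINBASE_PLACEHOLDER"}
BEACON_DELAY = timedelta(hours=2)   # article: C2 contact two hours after install
JITTER = timedelta(minutes=15)      # tolerance around that delay

def hunt(events):
    """Return (rule, process) findings from a list of event dicts."""
    findings, first_seen, beaconed = [], {}, set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t, proc = datetime.fromisoformat(e["ts"]), e["process"]
        if e["type"] == "ProcessCreate":
            first_seen.setdefault(proc, t)      # first time this image ran
        elif e["type"] == "NetworkConnect" and not e.get("private_dst"):
            if proc in beaconed:                # only the first dial-out matters
                continue
            beaconed.add(proc)
            seen = first_seen.get(proc)
            # A new image that stays silent for ~2h and then dials out matches
            # the delayed-beacon pattern; treat it as a lead, not a verdict.
            if seen and abs((t - seen) - BEACON_DELAY) <= JITTER:
                findings.append(("delayed_beacon", proc))
        elif e["type"] == "SecurityLogCleared":  # Windows Security event ID 1102
            findings.append(("security_log_cleared", proc))
        elif e["type"] == "FileRead":
            # Chrome keeps per-extension state under Local Extension Settings\<id>
            marker = "\\Local Extension Settings\\"
            path = e["path"].replace("/", "\\")
            if marker in path:
                ext_id = path.split(marker, 1)[1].split("\\")[0]
                if ext_id in WALLET_EXT_IDS:
                    findings.append(("wallet_extension_read", proc))
    return findings

# Constructed telemetry for a demo run; process names and times are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-03-17T09:00:00", "type": "ProcessCreate", "process": "svchost_update.exe"},
    {"ts": "2025-03-17T09:00:05", "type": "ProcessCreate", "process": "chrome.exe"},
    {"ts": "2025-03-17T09:00:06", "type": "NetworkConnect", "process": "chrome.exe"},
    {"ts": "2025-03-17T09:01:00", "type": "FileRead", "process": "svchost_update.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default"
             r"\Local Extension Settings\EXTID_METAMASK_PLACEHOLDER\000003.log"},
    {"ts": "2025-03-17T09:05:00", "type": "SecurityLogCleared", "process": "svchost_update.exe"},
    {"ts": "2025-03-17T11:02:00", "type": "NetworkConnect", "process": "svchost_update.exe"},
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the constructed `svchost_update.exe` on all three rules, while the browser’s immediate connection is left alone.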
