Microsoft this week shared details about StilachiRAT, a persistent piece of malware that enables cybercriminals to steal sensitive data from compromised systems.
The tech giant’s incident response team first spotted StilachiRAT (the name was assigned by Microsoft) in November 2024. Although the malware does not currently appear to be widely distributed, the company wanted to warn users and organizations about it.

Microsoft has not yet linked StilachiRAT, described as a remote access trojan (RAT), to any known threat group or any specific country.
The company did not specify how the RAT was being distributed but noted that such threats could be installed through multiple attack vectors, including trojanized software, malicious websites, and email.
Once it is deployed on a device, the malware gathers information about the system to enable detailed profiling. StilachiRAT then scans the system for configuration data linked to 20 different cryptocurrency wallet Chrome extensions.
The RAT also extracts usernames and passwords stored in Chrome and continuously monitors the clipboard for valuable information such as credentials and cryptocurrency keys.
The malware can also monitor RDP sessions, which could allow an attacker to move laterally within the compromised network.
According to Microsoft, StilachiRAT can execute various commands, including rebooting the system, clearing logs, manipulating registry entries, and executing applications.
For persistence, the malware registers itself through the Windows Service Control Manager and runs a watchdog thread that restores the malware if it is deleted.

The RAT also has anti-forensic and evasion capabilities.
“StilachiRAT exhibits anti-forensics behavior by clearing event logs and examining certain system conditions to avoid detection. This includes looping checks for analysis tools and sandbox timers, which prevent its full activation in the virtual environments commonly used for malware analysis,” Microsoft explained.
“Additionally, Windows API calls are obfuscated in several ways and use custom algorithms to encode many text strings and values. This significantly slows down analysis time as extrapolating to higher-level logic and code design becomes a more complex endeavor,” it added. “The malware uses API-level obfuscation techniques to circumvent manual analysis, specifically by hiding its use of the Windows API.”
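Two of the behaviors described above, persistence through the Service Control Manager and the clearing of event logs, leave records in standard Windows event logs that defenders can hunt for regardless of the specific malware family. The script below is an added example, not code from Microsoft or from the StilachiRAT report: it runs over a constructed set of exported event records (a simplified stand-in for a SIEM or `Get-WinEvent | ConvertTo-Json` export) and flags new services whose binary lives outside the usual system directories, then escalates any log clearing that follows such an install. The event IDs used (7045 service installed, 1102 Security log cleared, 104 System log cleared) are standard Windows IDs; the sample service names, paths and timestamps are invented for the demonstration.

```python
"""Hunt for SCM-based persistence followed by event-log clearing in exported
Windows event records. Added example; the event record shape and the sample
data are constructed, the event IDs are standard Windows ones."""
from datetime import datetime, timedelta

# (Channel, EventID) pairs that record an event log being cleared.
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}

# Directories a legitimately installed service binary usually runs from.
# A service pointing into a user profile, Temp or ProgramData deserves a look.
# Caveat: a binary dropped into System32 by an administrator-level implant
# would pass this check, so treat it as one signal among several.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def service_binary(image_path: str) -> str:
    """Extract the executable from an ImagePath such as
    '"C:\\Users\\a\\AppData\\Roaming\\x.exe" -svc' or
    '%SystemRoot%\\System32\\svchost.exe -k netsvcs', normalised to lower case."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]          # quoted path, arguments follow
    else:
        p = p.split(" ", 1)[0]              # unquoted path, first token
    p = p.lower().replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")
    if p.startswith("\\??\\"):               # NT object-manager prefix
        p = p[4:]
    return p


def suspicious_service_installs(events):
    """Return 7045 (service installed) events whose binary is outside trusted dirs."""
    found = []
    for ev in events:
        if (ev["Channel"], ev["Provider"], ev["EventID"]) != ("System", "Service Control Manager", 7045):
            continue
        binary = service_binary(ev["Data"].get("ImagePath", ""))
        if not binary.startswith(TRUSTED_SERVICE_DIRS):
            found.append({"time": datetime.fromisoformat(ev["TimeCreated"]),
                          "service": ev["Data"].get("ServiceName", "?"),
                          "binary": binary,
                          "account": ev["Data"].get("AccountName", "?")})
    return found


def log_clear_events(events):
    """Return the 1102 / 104 events that record a log being cleared."""
    return [ev for ev in events if (ev["Channel"], ev["EventID"]) in LOG_CLEAR_EVENTS]


def hunt(events, window=timedelta(minutes=30)):
    """Combine both signals. A lone suspicious service or log clear is 'medium';
    a log clear within `window` after a suspicious service install is 'high'."""
    findings = []
    installs = suspicious_service_installs(events)
    for inst in installs:
        findings.append({"severity": "medium", "rule": "service_outside_trusted_dirs", **inst})
    for ev in log_clear_events(events):
        t = datetime.fromisoformat(ev["TimeCreated"])
        related = [i["service"] for i in installs if timedelta(0) <= t - i["time"] <= window]
        findings.append({"severity": "high" if related else "medium",
                         "rule": "event_log_cleared", "time": t,
                         "channel": ev["Channel"], "related_services": related})
    return findings


# Constructed sample export: one benign service install, one suspicious install
# from a user profile directory, then both the Security and System logs cleared.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-03-14T08:30:00", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7045, "Data": {"ServiceName": "VendorUpdateSvc", "AccountName": "LocalSystem",
                               "ImagePath": '"C:\\Program Files\\Vendor\\update.exe" /service'}},
    {"TimeCreated": "2025-03-14T09:00:00", "Channel": "System", "Provider": "Service Control Manager",
     "EventID": 7045, "Data": {"ServiceName": "WindowsUpdateHelper", "AccountName": "LocalSystem",
                               "ImagePath": '"C:\\Users\\alice\\AppData\\Roaming\\wuhelper.exe" -svc'}},
    {"TimeCreated": "2025-03-14T09:02:00", "Channel": "Security", "Provider": "Microsoft-Windows-Security-Auditing",
     "EventID": 4688, "Data": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}},
    {"TimeCreated": "2025-03-14T09:04:10", "Channel": "Security", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 1102, "Data": {"SubjectUserName": "alice"}},
    {"TimeCreated": "2025-03-14T09:04:12", "Channel": "System", "Provider": "Microsoft-Windows-Eventlog",
     "EventID": 104, "Data": {"SubjectUserName": "alice", "Channel": "System"}},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], f.get("service") or f.get("channel"), f.get("related_services", ""))
```

Because a watchdog thread restores a deleted service, the 7045 event may appear more than once for the same service name; a follow-up rule that counts repeated installs of one name within a short window is a natural extension of the same data.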