Microsoft Incident Response researchers discovered StilachiRAT, a sophisticated remote access trojan (RAT) designed to evade detection, maintain persistence, and exfiltrate sensitive data. Through its WWStartupCtrl64.dll module, the malware targets a range of data, including browser credentials, digital wallet details, clipboard contents, and system information.
Microsoft has yet to attribute the RAT to a specific threat actor. StilachiRAT gathers detailed system information, including OS data, device identifiers, and BIOS serial numbers, and uses WMI Query Language to collect this information. It specifically targets Google Chrome's cryptocurrency wallet extensions and decrypts Chrome's master encryption key to access stored credentials.
StilachiRAT can run either as a Windows service or as a standalone component, and employs watchdog mechanisms to ensure persistence. It also monitors RDP sessions, impersonates users by duplicating their security tokens, and can launch applications with elevated privileges. The malware tracks user activity by monitoring GUI windows, installed software, and clipboard data, and sends this information to its command-and-control (C2) server.
To avoid detection, StilachiRAT employs anti-forensic techniques, such as clearing event logs and detecting sandbox environments. It is capable of executing a wide range of commands, including credential theft, system manipulation, and espionage.
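As an added example (not Microsoft's code or any StilachiRAT artifact), the triage below correlates the behaviours described above over constructed Windows event records: service installation referencing WWStartupCtrl64.dll, WMI system profiling, non-Chrome access to Chrome's master-key file ("Local State"), and log clearing. The event IDs are standard Windows Security/System log IDs; the field names, paths and sample records are this example's assumptions.

```python
import json
import re

# Event IDs: 7045 service installed, 4688 process created (command-line
# auditing on), 4663 object accessed (needs a SACL on the Chrome profile),
# 1102 / 104 Security or System log cleared. WWStartupCtrl64.dll is named in
# the report; all other values here are assumptions of this example.
CHROME_LOCAL_STATE = re.compile(r"\\google\\chrome\\user data\\local state$", re.I)
WMI_PROFILING = re.compile(r"win32_(bios|computersystemproduct|operatingsystem)", re.I)

RULES = {
    # Assumes the DLL is referenced on the service command line; a
    # svchost-hosted service would need the ServiceDll registry value instead.
    "service_persistence": lambda e: e["EventID"] == 7045
        and "wwstartupctrl64.dll" in e.get("ImagePath", "").lower(),
    # Only catches WMI queries issued via wmic/PowerShell command lines;
    # in-process COM queries need WMI-Activity logging instead.
    "wmi_system_profiling": lambda e: e["EventID"] == 4688
        and WMI_PROFILING.search(e.get("CommandLine", "")) is not None,
    "chrome_master_key_access": lambda e: e["EventID"] == 4663
        and CHROME_LOCAL_STATE.search(e.get("ObjectName", "")) is not None
        and not e.get("ProcessName", "").lower().endswith("chrome.exe"),
    "event_log_cleared": lambda e: e["EventID"] in (1102, 104),
}

def triage(records):
    """Map host -> sorted list of rule names that fired on that host."""
    hits = {}
    for line in records:
        e = json.loads(line)
        for name, match in RULES.items():
            if match(e):
                hits.setdefault(e["Computer"], set()).add(name)
    return {h: sorted(r) for h, r in hits.items()}

def flag_hosts(records, min_rules=2):
    """Hosts where at least min_rules distinct behaviours co-occur."""
    return sorted(h for h, r in triage(records).items() if len(r) >= min_rules)

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE = [
    '{"Computer":"WS01","EventID":7045,"ImagePath":"C:\\\\ProgramData\\\\svc\\\\WWStartupCtrl64.dll"}',
    '{"Computer":"WS01","EventID":4688,"CommandLine":"wmic path Win32_BIOS get SerialNumber"}',
    '{"Computer":"WS01","EventID":4663,"ProcessName":"C:\\\\ProgramData\\\\svc\\\\host.exe","ObjectName":"C:\\\\Users\\\\a\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State"}',
    '{"Computer":"WS01","EventID":1102}',
    '{"Computer":"WS02","EventID":4663,"ProcessName":"C:\\\\Program Files\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe","ObjectName":"C:\\\\Users\\\\b\\\\AppData\\\\Local\\\\Google\\\\Chrome\\\\User Data\\\\Local State"}',
    '{"Computer":"WS03","EventID":104}',
]

if __name__ == "__main__":
    print(triage(SAMPLE))
    print(flag_hosts(SAMPLE))
```

A single log-clear event (WS03) or Chrome reading its own Local State (WS02) is not flagged; only the host where several of the described behaviours co-occur is.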