Microsoft Uncovers StilachiRAT: A Sophisticated Malware Targeting Credentials and Crypto Wallets

Microsoft has identified a new remote access trojan (RAT) named StilachiRAT, which employs advanced evasion techniques to remain undetected while stealing sensitive information from compromised systems.

The malware, discovered in November 2024, is designed to extract browser credentials, cryptocurrency wallet data, clipboard contents, and system details, making it a versatile cyber espionage tool.

StilachiRAT’s Capabilities and Evasion Tactics

StilachiRAT operates within a DLL module (WWStartupCtrl64.dll) and has yet to be attributed to any specific cybercriminal group. Microsoft has not determined its exact delivery method but warns that trojans like this can infiltrate systems through multiple attack vectors.

Once inside a system, StilachiRAT gathers extensive details, including OS information, BIOS serial numbers, active RDP sessions, GUI applications, and webcam presence. It accomplishes this through Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces and WMI Query Language (WQL).

The malware specifically targets cryptocurrency wallets stored in Google Chrome, including MetaMask, Trust Wallet, Coinbase Wallet, and several others. Additionally, it extracts Chrome-stored credentials, monitors active RDP sessions, and periodically captures clipboard data, which may contain passwords or financial information.

Command and Control: A Powerful Espionage Tool

StilachiRAT maintains two-way communication with its command-and-control (C2) server, allowing it to execute at least 10 different commands, including:

  • Displaying fake HTML pop-ups to deceive users
  • Clearing event logs to hinder forensic investigations
  • Shutting down systems via an undocumented Windows API
  • Establishing outbound and inbound network connections
  • Killing active network connections
  • Launching applications on command
  • Enumerating open windows to locate specific targets
  • Stealing Chrome passwords

To further evade detection, the malware continuously monitors for analysis tools and sandbox environments, ensuring it does not fully activate in security research setups.

Separately from Microsoft's findings, Palo Alto Networks Unit 42 has reported three distinct malware samples observed in the past year:

  1. A passive IIS backdoor that executes hidden commands through specially crafted HTTP requests.
  2. A bootkit using an unsecured kernel driver (ampa.sys) to install a GRUB 2 bootloader, potentially as a proof-of-concept (PoC) experiment.
  3. A Windows implant of ProjectGeass, a cross-platform post-exploitation framework built in C++.

One particularly bizarre discovery is that the GRUB 2 bootloader variant plays the song "Dixie" through a compromised system’s PC speaker after rebooting, leading researchers to speculate it may be an offensive cybersecurity prank rather than a full-fledged attack.

With StilachiRAT and other emerging threats, Microsoft and cybersecurity experts continue to urge organizations to strengthen their defenses, particularly against stealthy malware designed for long-term persistence and data theft.