Full Report
Microsoft has discovered a new remote access trojan (RAT) that employs "sophisticated techniques" to avoid detection, ensure persistence, and extract sensitive data. [...]
Analysis Summary
# Tool/Technique: StilachiRAT
## Overview
StilachiRAT is a new Remote Access Trojan (RAT) malware identified by Microsoft, primarily used for cryptocurrency theft and reconnaissance activities. It exhibits advanced persistence mechanisms and focuses on compromising systems accessible via Remote Desktop Protocol (RDP).
## Technical Details
- Type: Malware family (RAT)
- Platform: Windows
- Capabilities: Establishing persistence via SCM monitoring, RDP session hijacking, credential theft, command execution, anti-analysis/evasion.
- First Seen: Not explicitly mentioned, but described as "new."
## MITRE ATT&CK Mapping
* **TA0003 - Persistence**
  * T1543 - Create or Modify System Process
    * T1543.003 - Windows Service
* **TA0005 - Defense Evasion**
  * T1070 - Indicator Removal
    * T1070.001 - File Deletion
  * T1497 - Virtualization/Sandbox Evasion
* **TA0011 - Command and Control**
  * T1090 - Proxy
    * T1090.003 - Domain Fronting (if proxying involves traffic obfuscation)
* **TA0002 - Execution**
  * T1059 - Command and Scripting Interpreter
* **TA0004 - Privilege Escalation**
  * T1134 - Access Token Manipulation
    * T1134.001 - Make Token or Privilege of Another Process
## Functionality
### Core Capabilities
- **Persistence:** Utilizes watchdog threads to monitor its binaries via the Windows Service Control Manager (SCM), automatically recreating the malware if it is removed or stopped.
- **Command Execution:** Executes arbitrary commands received from the Command and Control (C2) server, including system suspension, registry modification, and window manipulation.
- **Reconnaissance:** Enumerates active RDP sessions, captures foreground window information, and steals credentials.
- **Log Clearing:** Includes functionality to clear system event logs as an anti-forensics measure.
### Advanced Features
- **RDP Session Hijacking/Lateral Movement:** Clones security tokens from active RDP sessions, allowing the malware to impersonate logged-in users (often administrators) and move laterally within the network, especially on infrastructure hosting critical RDP servers.
- **Anti-Analysis/Evasion:** Checks whether it is running inside a sandbox environment. Windows API calls are heavily obfuscated: rather than being imported by name, they are resolved dynamically at runtime from encoded "checksums," which hinders both static and dynamic analysis.
- **Proxying:** Supports SOCKS-like proxying capabilities through C2 instructions, potentially facilitating communication through the compromised host.
## Indicators of Compromise
- *Note: Specific hashes, file names, and network indicators were not provided in the source text extract.*
- File Hashes: [Not provided]
- File Names: [Not provided]
- Registry Keys: [Not provided - Implies registry modification capability]
- Network Indicators: [Not provided - C2 communication implied]
- Behavioral Indicators: Monitoring SCM for self-preservation, cloning security tokens of RDP user sessions, dynamic resolution of API calls, clearing event logs.
## Associated Threat Actors
- Not explicitly named, but attributed to threat actors targeting crypto assets and conducting generalized reconnaissance.
## Detection Methods
- Signature-based detection: **[Not provided]**
- Behavioral detection: Watch for processes that poll the SCM and re-create their own service after it is stopped or removed (self-preservation), unusual duplication of security tokens across different RDP sessions, dynamic API-resolution patterns (no meaningful import table, hash-style lookups at runtime), and clearing of event logs.
- YARA rules: **[Not provided]**
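Two of the behaviours listed under Functionality (the SCM watchdog that re-creates its service, and event log clearing) leave a recognisable trail in the Windows event logs, and the behavioral detection point above can be turned into concrete checks over those logs. The script below is an added example written for this summary; it is not from Microsoft's report and contains no StilachiRAT indicators. The event records are constructed sample data in a simplified export format (the service name `PlaceholderSvc` and the paths are placeholders), while the event IDs themselves are the standard Windows ones: System 7045 (a new service was installed), Security 1102 (the audit log was cleared) and System 104 (the System log was cleared). The service-recreation threshold and one-hour window are assumptions to tune against your own baseline.

```python
"""Behavioral checks for two RAT-style behaviours: event log clearing and
watchdog-style re-creation of the same service. Added example, not report code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not taken from the report). Field names are a
# simplified stand-in for a Windows event log export; service names and
# image paths are placeholders.
SAMPLE_EVENTS = [
    {"ts": "2024-01-01T10:00:00", "channel": "System", "id": 7045,
     "service": "PlaceholderSvc", "image": r"C:\ProgramData\placeholder.exe"},
    {"ts": "2024-01-01T10:05:00", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "admin"},
    {"ts": "2024-01-01T10:20:00", "channel": "System", "id": 7045,
     "service": "PlaceholderSvc", "image": r"C:\ProgramData\placeholder.exe"},
    {"ts": "2024-01-01T10:21:00", "channel": "Security", "id": 1102, "user": "admin"},
    {"ts": "2024-01-01T10:40:00", "channel": "System", "id": 7045,
     "service": "PlaceholderSvc", "image": r"C:\ProgramData\placeholder.exe"},
    {"ts": "2024-01-02T09:00:00", "channel": "System", "id": 7045,
     "service": "LegitBackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2024-01-02T09:30:00", "channel": "System", "id": 104, "user": "SYSTEM"},
]

# (channel, event id) pairs that record a log being cleared.
LOG_CLEAR_IDS = {("Security", 1102), ("System", 104)}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_log_clearing(events):
    """Return every event that records an event log being cleared (anti-forensics)."""
    return [e for e in events if (e["channel"], e["id"]) in LOG_CLEAR_IDS]


def detect_service_recreation(events, window=timedelta(hours=1), threshold=3):
    """Flag service names installed `threshold` or more times within any `window`.

    A watchdog thread that re-registers its own service each time it is removed
    produces repeated 7045 events for one name; a normal installer produces one.
    Returns {service_name: install_count_in_window}.
    """
    installs = defaultdict(list)
    for e in events:
        if e["channel"] == "System" and e["id"] == 7045:
            installs[e["service"]].append(_ts(e))

    flagged = {}
    for name, times in installs.items():
        times.sort()
        # Sliding window: for each install, count later installs within `window`.
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flagged[name] = j - i
                break
    return flagged


def run_checks(events):
    """Run both checks and return a compact summary suitable for alerting."""
    return {
        "log_cleared": [(e["channel"], e["id"], e["ts"]) for e in detect_log_clearing(events)],
        "service_recreation": detect_service_recreation(events),
    }


if __name__ == "__main__":
    for check, result in run_checks(SAMPLE_EVENTS).items():
        print(f"{check}: {result}")
```

On the sample data the log-clearing check returns the two clearing events and the service check flags `PlaceholderSvc` (three installs in forty minutes) while leaving the one-off `LegitBackupAgent` install alone. In production you would feed real 7045/1102/104 records from your SIEM and pair the service alert with the binary path, since a re-created service pointing at a user-writable directory is a much stronger signal than the repetition alone.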
## Mitigation Strategies
- Downloading software exclusively from official, trusted websites.
- Employing security software capable of blocking known or malicious C2 domains and preventing the execution of suspicious email attachments.
- Monitoring and restricting privileged RDP sessions and ensuring robust monitoring on machines hosting administrative sessions.
## Related Tools/Techniques
- Other RATs focusing on persistence and credential theft, likely utilizing similar RDP/token manipulation techniques for lateral movement.