Full Report
Microsoft is calling attention to a novel remote access trojan (RAT) named StilachiRAT that it said employs advanced techniques to sidestep detection and persist within target environments with an ultimate aim to steal sensitive data. The malware contains capabilities to "steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored
Analysis Summary
# Tool/Technique: StilachiRAT
## Overview
StilachiRAT is a novel Remote Access Trojan (RAT) identified by Microsoft that employs advanced techniques to evade detection and maintain persistence. Its primary goal is to steal sensitive information, including credentials, cryptocurrency wallet data, and clipboard contents, from compromised systems.
## Technical Details
- Type: Malware family (Remote Access Trojan - RAT)
- Platform: Windows (Implied by use of DLLs and WMI)
- Capabilities: Information theft (credentials, wallet data, clipboard), system reconnaissance, remote command execution, anti-forensics.
- First Seen: November 2024 (Discovered by Microsoft)
## MITRE ATT&CK Mapping
*Note: Specific mappings are inferred based on described functionality, as the article does not provide a direct mapping table.*
- **TA0001 - Initial Access**
  - (Delivery vector not identified in the article)
- **TA0005 - Defense Evasion**
  - T1070 - Indicator Removal
  - T1070.001 - Indicator Removal: Clear OS Log
- **TA0009 - Collection**
  - T1005 - Data from Local System
  - T1119 - Automated Collection
  - T1552 - Credentials from Web Browsers
  - T1552.001 - Credentials from Password Stores (Browsers)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol (implied by the two-way C2 channel)
## Functionality
### Core Capabilities
- **System Information Gathering:** Collects extensive details including OS version, hardware identifiers, BIOS serial numbers, camera presence, running RDP sessions, and active GUI applications using WMI Query Language (WQL) via COM WBEM interfaces.
- **Credential Theft:** Specifically targets and steals credentials stored within the Google Chrome web browser.
- **Cryptocurrency Wallet Theft:** Targets information related to numerous installed cryptocurrency wallet extensions in Chrome (e.g., MetaMask, Trust Wallet, Phantom, Coinbase Wallet).
- **Clipboard Monitoring:** Periodically harvests data stored in the system clipboard, including passwords and cryptocurrency wallet seeds/keys.
- **Remote Control:** Establishes two-way Command and Control (C2) communication, allowing it to receive and execute instructions from the remote server.
### Advanced Features
- **Anti-Forensics:** Implements behavior to clear system event logs to hinder forensic analysis.
- **System Control:** Capable of suspending/hibernating the system (`ntdll.dll!NtShutdownSystem`), launching processes, and managing network connections.
- **Versatile C2 Commands:** Supports at least 10 distinct commands for execution, including displaying HTML content via URL, clearing logs, managing system power state, establishing new network connections (inbound/outbound), and enumerating open windows to search for specific titles.
## Indicators of Compromise
- File Hashes: [Not provided in the article]
- File Names: `WWStartupCtrl64.dll` (RAT feature module)
- Registry Keys: [Not provided in the article]
- Network Indicators: [C2 servers/domains are not explicitly listed, but communication relies on establishing outbound connections to a remote server.]
- Behavioral Indicators: Use of WQL queries via COM interfaces for system reconnaissance; clearing of Windows Event Logs; attempts to steal data from specified Chrome browser wallet extensions.
## Associated Threat Actors
- [Not attributed to any specific threat actor or country.]
## Detection Methods
- Signature-based detection: Signatures matching the known feature module (`WWStartupCtrl64.dll`) or its C2 traffic patterns.
- Behavioral detection: Monitoring for unusual WMI/WQL queries requesting sensitive system details (OS version, BIOS serial, hardware identifiers), for non-browser processes reading the Chrome password database, and for clearing of Windows event logs.
- YARA rules: [Not provided in the article]
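The behavioral detections listed above can be combined into a simple per-host triage, since each indicator alone (a WQL query, a read of Chrome's credential store, a cleared log) also occurs benignly. The following is an added example and is not code from Microsoft or from the report. The telemetry records are constructed and use a hypothetical, simplified schema (`host`, `source`, `event_id`, `process`, `detail`) standing in for EDR/Sysmon and Windows event data; the process names `loader.exe` and the extension ID `abcdefgh` are placeholders. Real values used: Security Event ID 1102 and System Event ID 104 mark log clearing, Chrome keeps saved logins in `User Data\<profile>\Login Data` and extension storage under `Local Extension Settings`. The WQL class list and the WMI client allow-list are assumptions about which classes would answer the reconnaissance queries the report describes and which processes issue them routinely.

```python
"""Behavioural triage for the StilachiRAT indicators summarised above.

Added example (not Microsoft's code). Telemetry schema and sample events are
constructed; see the lead-in for which values are real and which are assumed.
"""
import re
from collections import defaultdict

# Assumed WQL classes that return the data the report says the RAT collects.
RECON_WQL_CLASSES = {
    "Win32_OperatingSystem",        # OS version
    "Win32_BIOS",                   # BIOS serial number
    "Win32_ComputerSystemProduct",  # hardware identifiers / UUID
    "Win32_PnPEntity",              # device (e.g. camera) presence
}
# Processes expected to issue such queries routinely (assumed allow-list).
EXPECTED_WMI_CLIENTS = {"wmiprvse.exe", "svchost.exe", "mmc.exe"}

WQL_FROM = re.compile(r"\bFROM\s+(Win32_\w+)", re.IGNORECASE)
CHROME_LOGIN_DATA = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.IGNORECASE)
CHROME_EXT_STORAGE = re.compile(
    r"\\Google\\Chrome\\User Data\\[^\\]+\\Local Extension Settings\\", re.IGNORECASE)
# Real Windows event IDs: Security 1102 and System 104 record a cleared log.
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def classify(event):
    """Return the indicator category an event matches, or None if benign."""
    proc = (event.get("process") or "").lower()
    src, detail = event["source"], event.get("detail", "")
    if (src, event.get("event_id")) in LOG_CLEARED:
        return "log_cleared"
    if src == "wmi_query" and proc not in EXPECTED_WMI_CLIENTS:
        m = WQL_FROM.search(detail)
        if m and m.group(1) in RECON_WQL_CLASSES:
            return "wql_recon"
    # Chrome itself reading its own stores is normal; other readers are not.
    if src == "file_read" and not proc.endswith("chrome.exe"):
        if CHROME_LOGIN_DATA.search(detail):
            return "chrome_credentials"
        if CHROME_EXT_STORAGE.search(detail):
            return "chrome_wallet_extension"
    return None


def triage(events):
    """Group matched indicators per host; two or more distinct categories -> high."""
    per_host = defaultdict(lambda: defaultdict(set))
    for ev in events:
        cat = classify(ev)
        if cat:
            per_host[ev["host"]][cat].add(ev.get("process") or "?")
    return {
        host: {
            "indicators": {k: sorted(v) for k, v in cats.items()},
            "verdict": "high" if len(cats) >= 2 else "low",
        }
        for host, cats in per_host.items()
    }


# Constructed sample telemetry: ws01 shows the chained behaviour, ws02 only benign activity.
SAMPLE_EVENTS = [
    {"host": "ws01", "source": "wmi_query", "process": "loader.exe",
     "detail": "SELECT SerialNumber FROM Win32_BIOS"},
    {"host": "ws01", "source": "wmi_query", "process": "loader.exe",
     "detail": "SELECT Caption, Version FROM Win32_OperatingSystem"},
    {"host": "ws01", "source": "file_read", "process": "loader.exe",
     "detail": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"host": "ws01", "source": "file_read", "process": "loader.exe",
     "detail": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abcdefgh\000003.log"},
    {"host": "ws01", "source": "Security", "event_id": 1102, "process": "",
     "detail": "The audit log was cleared"},
    {"host": "ws02", "source": "wmi_query", "process": "wmiprvse.exe",
     "detail": "SELECT * FROM Win32_BIOS"},
    {"host": "ws02", "source": "file_read", "process": "chrome.exe",
     "detail": r"C:\Users\bob\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["indicators"])
```

Scoring on distinct indicator categories per host, rather than alerting on any single match, keeps routine WMI inventory and Chrome's own file access out of the queue while still surfacing a host where reconnaissance, credential-store access and log clearing occur together.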
## Mitigation Strategies
- Implement robust endpoint detection and response (EDR) capable of monitoring WMI activity and process injection/persistence mechanisms.
- Regularly audit and restrict permissions for processes accessing sensitive user data stores (e.g., Chrome browser directories).
- Use application allow-listing to prevent the execution of unauthorized DLLs or executables.
- Employ security measures that actively monitor and prevent the clearing of security event logs.
- Exercise caution with emails or downloads, as initial access vectors for such RATs are often phishing or malware droppers.
## Related Tools/Techniques
- General RATs capable of credential harvesting and remote command execution.
- Malware families that specifically target cryptocurrency browser extensions.