New Remote Access Trojan Identified by Microsoft Researchers
Microsoft researchers have recently uncovered a new remote access trojan (RAT) called StilachiRAT. This malicious software is specifically designed to steal cryptocurrency wallet data, credentials, and system information from compromised devices. The discovery was made public by Microsoft on March 17.
Stealthy and Dangerous
StilachiRAT was first detected in November 2024 and is known for its stealth techniques and anti-forensic measures, making it difficult to detect. While the threat actor behind StilachiRAT remains unknown, security experts have expressed concerns about the potential cybersecurity risks it poses, especially for individuals dealing with cryptocurrencies.
Capabilities of StilachiRAT
- Scans and extracts data from 20 different cryptocurrency wallet extensions in Google Chrome
- Decrypts saved Chrome passwords and monitors clipboard activity for sensitive financial data
- Establishes remote command-and-control connections via TCP ports 53, 443, and 16000
- Monitors active Remote Desktop Protocol sessions and enables lateral movement across networks
- Utilizes persistence mechanisms to reinstate itself if removed
Protection and Response
To mitigate the risks associated with StilachiRAT, Microsoft has provided the following recommendations:
- Download software only from official sources to avoid malware infiltration
- Enable network protection in Microsoft Defender for Endpoint
- Activate Safe Links and Safe Attachments in Microsoft 365 to prevent phishing attacks
Microsoft Defender XDR has been updated to detect StilachiRAT activity. Security professionals are advised to monitor network traffic, inspect system modifications, and track unauthorized service installations to identify potential infections.
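The monitoring advice above can be turned into a concrete triage check. The following is an added example, not code from Microsoft's report: it scans constructed network-connection and service-installation log lines for the two behaviours the article describes, outbound TCP connections on the listed command-and-control ports (53, 443, 16000) from processes that would not normally use them, and new services (Windows System log Event ID 7045) whose binary sits outside a trusted directory. The log format, process allowlists, trusted directories and sample entries are assumptions made for the example.

```python
"""
Added detection example (not from the Microsoft report). Triage constructed
log lines for the StilachiRAT behaviours described in the article:
  - TCP connections to ports 53, 443 or 16000 from unexpected processes
  - service installations (Event ID 7045) with binaries in untrusted paths
Log format, allowlists and sample data are assumptions for illustration.
"""
import re
from collections import namedtuple

# Ports the article lists for StilachiRAT's command-and-control traffic.
C2_PORTS = {53, 443, 16000}

# Assumption: on a typical Windows host, DNS over TCP 53 is issued by the
# DNS Client service inside svchost.exe, and HTTPS on 443 by browsers or
# Windows services. Nothing legitimate is expected on 16000.
EXPECTED_PORT_PROCESSES = {
    53: {"svchost.exe"},
    443: {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"},
    16000: set(),
}

# Assumption: service binaries installed by legitimate software live here.
TRUSTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

Finding = namedtuple("Finding", "kind detail")

# Constructed log formats: one for connection telemetry, one for Event 7045.
CONN_RE = re.compile(
    r"^(?P<ts>\S+) conn proc=(?P<proc>\S+) pid=(?P<pid>\d+) proto=(?P<proto>tcp|udp) "
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)
SVC_RE = re.compile(
    r'^(?P<ts>\S+) eventid=7045 service="(?P<name>[^"]+)" image="(?P<image>[^"]+)"$'
)


def check_connection(line):
    """Flag TCP connections on a C2 port from a process not expected to use it."""
    m = CONN_RE.match(line)
    if not m:
        return None
    port = int(m["port"])
    proc = m["proc"].lower()
    if m["proto"] != "tcp" or port not in C2_PORTS:
        return None
    if proc in EXPECTED_PORT_PROCESSES[port]:
        return None
    return Finding("suspicious_c2_port", f"{proc} (pid {m['pid']}) -> {m['dst']}:{port}")


def check_service_install(line):
    """Flag Event 7045 entries whose service binary is outside trusted directories."""
    m = SVC_RE.match(line)
    if not m:
        return None
    if m["image"].lower().startswith(TRUSTED_SERVICE_DIRS):
        return None
    return Finding("untrusted_service_install", f"{m['name']} -> {m['image']}")


def triage(lines):
    """Run every check over every line and collect the findings in order."""
    findings = []
    for line in lines:
        for check in (check_connection, check_service_install):
            finding = check(line.strip())
            if finding:
                findings.append(finding)
    return findings


# Constructed sample telemetry: two benign connections, two from an unknown
# binary on C2 ports, one service install from a user-writable path, one
# from System32.
SAMPLE_LOG = """\
2025-03-17T10:00:01Z conn proc=svchost.exe pid=1204 proto=tcp dst=10.0.0.53:53
2025-03-17T10:00:02Z conn proc=chrome.exe pid=4410 proto=tcp dst=203.0.113.10:443
2025-03-17T10:00:03Z conn proc=updater.exe pid=5120 proto=tcp dst=198.51.100.7:53
2025-03-17T10:00:04Z conn proc=updater.exe pid=5120 proto=tcp dst=198.51.100.7:16000
2025-03-17T10:00:05Z eventid=7045 service="WinDefendHelper" image="C:\\Users\\Public\\helper.exe"
2025-03-17T10:00:06Z eventid=7045 service="PrintSpoolerExt" image="C:\\Windows\\System32\\spoolsv2.exe"
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.kind, finding.detail)
```

Ports 53 and 443 carry a great deal of legitimate traffic, so the port check is only useful when paired with the process context shown here; on its own it would flood an analyst with browser and DNS resolver connections. The service-path check is deliberately conservative: a binary under a trusted directory can still be malicious, so a hit is a prioritisation signal for the manual inspection the article recommends, not a verdict.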
Continuous Monitoring and Updates
While widespread distribution of StilachiRAT has not been observed, Microsoft emphasizes the importance of vigilance as threat actors constantly evolve their malware to bypass security measures. The company is committed to monitoring the situation closely and will provide updates through its Threat Intelligence Blog.