StilachiRAT: A Silent Intruder in Your System, Stealing Data and Crypto Assets


Microsoft Incident Response identified a new Remote Access Trojan (RAT) named StilachiRAT, which demonstrates advanced stealth techniques, persistence mechanisms, and data exfiltration capabilities. This malware is designed to evade detection, maintain long-term access to infected systems, and steal sensitive information, particularly focusing on cryptocurrency wallets and credentials.

Severity Level: High

KEY CAPABILITIES OF STILACHIRAT

1. System Reconnaissance:

  • Collects detailed system information, including OS type, hardware identifiers, and active applications.
  • Monitors RDP sessions, enabling potential lateral movement within networks.

2. Credential Theft:

  • Extracts and decrypts saved login credentials from Google Chrome.
  • Retrieves encryption keys and login data to gain access to stored passwords.

3. Cryptocurrency Wallet Targeting:

  • Scans for 20 different cryptocurrency wallet extensions in Google Chrome.
  • Targets wallets such as MetaMask, Trust Wallet, Coinbase Wallet, and TronLink to steal digital assets.

4. Command-and-Control (C2) Communication:

  • Establishes a connection to remote servers via TCP ports 53, 443, or 16000.
  • Communicates with the C2 domain app[.]95560[.]cc and IP 194.195.89[.]47.
  • Delays the initial connection by two hours to evade detection.

5. Persistence and Evasion Techniques:

  • Achieves persistence by using the Windows Service Control Manager (SCM) and watchdog threads.
  • Actively monitors and reinstalls itself if removed from the system.
  • Implements anti-forensics techniques, including event log clearing and sandbox evasion.

6. Clipboard and Data Collection:

  • Continuously monitors clipboard activity to extract sensitive information like passwords and cryptocurrency keys.
  • Scans user directories (%USERPROFILE%\Desktop, %USERPROFILE%\Recent) for valuable files.

7. Remote Execution and System Manipulation:

  • Receives and executes commands from the C2 server, including system reboot, registry modification, and launching applications.
  • Can impersonate users in RDP sessions, allowing unauthorized access and potential privilege escalation.
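The C2 indicators in section 4 are published defanged. The following PowerShell is an added example, not part of the advisory or of Microsoft's analysis: it refangs those indicators and scans log lines for the domain, the address and the three TCP ports. The key=value log layout, the function names and the sample lines are assumptions constructed for this example.

```powershell
# Added example, not taken from the advisory: refang the defanged C2 indicators
# quoted in section 4 and scan DNS / firewall log lines for them. The log lines
# are constructed samples and their key=value layout is an assumption.
$StilachiIocs = @{
    Domain = 'app[.]95560[.]cc'      # as published (defanged)
    Ip     = '194.195.89[.]47'       # as published (defanged)
    Ports  = @(53, 443, 16000)       # TCP ports the advisory associates with C2
}

function ConvertFrom-Defanged {
    param([string]$Value)
    # Undo common defanging: '[.]' -> '.', leading 'hxxp' -> 'http'
    return (($Value -replace '\[\.\]', '.') -replace '^hxxp', 'http')
}

function Find-StilachiC2Activity {
    param([string[]]$LogLines)
    $domain = ConvertFrom-Defanged $StilachiIocs.Domain
    $ip     = ConvertFrom-Defanged $StilachiIocs.Ip
    # Anchor both patterns so 'app.95560.cc' does not match inside a longer name
    # and the address does not match a longer dotted string.
    $domainRx = '(^|[\s=/])' + [regex]::Escape($domain) + '($|[\s/:])'
    $ipRx     = '(^|[\s=])'  + [regex]::Escape($ip)     + '($|[\s:])'

    foreach ($line in $LogLines) {
        if ($line -match $domainRx) {
            [pscustomobject]@{ Indicator = 'domain'; Value = $domain; Note = 'C2 domain resolved'; Line = $line }
        }
        elseif ($line -match $ipRx) {
            # Any connection to the C2 address is worth a ticket; note whether the
            # destination port is one the advisory lists.
            $note = 'C2 address, port not in advisory list'
            if ($line -match 'dport=(?<port>\d+)' -and ([int]$Matches.port) -in $StilachiIocs.Ports) {
                $note = "C2 address on advisory-listed port $($Matches.port)"
            }
            [pscustomobject]@{ Indicator = 'ip'; Value = $ip; Note = $note; Line = $line }
        }
    }
}

# Constructed sample lines (not real telemetry)
$sampleLog = @(
    '2025-03-18T10:02:11Z dns query=app.95560.cc client=10.0.0.15',
    '2025-03-18T12:02:12Z fw action=allow src=10.0.0.15 dst=194.195.89.47 dport=16000 proto=tcp',
    '2025-03-18T12:03:00Z fw action=allow src=10.0.0.15 dst=194.195.89.47 dport=8080 proto=tcp',
    '2025-03-18T12:05:30Z dns query=update.microsoft.com client=10.0.0.15'
)

Find-StilachiC2Activity -LogLines $sampleLog | Format-Table Indicator, Note, Line -AutoSize
```

Run as written, the first three sample lines are reported (domain lookup, connection on port 16000, connection on an unlisted port) and the fourth is not. Matching the address on every port, rather than only on 53, 443 and 16000, is deliberate: the port list describes what was observed, not everything the operators could use.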

Recommendations:

  1. In some cases, RATs can masquerade as legitimate software or software updates. Always download software from the official website of the software developer or from reputable sources.
  2. Encourage users to use Microsoft Edge and other web browsers that support SmartScreen, which identifies and blocks phishing sites, scam sites, and sites that host malware.
  3. Turn on Safe Links and Safe Attachments for Office 365.
  4. The malware can run either as a Windows service or as a standalone component. To identify persistence and suspicious services, monitor for the following event IDs:
     • Event ID 7045 (System log) – a new service was installed on the system. Monitor for suspicious services.
     • Event ID 7040 (System log) – the start type of a service was changed (boot, on-request). Boot may be a vector for the RAT to persist across a system reboot; on-request indicates that a process must ask the SCM to start the service.
     • Correlate these with Event ID 4697 (Security log) – a service was installed on the system.
  5. To identify potential event log clearing, monitor for Event ID 1102 (Security log) and Event ID 104 (System log).
  6. Disable password auto-saving in web browsers to prevent credential theft.
  7. Use application whitelisting (e.g., Microsoft AppLocker) to prevent unauthorized executables from running.
  8. Block the IOCs at their respective controls.
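The event-ID monitoring described in the recommendations can be run directly on a host. The following PowerShell is an added example, not part of the advisory or of Microsoft's analysis: it queries the listed event IDs, correlates service installs recorded by the SCM (7045) with the Security audit (4697), and lists log-clearing events first. The look-back window, the "trusted path" heuristic and the function names are assumptions made for this example; run it from an elevated session, since the Security log is not readable otherwise.

```powershell
# Added example (not from the advisory or from Microsoft's analysis): query the
# event IDs the recommendations list and correlate service installs across the
# System and Security logs. Requires an elevated PowerShell session. The
# look-back window and the trusted-path heuristic are assumptions.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# Event IDs named in the advisory, with the log each one lives in.
$queries = @(
    @{ LogName = 'System';   Id = 7045; Label = 'Service installed (SCM)' },
    @{ LogName = 'System';   Id = 7040; Label = 'Service start type changed' },
    @{ LogName = 'Security'; Id = 4697; Label = 'Service installed (Security audit)' },
    @{ LogName = 'Security'; Id = 1102; Label = 'Security log cleared' },
    @{ LogName = 'System';   Id = 104;  Label = 'System log cleared' }
)

# Pull one named field out of an event's EventData block (7045 and 4697 carry
# the service name and binary path there).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { return $node.'#text' }
    return $null
}

function Get-StilachiPersistenceEvents {
    param([datetime]$StartTime)
    foreach ($q in $queries) {
        try {
            $events = Get-WinEvent -FilterHashtable @{ LogName = $q.LogName; Id = $q.Id; StartTime = $StartTime } -ErrorAction Stop
        } catch {
            # Get-WinEvent throws when nothing matches (and on access denied); skip that query.
            Write-Verbose "$($q.LogName)/$($q.Id): $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            $svc  = if ($e.Id -in @(7045, 4697)) { Get-EventField $e 'ServiceName' } else { $null }
            $path = switch ($e.Id) {
                7045    { Get-EventField $e 'ImagePath' }
                4697    { Get-EventField $e 'ServiceFileName' }
                default { $null }
            }
            [pscustomobject]@{
                TimeCreated = $e.TimeCreated
                LogName     = $q.LogName
                Id          = $e.Id
                Label       = $q.Label
                ServiceName = $svc
                ImagePath   = $path
                Summary     = ($e.Message -split "`r?`n")[0]   # first line keeps the table readable
            }
        }
    }
}

$findings = @(Get-StilachiPersistenceEvents -StartTime $since)

# Log clearing is the strongest single signal on this list: surface it first.
$cleared = @($findings | Where-Object { $_.Id -in @(1102, 104) })
if ($cleared.Count -gt 0) {
    Write-Warning "Event log clearing detected ($($cleared.Count) event(s)); treat the host as suspect."
    $cleared | Format-Table TimeCreated, LogName, Id, Summary -AutoSize
}

# Services installed in the window, showing whether both the SCM (7045) and the
# Security audit (4697) recorded them, and flagging binaries outside the Windows
# and Program Files trees (a heuristic, not a verdict).
$trusted = '^"?(C:\\Windows\\|C:\\Program Files( \(x86\))?\\)'
$findings | Where-Object { $_.Id -in @(7045, 4697) } | Group-Object ServiceName | ForEach-Object {
    $g = $_
    $p = $g.Group.ImagePath | Where-Object { $_ } | Select-Object -First 1
    [pscustomobject]@{
        ServiceName    = $g.Name
        SeenInLogs     = ($g.Group.LogName | Sort-Object -Unique) -join ','
        ImagePath      = $p
        OutsideTrusted = if ($p) { -not ($p -match $trusted) } else { $null }
    }
} | Sort-Object OutsideTrusted -Descending | Format-Table -AutoSize

# Start-type changes (7040) are listed so an analyst can see a service flipped to boot/auto start.
$findings | Where-Object { $_.Id -eq 7040 } | Format-Table TimeCreated, Summary -AutoSize
```

A service that appears in only one of the two logs is not automatically suspect (audit policy may simply not cover 4697), but a 7045 with no matching 4697 on a host where that audit is enabled, or any 1102/104 in the window, is worth a ticket. The path heuristic exists because a RAT installed as a service usually runs from a user-writable location; it will also flag legitimate third-party software, so treat it as a triage aid.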

SOURCES:

  • https://www.virustotal.com/gui/collection/6f5b7bd02b1ff77095227b8def09cfa4a8175280fcc2d69c62a211237ecc5e38/iocs
  • https://www.microsoft.com/en-us/security/blog/2025/03/17/stilachirat-analysis-from-system-reconnaissance-to-cryptocurrency-theft/


Ampcus Cyber