Microsoft has identified a new remote access trojan (RAT) known as StilachiRAT, which utilizes sophisticated techniques to evade detection and persist within targeted environments, with the ultimate goal of stealing sensitive information.
According to the Microsoft Incident Response team, the malware can steal a range of data from the infected system, including browser-stored credentials, digital wallet information, clipboard content, and system details.
Microsoft discovered StilachiRAT in November 2024, with its RAT features embedded in a DLL module named “WWStartupCtrl64.dll.” The origins of this malware, including the threat actor or country responsible, remain unknown at this time.
The exact delivery method for this malware is currently unclear, but Microsoft emphasizes that such trojans can be installed through various initial access routes, so organizations should implement robust security measures to prevent such infections.
StilachiRAT is designed to collect extensive system information, including details about the operating system, hardware identifiers such as BIOS serial numbers, the presence of a camera, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.
This information is gathered through the Component Object Model (COM) Web-based Enterprise Management (WBEM) interfaces, utilizing WMI Query Language (WQL).
The malware specifically targets a list of cryptocurrency wallet extensions installed in the Google Chrome web browser, including but not limited to Bitget Wallet, Trust Wallet, TronLink, MetaMask, and others.
Furthermore, StilachiRAT is engineered to extract credentials stored in the Chrome browser, periodically collect clipboard content such as passwords and cryptocurrency wallets, monitor RDP sessions by capturing foreground window information, and establish communication with a remote server to exfiltrate the harvested data.
The command-and-control (C2) server communications are two-way, enabling the malware to receive and execute instructions sent by the server. The malware supports as many as 10 different commands, including:
- 07 – Display a dialog box with rendered HTML contents from a supplied URL
- 08 – Clear event log entries
- 09 – Enable system shutdown using an undocumented Windows API (“ntdll.dll!NtShutdownSystem”)
- 13 – Receive a network address from the C2 server and establish a new outbound connection
- 14 – Accept an incoming network connection on the supplied TCP port
- 15 – Terminate open network connections
- 16 – Launch a specified application
- 19 – Enumerate all open windows of the current desktop to search for a requested title bar text
- 26 – Put the system into either a suspended (sleep) state or hibernation
- 30 – Steal Google Chrome passwords
Microsoft highlights that StilachiRAT exhibits anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection. This includes looping checks for analysis tools and sandbox timers that prevent its full activation in virtual environments commonly used for malware analysis.
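Clearing event logs (command 08) is itself observable: Windows records a Security event 1102 when the audit log is cleared and a System event 104 when another log is cleared. The following Python is an added example, not code from the article or from Microsoft, that flags those clears and Sysmon image-load events (Event ID 7) for the DLL name given above, escalating a clear on a host that already loaded that DLL; the event records and the `host` field are constructed assumptions, not real telemetry.

```python
# Added detection example (not from the article). Flat dicts stand in for
# Windows Security / Sysmon event records; field names follow the usual
# Windows naming, the "host" key is an assumption of this example.

SUSPECT_MODULE = "wwstartupctrl64.dll"                    # DLL name from the article
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}  # audit log / other log cleared
SYSMON = "Microsoft-Windows-Sysmon/Operational"           # Sysmon channel; ID 7 = image loaded

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "Channel": "Security", "EventID": 4624, "SubjectUserName": "alice"},
    {"host": "ws01", "Channel": SYSMON, "EventID": 7, "Image": "C:\\Windows\\explorer.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"host": "ws02", "Channel": SYSMON, "EventID": 7,
     "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\svc.exe",
     "ImageLoaded": "C:\\Users\\bob\\AppData\\Local\\Temp\\WWStartupCtrl64.dll"},
    {"host": "ws02", "Channel": "Security", "EventID": 1102, "SubjectUserName": "bob"},
    {"host": "ws03", "Channel": "System", "EventID": 104, "SubjectUserName": "SYSTEM"},
]


def basename(path):
    """Lowercase file name of a Windows path, so the match ignores directory and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (severity, host, message) tuples in event order.

    A log clear is 'medium' on its own and 'high' when the same host has
    already loaded the suspect module earlier in the stream."""
    alerts, tainted_hosts = [], set()
    for ev in events:
        host = ev.get("host", "?")
        key = (ev.get("Channel"), ev.get("EventID"))
        if key == (SYSMON, 7) and basename(ev.get("ImageLoaded", "")) == SUSPECT_MODULE:
            tainted_hosts.add(host)
            alerts.append(("high", host,
                           f"suspect module loaded by {ev.get('Image', '?')}: {ev['ImageLoaded']}"))
        elif key in LOG_CLEAR_EVENTS:
            sev = "high" if host in tainted_hosts else "medium"
            alerts.append((sev, host, f"{ev['Channel']} log cleared by {ev.get('SubjectUserName', '?')}"))
    return alerts


if __name__ == "__main__":
    for sev, host, msg in detect(SAMPLE_EVENTS):
        print(f"[{sev}] {host}: {msg}")
```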
This revelation comes as Palo Alto Networks Unit 42 detailed three unusual malware samples detected last year, including a passive Internet Information Services (IIS) backdoor, a bootkit that installs a GRUB 2 bootloader, and a Windows implant of a cross-platform post-exploitation framework.
The IIS backdoor can parse specific incoming HTTP requests and execute the commands within them, enabling it to run commands, get system metadata, create new processes, execute PowerShell code, and inject shellcode into a running or new process.
The bootkit, on the other hand, is a 64-bit DLL that installs a GRUB 2 bootloader disk image through a legitimate kernel driver, assessed to be a proof-of-concept created by unknown parties from the University of Mississippi.
According to Unit 42 researcher Dominik Reichel, “When rebooted, the GRUB 2 bootloader shows an image and periodically plays Dixie through the PC speaker. This behavior could indicate that the malware is an offensive prank.” The functionality of this malware is limited to specific disk configurations.