Analysis Summary

StilachiRAT is a newly identified remote access trojan (RAT) discovered by Researchers, designed to evade detection and persist in target environments. It is embedded in a DLL module named WWStartupCtrl64.dll and is capable of stealing sensitive data, including credentials stored in browsers, cryptocurrency wallet information, clipboard content, and system details. Using Windows Management Instrumentation (WMI) Query Language (WQL), it collects extensive system information such as OS details, hardware identifiers, active RDP sessions, and running GUI applications. While the exact delivery method remains unknown, Microsoft warns that RATs like this can be installed through various attack vectors, emphasizing the need for strong cybersecurity measures.

According to the Researcher, a key feature of StilachiRAT is its focus on stealing cryptocurrency wallet credentials from popular Chrome browser extensions, including MetaMask, Trust Wallet, Bitget Wallet, and Coinbase Wallet, among others. It also monitors RDP sessions, exfiltrates stolen information to a command-and-control (C2) server, and supports two-way communication for executing commands remotely. These commands range from clearing event logs and terminating network connections to launching applications, stealing passwords, and enabling system shutdown via an undocumented Windows API. The malware also employs anti-forensic techniques such as monitoring for analysis tools and sandbox environments to avoid detection.

The discovery of StilachiRAT coincides with research from Palo Alto Networks Unit 42, which identified three distinct malware samples. These include an IIS backdoor that executes commands via manipulated HTTP requests, a bootkit leveraging an insecure kernel driver to install a customized GRUB 2 bootloader, and a Windows implant of a cross-platform post-exploitation framework called ProjectGeass. The bootkit is particularly unusual, as it plays a tune through the PC speaker upon reboot, suggesting it may be a proof-of-concept (PoC) attack or prank.

Overall, StilachiRAT presents a significant threat due to its advanced evasion techniques, information-stealing capabilities, and ability to execute remote commands, making it a powerful tool for espionage and financial theft. Its focus on cryptocurrency wallets, along with anti-forensic behavior and RDP session monitoring, makes it a highly sophisticated malware variant. The emergence of such threats highlights the growing complexity of cyberattacks, reinforcing the need for organizations to adopt robust endpoint security, network monitoring, and proactive threat intelligence to mitigate risks.

Impact

• Steal Sensitive Data
• Gain Access
• Financial Loss
• Crypto Theft

Indicators of Compromise

SHA1

• d7bd95a3d7756f3366bdd068cb1ad345e0eae31b

Remediation

• Block all threat indicators at your respective controls.
• Search for indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Ensure all operating systems, applications, and security software are up to date to mitigate vulnerabilities.
• Deploy Endpoint Detection and Response (EDR) solutions to detect and block malicious activity.
• Use behavior-based detection to identify suspicious processes like unauthorized DLL injections.
• Disable password storage in browsers to prevent credential theft.
• Regularly review and remove unnecessary browser extensions, especially cryptocurrency wallets.
• Monitor network traffic for unusual outbound connections to potential C2 servers.
• Restrict RDP access and use multi-factor authentication (MFA) to prevent unauthorized remote sessions.
• Restrict user privileges to limit malware execution capabilities.
• Use Application Whitelisting to prevent unauthorized programs from running.
• Regularly review Windows Event Logs, particularly for unexpected log clearance events.
• Monitor clipboard activity and detect unauthorized attempts to access stored credentials.
• Use Indicators of Compromise (IOCs) from threat intelligence sources to hunt for StilachiRAT artifacts.
• Isolate and analyze suspected infected systems to prevent further compromise.
• Train users to recognize phishing emails that may deliver RATs via malicious attachments or links.
• Encourage the use of password managers and MFA for enhanced security.