Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease

  • Microsoft is warning about a brand new RAT called Stilachi
  • It is good at hiding and persisting, while stealing sensitive data
  • StilachiRAT allows threat actors to run commands on endpoints, too

A new Remote Access Trojan (RAT) has been spotted using “sophisticated techniques” to hide and persist while it steals people’s sensitive information, experts have warned.

Researchers at Microsoft said the malware is still too “young” to be attributed to any specific actor, or threat campaign.

"In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data," Microsoft said.

Crypto in the crosshairs

The company did not explain how the RAT is distributed, but once it’s installed on a device, it maintains persistence through the Windows Service Control Manager (SCM). It uses watchdog threads to monitor the malware’s binaries and recreate them if they’re removed, essentially reinstalling the malware whenever necessary.

As for evasion and anti-forensics, it can clear event logs and look for signs that it’s running in a sandbox. Even if you trick it into running in a sandbox, its Windows API calls are still encoded as “checksums that are resolved dynamically at runtime,” which makes analysis that much harder.
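The two behaviours described above, persistence through the Service Control Manager and clearing of event logs, both leave traces in Windows event logs that a defender can look for. The following is an added example, not code from the article or from Microsoft's report: a small triage script that scans a JSON-lines export of Windows event records for a newly installed service whose binary lives outside the usual system directories, and for log-clearing events, then flags hosts that show both. Event IDs 7045, 1102 and 104 are real Windows event IDs; the export format, hostnames, service names, paths and timestamps are constructed for illustration.

```python
"""
Added example (not from the article or Microsoft's report): triage a
constructed JSON-lines export of Windows event logs for two of the
behaviours attributed to StilachiRAT.

  7045 (System)   a new service was installed      -> SCM persistence
  1102 (Security) the audit log was cleared        -> anti-forensics
  104  (System)   a log file was cleared           -> anti-forensics

The record layout, hosts, service names and paths below are constructed;
the event IDs are real.
"""
import json
from dataclasses import dataclass

NEW_SERVICE = 7045
AUDIT_LOG_CLEARED = 1102
LOG_CLEARED = 104

# Service binaries under these prefixes are treated as expected (case-insensitive).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed sample export: one JSON object per line (hypothetical collector format).
SAMPLE_EVENTS = r"""
{"time":"2024-11-12T09:14:02Z","channel":"System","event_id":7045,"host":"WS-17","data":{"ServiceName":"WinUpdSvc","ImagePath":"C:\\Users\\Public\\svc.exe","StartType":"auto start"}}
{"time":"2024-11-12T09:14:05Z","channel":"System","event_id":7036,"host":"WS-17","data":{"ServiceName":"WinUpdSvc","State":"running"}}
{"time":"2024-11-12T09:20:40Z","channel":"Security","event_id":1102,"host":"WS-17","data":{"SubjectUserName":"jdoe"}}
{"time":"2024-11-12T10:01:13Z","channel":"System","event_id":7045,"host":"WS-22","data":{"ServiceName":"Spooler","ImagePath":"C:\\Windows\\System32\\spoolsv.exe","StartType":"auto start"}}
{"time":"2024-11-12T10:05:00Z","channel":"System","event_id":104,"host":"WS-17","data":{"Channel":"System"}}
"""


@dataclass
class Finding:
    host: str
    time: str
    rule: str      # "scm_persistence" or "log_cleared"
    detail: str


def parse_events(text):
    """Parse a JSON-lines export into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def check_service_install(ev):
    """Flag a 7045 whose ImagePath is outside the trusted system directories."""
    if ev["event_id"] != NEW_SERVICE:
        return None
    path = ev["data"].get("ImagePath", "").strip('"').lower()
    if path.startswith(TRUSTED_PREFIXES):
        return None
    name = ev["data"].get("ServiceName", "?")
    return Finding(ev["host"], ev["time"], "scm_persistence",
                   f"service {name} installed from {path}")


def check_log_cleared(ev):
    """Flag Security 1102 or System 104, which record that a log was cleared."""
    if ev["event_id"] not in (AUDIT_LOG_CLEARED, LOG_CLEARED):
        return None
    if ev["event_id"] == AUDIT_LOG_CLEARED:
        which = "Security audit log"
    else:
        which = f"{ev['data'].get('Channel', '?')} log"
    return Finding(ev["host"], ev["time"], "log_cleared", f"{which} cleared")


RULES = (check_service_install, check_log_cleared)


def triage(text):
    """Run every rule over every event and collect the findings in log order."""
    findings = []
    for ev in parse_events(text):
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def hosts_to_escalate(findings):
    """Hosts showing both persistence and log clearing; one alone is often admin noise."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if {"scm_persistence", "log_cleared"} <= rules)


if __name__ == "__main__":
    hits = triage(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.time} {f.host} [{f.rule}] {f.detail}")
    print("escalate:", hosts_to_escalate(hits))
```

The path allow-list is deliberately crude: a service installed from a user-writable directory is worth a look on its own, but the correlation in `hosts_to_escalate` is what separates a likely compromise from routine administration, since legitimate service installs rarely coincide with an audit log being wiped on the same host.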

For features, StilachiRAT doesn’t stray much from your usual Remote Access Trojan. It targets credentials stored in the browser, digital wallet information, data stored in the clipboard, and system information (hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications to profile targeted systems).

StilachiRAT is particularly interested in cryptocurrency wallets. It can scan the configuration info of 20 wallet extensions such as Phantom, MetaMask, Trust Wallet, and many others.

But the tool can do much more than “just” steal data - it allows for remote command execution, granting the attackers the ability to restart the device, run applications, and more. There are even commands built to "suspend the system, modify Windows registry values, and enumerate open windows."

Via BleepingComputer
