Fyself News
StilachiRAT targeting credentials and crypto wallets

By user, March 18, 2025
Microsoft has drawn attention to a new remote access Trojan (RAT) named StilachiRAT, noting that it persists within the target environment and uses advanced techniques aimed at stealing sensitive data.

The malware includes the ability to “steal information from the target system, including credentials stored in your browser, digital wallet information, data stored in your clipboard, and system information.”

The tech giant discovered StilachiRAT in November 2024, noting that the RAT functionality lives in a DLL module named “wwstartupctrl64.dll”. The malware has not been attributed to any particular threat actor or country.

It is currently unclear how the malware is delivered to targets, but Microsoft said it is important for organizations to implement appropriate security measures, as such Trojans can be installed through various initial access routes.


StilachiRAT is designed to collect a wide range of system information, including operating system (OS) details, BIOS serial number, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.

These details are collected through the Component Object Model (COM) Web-Based Enterprise Management (WBEM) interfaces using the WMI Query Language (WQL).

It is also designed to target a list of cryptocurrency wallet extensions installed in the Google Chrome web browser. The list includes Bitget Wallet, Trust Wallet, TronLink, MetaMask, TokenPocket, BNB Chain Wallet, OKX Wallet, Sui Wallet, and Braavos.

Additionally, StilachiRAT extracts credentials stored in the Chrome browser, periodically collects clipboard content such as passwords and cryptocurrency wallet data, monitors RDP sessions by capturing foreground window information, establishes contact with remote servers, and exfiltrates the harvested data.

Command-and-control (C2) server communication is bidirectional, allowing the malware to execute the commands it is sent. This makes it a versatile tool for both espionage and system manipulation. Up to 10 different commands are supported:

07 – Display a dialog box with HTML content rendered from a supplied URL
08 – Clear event log entries
09 – Enable system shutdown using an undocumented Windows API (“ntdll.dll!ntshutdownsystem”)
13 – Receive a network address from the C2 server and establish a new outbound connection
14 – Accept incoming network connections on the supplied TCP port
15 – Terminate open network connections
– Specified application
19 – Enumerate all open windows on the current desktop and search for a requested title bar text
26 – Put the system into a suspended (sleep) or hibernation state
30 –

“StilachiRAT displays anti-forensic behavior by clearing event logs and checking specific system conditions to evade detection,” Microsoft said. “This includes looped checks for analysis tools and sandbox timers that prevent full activation in virtual environments commonly used for malware analysis.”
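As an added example (not Microsoft's or the article's own code), the detection logic below flags two of the StilachiRAT behaviours described above, the RAT DLL module being loaded and the audit log being cleared, and correlates them per host. The event records are constructed inline in an assumed newline-delimited JSON shape with assumed field names; the channel and event ID conventions follow Sysmon (ID 7 = image loaded) and the Windows Security log (ID 1102 = audit log cleared).

```python
import json

# Indicators from the article: the module carrying the RAT functionality,
# and the event-log-clearing behaviour (Security event 1102 records it).
RAT_MODULE = "wwstartupctrl64.dll"
LOG_CLEARED_EVENT_ID = 1102

# Constructed sample telemetry (not real data); JSON shape and field names
# are assumptions made for this example.
SAMPLE_EVENTS = "\n".join([
    r'{"host":"ws01","channel":"Sysmon","event_id":7,"image":"C:\\Windows\\System32\\svchost.exe","image_loaded":"C:\\Windows\\System32\\kernel32.dll"}',
    r'{"host":"ws01","channel":"Sysmon","event_id":7,"image":"C:\\Users\\u\\AppData\\Local\\Temp\\updater.exe","image_loaded":"C:\\Users\\u\\AppData\\Local\\Temp\\WWStartupCtrl64.dll"}',
    r'{"host":"ws01","channel":"Security","event_id":1102,"subject_user":"u"}',
    r'{"host":"ws02","channel":"Security","event_id":4624,"subject_user":"admin"}',
])


def rat_module_loaded(ev):
    """Sysmon image-load event whose loaded DLL matches the RAT module name."""
    return (ev.get("channel") == "Sysmon" and ev.get("event_id") == 7
            and ev.get("image_loaded", "").lower().endswith(RAT_MODULE))


def audit_log_cleared(ev):
    """Security event 1102: the audit log was cleared (command 08 above)."""
    return ev.get("channel") == "Security" and ev.get("event_id") == LOG_CLEARED_EVENT_ID


def scan(events_text):
    """Return (host, rule, detail) findings over newline-delimited JSON events."""
    findings = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if rat_module_loaded(ev):
            findings.append((ev["host"], "stilachirat_module_loaded", ev["image"]))
        if audit_log_cleared(ev):
            findings.append((ev["host"], "audit_log_cleared", ev.get("subject_user", "")))
    return findings


def hosts_with_both(findings):
    """Hosts where the module load and the log clearing both occurred."""
    seen = {}
    for host, rule, _ in findings:
        seen.setdefault(host, set()).add(rule)
    return {h for h, rules in seen.items() if len(rules) == 2}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for hit in hits:
        print(hit)
    print("high severity hosts:", hosts_with_both(hits))
```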


The disclosure comes as Palo Alto Networks Unit 42 detailed three unusual malware samples it detected last year, including a passive Internet Information Services (IIS) backdoor developed in C++/CLI, a bootkit that uses an unsecured kernel driver to install a GRUB 2 bootloader, and a Windows implant of a cross-platform post-exploitation framework developed in C++ called ProjectGeass.

The IIS backdoor is equipped to parse certain incoming HTTP requests with predefined headers, execute the commands embedded in them, retrieve system metadata, create new processes, run PowerShell code, and inject shellcode into running or new processes.

The bootkit, on the other hand, is a 64-bit DLL that installs a GRUB 2 bootloader disk image using a legitimately signed kernel driver named AMPA.SYS. It is assessed to be a proof of concept (PoC) created by an unknown party at the University of Mississippi.

“When you reboot, the GRUB 2 bootloader displays the image and plays Dixie periodically through the PC speaker. This behavior can indicate that the malware is an aggressive prank.” “In particular, patching the system with this customized GRUB 2 bootloader image of the malware only works with certain disk configurations.”
