
A new remote access Trojan (RAT) for Windows, dubbed StilachiRAT, uses sophisticated techniques to avoid detection and can perform tasks ranging from reconnaissance to cryptocurrency theft.

StilachiRAT, which has not yet been widely distributed and is not attributed to any known cybercriminal group, also uses watchdog threads to ensure self-repair if removed, according to a study by Microsoft Incident Response.

When analyzing the Trojan, researchers found that it collects extensive system information, including operating system details, device identifiers, BIOS serial numbers, and the presence of cameras.

It also targets 20 cryptocurrency wallet extensions for the Google Chrome browser, including MetaMask, Coinbase Wallet, Phantom, Keplr, and Trust Wallet.

Microsoft says the malware communicates with two command-and-control (C2) servers and establishes its channel over TCP port 53, 443, or 16000, chosen at random.

StilachiRAT checks whether tcpview.exe is running on the system and, if so, stops it from running to avoid detection.
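The two behaviours just described, the C2 channel on TCP 53/443/16000 and the termination of tcpview.exe, are both visible in host telemetry. Below is an added detection sketch (not Microsoft's code) that runs over constructed Sysmon-style key=value lines; the field names, sample paths and the allowlist of processes expected on ports 53/443 are assumptions for illustration.

```python
"""Flag (1) outbound TCP to 53/443/16000 from processes that should not use
them and (2) any process opening tcpview.exe with PROCESS_TERMINATE rights.
Log lines are constructed Sysmon-style records (EventID 3 = network
connection, EventID 10 = process access); not real telemetry."""
import re

C2_PORTS = {53, 443, 16000}                  # ports named in the report
# Assumed allowlist: processes for which 53/443 is routine. Port 16000 is
# flagged for every process.
ALLOWED_ON_COMMON_PORTS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe"}
PROCESS_TERMINATE = 0x0001                   # Win32 process access right bit

# key=value pairs; values may contain spaces (Windows paths)
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse(line):
    """Parse 'EventID=3 Image=C:\\...\\x.exe DestPort=443' into a dict."""
    return dict(KV_RE.findall(line))

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Return (rule, source image) findings for the given log lines."""
    findings = []
    for ev in map(parse, lines):
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        if eid == "3":                       # network connection
            port = int(ev.get("DestPort", "0"))
            if port == 16000 or (port in C2_PORTS and image not in ALLOWED_ON_COMMON_PORTS):
                findings.append(("c2_port_unexpected_process", image))
        elif eid == "10":                    # process access
            target = basename(ev.get("TargetImage", ""))
            access = int(ev.get("GrantedAccess", "0"), 16)
            if target == "tcpview.exe" and access & PROCESS_TERMINATE:
                findings.append(("tcpview_terminate_access", image))
    return findings

SAMPLE_LOG = [  # constructed sample events
    r"EventID=3 Image=C:\Program Files\Google\Chrome\chrome.exe DestPort=443",
    r"EventID=3 Image=C:\Users\u\AppData\Local\Temp\updater.exe DestPort=16000",
    r"EventID=3 Image=C:\Users\u\AppData\Local\Temp\updater.exe DestPort=53",
    r"EventID=10 Image=C:\Users\u\AppData\Local\Temp\updater.exe TargetImage=C:\Tools\tcpview.exe GrantedAccess=0x1",
    r"EventID=10 Image=C:\Windows\explorer.exe TargetImage=C:\Tools\tcpview.exe GrantedAccess=0x1000",
]

if __name__ == "__main__":
    for rule, img in detect(SAMPLE_LOG):
        print(rule, img)
```

On the sample log this reports three findings, all against the constructed updater.exe; the Chrome connection on 443 and the read-only handle from explorer.exe are not flagged.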

According to Microsoft, the Trojan also monitors Remote Desktop Protocol sessions, intercepting information about foreground windows and duplicating security tokens to impersonate the user.