
StilachiRAT: System Reconnaissance and Cryptocurrency Theft


A team of security researchers from Microsoft Threat Intelligence recently announced a new RAT (Remote Access Trojan) named StilachiRAT. Although the organization or entity behind this trojan has not been identified, Microsoft has alerted users worldwide because of the sophisticated techniques the trojan uses to infiltrate and hide on victims' systems and steal sensitive information from them.

Technical Analysis

In Microsoft's report, the researchers analysed the WWStartupCtrl64.dll module of StilachiRAT. Below is a summary of their findings on the trojan's main capabilities:

1. System Reconnaissance

StilachiRAT gathers detailed information about the target system: operating system details, hardware identifiers, BIOS serial numbers, whether any RDP (Remote Desktop Protocol) sessions are active, and which GUI applications are running. Using the COM (Component Object Model) interface, WBEM (Web-Based Enterprise Management), and WQL (the WMI Query Language), the trojan also derives a unique identifier for the infected device from the system's serial number and the attacker's public RSA key, and stores it in the registry.

Figure 1: Example of a unique ID stored in the registry

2. Wallet Scanning

After infecting the target system, StilachiRAT scans for information related to cryptocurrency wallets. The trojan targets around 20 browser extensions for popular wallets such as Coinbase Wallet, Phantom, Trust Wallet, MetaMask, OKX Wallet, and Bitget Wallet. By reading the registry key \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings, the trojan can easily determine which of these wallet extensions are installed in the Google Chrome browser.

Below is a list of the Google Chrome browser extensions for cryptocurrency wallets targeted by this trojan:


Cryptocurrency wallet extension name    Chrome extension identifier
Bitget Wallet (Formerly BitKeep)        jiidiaalihmmhddjgbnbgdfflelocpak
Trust Wallet                            egjidjbpglichdcondbcbdnbeeppgdph
TronLink                                ibnejdfjmmkpcnlpebklmnkoeoihofec
MetaMask (ethereum)                     nkbihfbeogaeaoehlefnkodbefgpgknn
TokenPocket                             mfgccjchihfkkindfppnaooecgfneiii
BNB Chain Wallet                        fhbohimaelbohpjbbldcngcnapndodjp
OKX Wallet                              mcohilncbfahbmgdjkbpemcciiolgcge
Sui Wallet                              opcgpfmipidbgpenhmajoajpbobppdil
Braavos – Starknet Wallet               jnlgamecbpmbajjfhmmmlhejkemejdma
Coinbase Wallet                         hnfanknocfeofbddgcijnmhnfnkdnaad
Leap Cosmos Wallet                      fcfcfllfndlomdhbehjjcoimbgofdncg
Manta Wallet                            enabgbdfcbaehmbigakijjabdpdnimlg
Keplr                                   dmkamcknogkgcdfhhbddcghachkejeap
Phantom                                 bfnaelmomeimhlpmgjnjophhpkkoljpa
Compass Wallet for Sei                  anokgmphncpekkhclmingpimjmcooifb
Math Wallet                             afbcbjpbpfadlkmhmclhkeeodmamcflc
Fractal Wallet                          agechnindjilpccclelhlbjphbgnobpf
Station Wallet                          aiifbnbfobpmeekipheeijimdpnlpgpp
ConfluxPortal                           bjiiiblnpkonoiegdlifcciokocjbhkd
Plug                                    cfbfdhimifdmdehjmkdobpcjfefblkjm
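As an added example (not from the Microsoft report or this post), the following Python checks the value names read from the extensions.settings registry key named above against the wallet extension IDs in the table, so a defender can see which targeted wallets are present on a host. The sample value names are constructed; on a live host they would be the value names enumerated under that key.

```python
import re

# Chrome extension IDs are exactly 32 characters drawn from the letters a-p.
EXT_ID_RE = re.compile(r"^[a-p]{32}$")

# The 20 wallet extension IDs from the table above (Microsoft report), name by ID.
TARGETED_WALLET_EXTENSIONS = {
    "jiidiaalihmmhddjgbnbgdfflelocpak": "Bitget Wallet (Formerly BitKeep)",
    "egjidjbpglichdcondbcbdnbeeppgdph": "Trust Wallet",
    "ibnejdfjmmkpcnlpebklmnkoeoihofec": "TronLink",
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask (ethereum)",
    "mfgccjchihfkkindfppnaooecgfneiii": "TokenPocket",
    "fhbohimaelbohpjbbldcngcnapndodjp": "BNB Chain Wallet",
    "mcohilncbfahbmgdjkbpemcciiolgcge": "OKX Wallet",
    "opcgpfmipidbgpenhmajoajpbobppdil": "Sui Wallet",
    "jnlgamecbpmbajjfhmmmlhejkemejdma": "Braavos - Starknet Wallet",
    "hnfanknocfeofbddgcijnmhnfnkdnaad": "Coinbase Wallet",
    "fcfcfllfndlomdhbehjjcoimbgofdncg": "Leap Cosmos Wallet",
    "enabgbdfcbaehmbigakijjabdpdnimlg": "Manta Wallet",
    "dmkamcknogkgcdfhhbddcghachkejeap": "Keplr",
    "bfnaelmomeimhlpmgjnjophhpkkoljpa": "Phantom",
    "anokgmphncpekkhclmingpimjmcooifb": "Compass Wallet for Sei",
    "afbcbjpbpfadlkmhmclhkeeodmamcflc": "Math Wallet",
    "agechnindjilpccclelhlbjphbgnobpf": "Fractal Wallet",
    "aiifbnbfobpmeekipheeijimdpnlpgpp": "Station Wallet",
    "bjiiiblnpkonoiegdlifcciokocjbhkd": "ConfluxPortal",
    "cfbfdhimifdmdehjmkdobpcjfefblkjm": "Plug",
}

def find_targeted_extensions(value_names):
    """Sorted (extension_id, wallet_name) pairs for targeted wallets present in
    value_names (the value names under the registry key above); bad names skipped."""
    hits = []
    for name in value_names:
        ext_id = name.strip().lower()
        if EXT_ID_RE.match(ext_id) and ext_id in TARGETED_WALLET_EXTENSIONS:
            hits.append((ext_id, TARGETED_WALLET_EXTENSIONS[ext_id]))
    return sorted(hits)

# Constructed sample of value names (two IDs from the table plus a made-up one).
SAMPLE_VALUE_NAMES = [
    "nkbihfbeogaeaoehlefnkodbefgpgknn",  # MetaMask
    "bfnaelmomeimhlpmgjnjophhpkkoljpa",  # Phantom
    "abcdefghijklmnopabcdefghijklmnop",  # constructed, not a real extension
]

if __name__ == "__main__":
    for ext_id, wallet in find_targeted_extensions(SAMPLE_VALUE_NAMES):
        print(f"targeted wallet extension present: {wallet} ({ext_id})")
```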

3. Stealing Login Information

StilachiRAT extracts the encryption_key value stored locally in Google Chrome's user data. Although Chrome stores this key in encrypted form, the trojan can still decrypt it using the current user's context and Windows APIs. This gives StilachiRAT access to the saved logins in the password vault, which it extracts from:

  • The Chrome configuration file that holds the encryption key: %LOCALAPPDATA%\Google\Chrome\User Data\Local State

  • The saved login store: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data

Since Login Data is an SQLite database, the trojan retrieves the saved logins with the following query:

Figure 2: The query used by the trojan to steal login information from the Login Data folder

4. Connecting to the C2 Server

StilachiRAT is configured with two addresses to connect to after infecting the target system. These addresses are obfuscated or stored in encoded binary form rather than as plain strings, making it harder for security scanners to detect connections to these malicious servers.

StilachiRAT picks one of TCP ports 53, 443, and 16000 at random to connect to the two C2 servers app.95560[.]cc and 194.195.89[.]47. If network monitoring software such as TCPView is detected, the trojan immediately terminates its existing connections and pauses its C2 connections for about two hours to avoid detection.

Figure 3: StilachiRAT delays connections to the C2 server to avoid detection
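As an added example (not from the report or this post), the following Python refangs the two published C2 indicators and flags connections to them in connection log lines, marking whether the port is one of the three the trojan uses. The log line format, hosts, ports and process paths in the sample are constructed for the demo.

```python
import re

# Indicators from the IOC section of this post, kept defanged as published.
DEFANGED_C2 = ["app.95560[.]cc", "194.195.89[.]47"]
# Ports the report says the implant chooses from; 53 and 443 are noisy on their own.
C2_PORTS = {53, 443, 16000}

def refang(indicator):
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")

C2_HOSTS = {refang(i) for i in DEFANGED_C2}

# Constructed log format (an assumption, not a real product format):
# "src=<ip> dst=<ip-or-host> dport=<port> image=<process path>"
LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+dport=(\d+)\s+image=(.+)$")

def parse_line(line):
    """Return (src, dst, dport, image) or None when the line does not match."""
    m = LOG_RE.search(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2).lower().rstrip("."), int(m.group(3)), m.group(4)

def scan(lines):
    """Return (dst, dport, image, port_in_profile) for every connection to a C2 host.
    Matching is on the destination only; the port flag is context for the analyst."""
    alerts = []
    for line in lines:
        conn = parse_line(line)
        if conn is None:
            continue
        src, dst, dport, image = conn
        if dst in C2_HOSTS:
            alerts.append((dst, dport, image, dport in C2_PORTS))
    return alerts

# Constructed sample lines; hosts, ports and process paths are made up for the demo.
SAMPLE_LINES = [
    "src=10.0.0.5 dst=194.195.89.47 dport=16000 image=C:\\Users\\demo\\AppData\\Local\\host.exe",
    "src=10.0.0.5 dst=example.com dport=443 image=C:\\Program Files\\Browser\\browser.exe",
    "src=10.0.0.7 dst=APP.95560.CC dport=53 image=C:\\Users\\demo\\AppData\\Local\\host.exe",
    "src=10.0.0.9 dst=194.195.89.47 dport=8080 image=C:\\Windows\\System32\\curl.exe",
]

if __name__ == "__main__":
    for dst, dport, image, expected_port in scan(SAMPLE_LINES):
        print(f"C2 indicator hit: {dst}:{dport} from {image} (port in profile: {expected_port})")
```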

5. Establishing Persistence on the System

StilachiRAT can be launched either as a Windows service or as a standalone component, and both modes include protection mechanisms that maintain the trojan's long-term presence on the infected system. A watchdog thread periodically monitors the trojan's executable (.exe) and dynamic link library (.dll) files and restores them from previously made backups if they are deleted from the target system. Additionally, when running as a Windows service, StilachiRAT can recreate the service by modifying the relevant settings in the system's registry and restart it through the SCM (Service Control Manager), the Windows service management component.

Figure 4: Launching the trojan as a Windows service through SCM

6. Monitoring RDP

StilachiRAT records information about the foreground window during RDP sessions and copies user security tokens between sessions. These tokens allow the trojan to impersonate legitimate users and perform actions on their behalf. For administrator RDP sessions, the trojan can steal tokens and easily move laterally to other computers in the internal network without needing to perform initial intrusion steps.

Additionally, StilachiRAT enumerates all active RDP sessions on the system. For each session it identifies, the trojan accesses that session's Windows Explorer shell, steals its privileges, and uses them to launch new applications and processes with the stolen execution rights on the infected system.

Figure 5: Launch process as another user

7. Collecting Data and Clipboard on the System

StilachiRAT collects various types of user data, including running processes and a record of the software installed on the infected system. It monitors active GUI windows, records the text shown in their title bars, and sends this information to the C2 server, allowing attackers to track and analyze user behavior.

Figure 6: Read the title of an application window

StilachiRAT also collects data from the system clipboard. When users copy data such as personal information, passwords, or cryptocurrency keys, the trojan can read this information and send it to the C2 server. It also accesses directories such as %USERPROFILE%\Desktop and %USERPROFILE%\Recent to collect further sensitive user data.

Figure 7: Collecting data from the system's clipboard

8. Anti-Forensic Measures

StilachiRAT employs various sophisticated anti-forensic techniques on the infected system, including continuously checking for analysis tools and sandbox timers, hindering analysis in virtualized environments, and regularly deleting event logs to frustrate forensic analysis.

Additionally, StilachiRAT obfuscates its use of Windows APIs by encrypting strings with a custom algorithm, which significantly slows down analysis because the trojan's logic becomes harder to follow. API obfuscation is also used to hinder manual analysis: instead of calling APIs such as RegOpenKey() by name, the trojan stores a checksum of each API name and only resolves it dynamically when the API is called.

To add a further layer of protection, the API checksums are pre-calculated and stored in multiple lookup tables, each encrypted with an XOR value. When an API is called, the trojan selects a lookup table, decrypts it, and looks up the corresponding function. The resolved function pointers are then stored with an additional XOR layer to hinder memory scanning for API references.

Figure 8: Function that initiates API resolution by identifying the correct lookup table for the checksum

Recommendations & Mitigation

Based on the characteristics of StilachiRAT described above, the FPT Threat Intelligence team recommends the following preventive and protective measures to minimize the risk of infection by StilachiRAT, as well as by other dangerous malware currently circulating:

  1. Install software from trusted sources: Always download software from the developer's official websites or reputable sources. Avoid downloading software from unknown websites as they may contain malware, like StilachiRAT, which exploits fake legitimate software or software updates.

  2. Use a secure web browser: Use browsers with security features like SmartScreen that help identify and block malicious websites, phishing sites, and sites with malware. Ensure the browser is updated and securely configured to protect users from online threats.

  3. Use security software: Install security software with real-time protection on the system, ensuring these programs are always active to prevent malware from entering the system.

  4. Store credentials in a password manager: To avoid leaking login information and reduce the risk of credential theft, users can use reputable password managers such as 1Password or Bitwarden to protect personal information.

  5. Use 24/7 security monitoring services: This is an effective way for users to respond immediately to attacks, detect and block suspicious activity, and reduce the risk to the user's system.

IOCs

Information on IOCs was published by Microsoft Threat Intelligence as follows:

Description                         Type           Indicator
Malicious WWStartupCtrl64.dll file  SHA-256 hash   394743dd67eb018b02e069e915f64417bc1cd8b33e139b92240a8cf45ce10fcb
C2 server                           IP address     194.195.89[.]47
C2 server                           Domain         app.95560[.]cc

References

  1. Microsoft Threat Intelligence


FPT IS Security
