• MS warns of new malware

    From Mike Powell@1:2320/105 to All on Wed Mar 19 09:09:00 2025
    Microsoft warns of a devious new RAT malware which can avoid detection with apparent ease

    Date:
    Tue, 18 Mar 2025 14:38:00 +0000

    Description:
    StilachiRAT malware hides easily, allows for remote code execution, and
    steals data.

    FULL STORY

    A new Remote Access Trojan (RAT) has been spotted using sophisticated techniques to hide and persist while it steals people's sensitive information, experts have warned.

    Researchers at Microsoft said the malware is still too young to be attributed to any specific actor, or threat campaign.

    "In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) we named StilachiRAT that demonstrates
    sophisticated techniques to evade detection, persist in the target
    environment, and exfiltrate sensitive data," Microsoft said.

    Crypto in the crosshairs

    The company did not explain how the RAT is distributed, but once it's
    installed on a device, it maintains persistence through the Windows service control manager (SCM). It uses watchdog threads to track the malware's
    binaries and recreate them if they're removed, essentially reinstalling the malware if necessary.

    As for evasion and anti-forensics, it can clear event logs, and look for
    signs that it's running in a sandbox environment. Even if you trick it into running
    in a sandbox, its Windows API calls are still encoded as checksums that are resolved dynamically at runtime, which makes analysis that much harder.
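As an added illustration, not code from the article or from Microsoft's report, here is how a defender might hunt for the two behaviours just described (a service registered for persistence, followed by event logs being cleared) by correlating a Windows event export. The event IDs are standard Windows ones; the sample records, the "outside system directories" path check and the 15-minute window are assumptions.

```python
"""Correlate new-service installs with subsequent event-log clearing.
Event IDs are standard Windows ones; all sample records are constructed."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (e.g. JSON lines from a SIEM), not real telemetry.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-03-18T09:00:00", "channel": "System", "id": 7045,
     "data": {"ServiceName": "SysHelperSvc", "ImagePath": "C:\\ProgramData\\svc.exe"}},
    {"ts": "2025-03-18T09:03:10", "channel": "Security", "id": 1102, "data": {}},
    {"ts": "2025-03-18T09:03:12", "channel": "System", "id": 104, "data": {}},
    {"ts": "2025-03-18T13:00:00", "channel": "System", "id": 7045,
     "data": {"ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"}},
]

# 7045 = new service installed (System log), 1102 = audit log cleared
# (Security log), 104 = System log cleared (System log).
NEW_SERVICE, AUDIT_CLEARED, SYSLOG_CLEARED = 7045, 1102, 104
WINDOW = timedelta(minutes=15)  # assumed correlation window
SYSTEM_DIRS = ("c:\\windows", "c:\\program files")  # assumed allow-list

def _t(e: Dict) -> datetime:
    return datetime.fromisoformat(e["ts"])

def find_log_clears(events: List[Dict]) -> List[Dict]:
    """Every record that reports a Security or System log being cleared."""
    wanted = {("Security", AUDIT_CLEARED), ("System", SYSLOG_CLEARED)}
    return [e for e in events if (e["channel"], e["id"]) in wanted]

def find_suspicious_services(events: List[Dict]) -> List[Dict]:
    """New services whose binary lives outside the usual system directories."""
    out = []
    for e in events:
        if e["channel"] == "System" and e["id"] == NEW_SERVICE:
            path = e["data"].get("ImagePath", "").lower()
            if not path.startswith(SYSTEM_DIRS):
                out.append(e)
    return out

def correlate(events: List[Dict]) -> List[Dict]:
    """One alert per suspicious service that is followed by a log clear within WINDOW."""
    clears = find_log_clears(events)
    alerts = []
    for svc in find_suspicious_services(events):
        after = [c for c in clears if timedelta(0) <= _t(c) - _t(svc) <= WINDOW]
        if after:
            alerts.append({"service": svc["data"]["ServiceName"],
                           "image": svc["data"]["ImagePath"],
                           "cleared": [c["id"] for c in after]})
    return alerts
```

Only the service dropped under ProgramData and followed by the two log clears produces an alert; the legitimately placed Sysmon service with no clearing afterwards does not.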

    For features, StilachiRAT doesn't stray much from your usual Remote Access Trojan. It targets credentials stored in the browser, digital wallet information, data stored in the clipboard, and system information (hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications to profile targeted systems).

    StilachiRAT is particularly interested in cryptocurrency wallets. It can scan the configuration info of 20 wallet extensions such as Phantom, MetaMask,
    Trust Wallet, and many others.

    But the tool can do much more than just steal data - it allows for remote command execution, granting the attackers the ability to restart the device, run applications, and more. There are even commands built to "suspend the system, modify Windows registry values, and enumerate open windows."

    Via BleepingComputer

    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/microsoft-warns-of-a-devious-new-rat-malware-which-can-avoid-detection-with-apparent-ease

    $$
    --- SBBSecho 3.20-Linux
    * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)