StilachiRAT Targeting Credentials and Crypto Wallets

By Admin, March 18, 2025, 4 Mins Read

Microsoft is drawing attention to a new remote access trojan (RAT) named StilachiRAT, which it says uses advanced detection-evasion techniques and persists in the target environment with the ultimate goal of stealing sensitive data.

The malware has capabilities to "steal information from the target system, such as credentials stored in the browser, digital wallet information, data stored in the clipboard, and system information", the Microsoft Incident Response team noted in its analysis.

The tech giant said it discovered StilachiRAT in November 2024, and that its RAT capabilities are implemented in a DLL module named "WWStartupctrl64.dll". The malware has not been attributed to any specific threat actor or country.

It is currently unclear how the malware is delivered to targets, but Microsoft noted that such trojans can be installed through various initial access routes, making it critical for organizations to implement proper security measures.

StilachiRAT is designed to collect extensive system information, including operating system details, hardware identifiers such as BIOS serial numbers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.

These details are collected through the Component Object Model (COM) Web-Based Enterprise Management (WBEM) interfaces using WMI Query Language (WQL).

It is also designed to target a list of cryptocurrency wallet extensions installed in the Google Chrome web browser. The list includes Bitget Wallet, Trust Wallet, TronLink, MetaMask, and TokenPocket.

In addition, StilachiRAT extracts credentials stored in the Chrome browser, periodically collects clipboard contents such as passwords and cryptocurrency wallet keys, monitors RDP sessions, captures foreground window information, and establishes contact with a remote server to exfiltrate the data.

Communication with the command-and-control (C2) server is two-way, allowing the malware to run instructions sent to it. These features point to a versatile tool for both espionage and system manipulation. As many as 10 different commands are supported:

  • 07 – Display a dialog with rendered HTML contents fetched from a supplied URL
  • 08 – Clear event log records
  • 09 – Shut down the system using an undocumented Windows API ("ntdll.dll!NtShutdownSystem")
  • 13 – Receive a network address from the C2 server and establish a new outbound connection
  • 14 – Accept an incoming network connection on a TCP port
  • 15 – Close open network connections
  • 16 – Launch a specified application
  • 19 – Enumerate all open windows of the current desktop to search for a requested title text
  • 26 – Put the system into either suspended (sleep) or hibernation mode
  • 30 – Steal Google Chrome passwords

"StilachiRAT displays anti-forensic behavior by clearing event logs and checking certain system conditions to evade detection," Microsoft said. "This includes looping checks for analysis tools and sandboxes that prevent its full activation in the virtual environments commonly used to analyze malware."
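Two of the behaviours the article attributes to StilachiRAT leave traces a defender can hunt for: the load of the reported module "WWStartupctrl64.dll" and the clearing of event logs. The script below is an added example written for this page, not code from Microsoft or the article; it assumes a simplified key=value rendering of Windows events (Sysmon Event ID 7 image loads, Security 1102 and System 104 log-clear events) and scans constructed sample records for those two indicators.

```python
import ntpath
import re
from dataclasses import dataclass

# Module name reported by Microsoft in the article (compared case-insensitively).
RAT_MODULE = "wwstartupctrl64.dll"
# (channel, event id) pairs that record an event log being cleared.
LOG_CLEAR_EVENTS = {("security", 1102), ("system", 104)}

# Simplified key=value record format assumed for this demo: values may be
# double-quoted; this is not a real evtx export.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    reason: str
    record: str


def parse_event(line: str) -> dict:
    """Turn one key=value record into a dict with lower-cased keys."""
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def triage(lines) -> list:
    """Return a Finding for every record matching one of the two indicators."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        channel = ev.get("channel", "").lower()
        try:
            event_id = int(ev.get("eventid", -1))
        except ValueError:
            event_id = -1
        # Sysmon ImageLoad (Event ID 7) carries the loaded DLL in ImageLoaded.
        loaded = ntpath.basename(ev.get("imageloaded", "")).lower()
        if loaded == RAT_MODULE:
            findings.append(Finding(host, "known StilachiRAT module loaded", line))
        if (channel, event_id) in LOG_CLEAR_EVENTS:
            findings.append(Finding(host, "event log cleared", line))
    return findings


# Constructed sample records for the demo (not real telemetry).
SAMPLE_LOG = [
    'host=WS01 channel=Microsoft-Windows-Sysmon/Operational eventid=7 '
    'image="C:\\Windows\\System32\\svchost.exe" imageloaded="C:\\ProgramData\\WWStartupctrl64.dll"',
    'host=WS01 channel=Security eventid=4624 logontype=10',
    'host=WS01 channel=Security eventid=1102 subject="WS01\\user"',
    'host=WS02 channel=Security eventid=4624 logontype=2',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.host}: {f.reason} <- {f.record}")
```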

The disclosure comes as Palo Alto Networks Unit 42 detailed three unusual malware samples it discovered last year, including a passive Internet Information Services (IIS) backdoor developed in C++/CLI, a bootkit that uses an unsecured kernel driver to install GRUB 2, and a Windows implant of a cross-platform framework.

The IIS backdoor is equipped to parse certain incoming HTTP requests containing a predetermined header and execute the commands embedded in them, giving it the ability to run commands, retrieve system metadata, create new processes, execute PowerShell code, and inject shellcode into a running or newly created process.

The bootkit, on the other hand, is a 64-bit DLL that installs a GRUB 2 bootloader image using a legitimately signed kernel driver called ampa.sys. It has been assessed to be a proof of concept (PoC) created by unknown parties from the University of Mississippi.

"Upon reboot, the GRUB 2 bootloader displays an image and periodically plays Dixie through the PC speaker. This behavior may indicate that the malware is a prank," said Unit 42 researcher Dominik Reichel. "Notably, system infection using this custom GRUB 2 image only works on certain disk configurations."
