CTI Roundup: StilachiRAT, Reddit Infostealers, and New Password Reuse Data
New StilachiRAT malware enables crypto theft and reconnaissance, AMOS and Lumma stealers spread via Reddit posts, and 41% of user logins used compromised passwords
This week, CTI investigates a new remote access trojan (RAT) malware called StilachiRAT. Next up, CTI looks at how infostealers are being distributed via Reddit posts. Finally, CTI wraps up with a look at Cloudflare data, revealing that 41% of successful logins use compromised passwords.
New StilachiRAT malware enables crypto theft and reconnaissance
Microsoft discovered a new RAT malware called StilachiRAT, which has various ways of stealing browser credentials, digital wallet data, clipboard information, and system information.
Although currently unattributed, StilachiRAT uses sophisticated techniques to evade detection, establish persistence, and exfiltrate data.
System reconnaissance
StilachiRAT conducts basic reconnaissance to collect information about a target system. It gathers various details, including BIOS serial numbers, camera presence, system information, and more, primarily using the WMI Query Language.
Targeting digital wallets
StilachiRAT targets an extensive list of cryptocurrency wallet extensions within the Chrome browser. To do so, it will access settings in a specific registry key and look to see if any specified extensions are installed. The full list of targeted wallet extensions can be found in Microsoft’s report.
Credential theft
Like many RATs, StilachiRAT is capable of credential theft. Microsoft observed the malware extracting Chrome’s “encryption_key” from the local state in a user directory.
This key is encrypted during installation and must be decrypted using Windows APIs. This allows the actor to access stored credentials within the password vault for extraction. The malware will also collect information, including software installation records and active applications.
Persistence
Microsoft reports that StilachiRAT can operate as a Windows service or independently as a standalone component. A watchdog thread will oversee the files utilized by the malware to ensure they are not deleted, recreating them if they are missing at any time.
Remote Desktop Protocol (RDP) monitoring
StilachiRAT will also monitor RDP sessions to impersonate users, a technique that poses significant risks for servers hosting administrative sessions.
The malware will acquire the current session, initiate foreground windows, and enumerate all RDP sessions. For each identified session, it will replicate its privileges or security token, enabling it to launch applications.
Clipboard monitoring
The malware also comes with a function that enables it to monitor clipboard data. It periodically reads the clipboard and extracts text of interest for exfiltration. To identify relevant text, it matches the clipboard contents against regular expressions for things like passwords, keys, PII, etc.
Anti-forensics
Like most malware, StilachiRAT tries to cover its tracks and complicate analysis. It clears event logs, checks certain system conditions for elements like sandbox timers, and obfuscates its API calls.
Commands
Two different addresses are configured for the command-and-control (C2) server: one address is obfuscated, while the other is converted to binary format. The malware uses TCP ports 53, 443, or 16000 to establish its communications channel. It can then execute various commands to perform a system reboot, clear logs, run applications, manipulate windows, and more.
Analyst comments from Tanium’s Cyber Threat Intelligence team
At this time, there is little information available as to how StilachiRAT is moving onto devices. That said, RAT malware can be delivered in many ways, and basic monitoring and detection are critical to prevent these common initial access vectors. While the malware is not yet being distributed at scale, its capabilities make it worth monitoring.
Microsoft has also shared some recommended mitigation actions, hunting queries, and Defender alerts that may be helpful in identifying activity associated with this threat.
AMOS and Lumma stealers spread via Reddit posts
According to Malwarebytes, the macOS infostealer AMOS and Windows stealer Lumma are currently being distributed via Reddit posts. The lures in this campaign are often cracked software.
What do the Reddit posts include?
The actors behind this campaign are specifically looking for subreddits frequented by cryptocurrency traders and creating posts about free access to a popular trading tool called TradingView.
The post offers lifetime access to a premium version of the platform. What makes this thread more interesting is a comment left on it by the original poster offering support if needed and stating that “a real virus on a Mac would be wild.”
Downloads
Malwarebytes investigated both links and found that the malware is hosted on a website owned by a Dubai cleaning company. The site was found to be running PHP version 7.3.33, which Malwarebytes notes reached end of life back in 2021, leaving it susceptible to compromise.
Double-zipped malware
Both AMOS and Lumma were double zipped, and the second zip requires a password. This should raise a red flag to some victims, as legitimate software downloads are often not double zipped.
Malwarebytes also looked closer at the AMOS macOS stealer and found that the latest version includes checks for the presence of virtual machines and exits if detected.
The Windows malware is loaded by a batch (.bat) file that runs a malicious AutoIt script. The C2 server for this malware is a domain that was registered only recently.
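The double-zip pattern described above is something a download gateway or mail filter can flag mechanically. The following is an added example (not Malwarebytes' or Tanium's code) that walks a zip archive, recurses into zip entries it contains, and reports any inner archive whose entries carry the encrypted flag. Because the Python standard library cannot write password-protected zips, the sample archive is constructed by building a plain zip and setting the "encrypted" bit in its local and central-directory headers, which is an assumed stand-in for a real password-protected inner archive; the file names and contents are constructed.

```python
import io
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"     # local file header signature
ZIP_CENTRAL_SIG = b"PK\x01\x02"   # central directory header signature
ENCRYPTED_FLAG = 0x1              # bit 0 of the general-purpose flag field


def build_zip(files: dict) -> bytes:
    """Build an in-memory, unencrypted zip from a {name: bytes} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


def mark_entries_encrypted(zip_bytes: bytes) -> bytes:
    """Constructed stand-in for a password-protected zip.

    Sets the encrypted flag bit in every local header (flags at offset 6)
    and central directory header (flags at offset 8). The entry contents
    are not actually encrypted; this only exercises the metadata checks a
    detector would make, since zipfile cannot write real encrypted entries.
    """
    data = bytearray(zip_bytes)
    pos = 0
    while (pos := data.find(ZIP_LOCAL_SIG, pos)) != -1:
        data[pos + 6] |= ENCRYPTED_FLAG
        pos += len(ZIP_LOCAL_SIG)
    pos = 0
    while (pos := data.find(ZIP_CENTRAL_SIG, pos)) != -1:
        data[pos + 8] |= ENCRYPTED_FLAG
        pos += len(ZIP_CENTRAL_SIG)
    return bytes(data)


def inspect_archive(zip_bytes: bytes, depth: int = 0, max_depth: int = 3) -> dict:
    """Walk an archive, recursing into nested zips, and report what was found.

    Encrypted entries are recorded but never read (no password available).
    Recursion is capped at max_depth so a chain of nested archives cannot
    run the scanner indefinitely.
    """
    report = {"max_depth": depth, "encrypted_entries": [], "nested_archives": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.flag_bits & ENCRYPTED_FLAG:
                report["encrypted_entries"].append(info.filename)
                continue
            if depth >= max_depth:
                continue
            payload = zf.read(info.filename)
            if not payload.startswith(ZIP_LOCAL_SIG):
                continue
            report["nested_archives"].append(info.filename)
            try:
                inner = inspect_archive(payload, depth + 1, max_depth)
            except zipfile.BadZipFile:
                continue  # looks like a zip but does not parse; leave it flagged as nested
            report["max_depth"] = max(report["max_depth"], inner["max_depth"])
            prefix = info.filename + "/"
            report["encrypted_entries"].extend(prefix + n for n in inner["encrypted_entries"])
            report["nested_archives"].extend(prefix + n for n in inner["nested_archives"])
    return report


def is_suspicious_double_zip(zip_bytes: bytes) -> bool:
    """True when a zip contains another zip whose entries are password-protected."""
    r = inspect_archive(zip_bytes)
    return bool(r["nested_archives"]) and any("/" in e for e in r["encrypted_entries"])


# Constructed sample: an outer zip wrapping an inner "password-protected" zip.
INNER_ZIP = mark_entries_encrypted(build_zip({"TradingView.app": b"constructed placeholder"}))
OUTER_ZIP = build_zip({"TradingView.zip": INNER_ZIP})

if __name__ == "__main__":
    print(inspect_archive(OUTER_ZIP))
    print("suspicious:", is_suspicious_double_zip(OUTER_ZIP))
```

A production scanner would also cap the decompressed size it is willing to read at each level, since the same recursion is what a zip bomb abuses; the depth cap here only bounds nesting, not size.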
Analyst comments from Tanium’s Cyber Threat Intelligence team
The actor behind this campaign is taking social engineering one step further than many cracked software campaigns by including a comment that tries to calm any suspicions the victim may have.
Not only does the comment try to explain away why the device may throw warnings when downloading the software, but it also offers direct support if you have trouble running it. This comment may be just enough to trick more victims compared to campaigns without the offer of “tips.”
Nearly 41% of user logins used compromised passwords
According to Cloudflare’s latest telemetry, 41% of successful logins use compromised passwords.
This is largely the result of password reuse, with many users using the same password for multiple accounts, “creating a ripple effect of risk when their credentials are leaked.”
Analysis scope
Cloudflare analyzed login traffic from websites protected with Cloudflare during September–November 2024.
For sites protected with Cloudflare, entered passwords are hashed and compared to a database of known leaked/compromised credentials. When Cloudflare says leaked credentials, it refers to “usernames and passwords exposed in known data breaches or credential dumps.”
41% of logins at risk
Cloudflare’s first challenge was to differentiate between legitimate logins and logins coming from malicious actors.
To do this, it had to understand human behavior, focusing on successful login attempts. From this data, it was found that roughly 41% of successful human authentication attempts were using leaked credentials. When Cloudflare expanded its analysis to include both human and bot-driven traffic, the share of logins containing leaked passwords rose from 41% to 52%.
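The mechanism described in the Analysis scope section, hashing the submitted password and comparing it against a database of known leaked credentials, is easy to reproduce in a login flow. The block below is an added example, not Cloudflare's implementation: it assumes a k-anonymity range lookup (the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally), and the leaked-password list and login events are constructed sample data. `leaked_login_share` then computes the same kind of figure the page reports: the share of successful logins whose password is already in a breach corpus.

```python
import hashlib

# Constructed sample of passwords seen in past breaches; a stand-in for the
# leaked-credential database, not real breach data.
LEAKED_PASSWORDS = ["password123", "letmein", "qwerty2024", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """Hash the password; only the hash (in fact only its prefix) leaves the client."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords) -> dict:
    """Bucket leaked hashes by their first five hex characters.

    Assumed k-anonymity layout: the lookup service holds hash suffixes
    keyed by prefix, so a query reveals a 20-bit prefix and never the full
    hash of the password being checked.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


def range_query(index: dict, prefix: str) -> set:
    """Service side: return every suffix in the bucket for this prefix."""
    return set(index.get(prefix, ()))


def is_leaked(password: str, index: dict) -> bool:
    """Login-time check: hash locally, send the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(index, digest[:5])


def leaked_login_share(login_events, index: dict) -> dict:
    """Count successful logins whose password is in the leaked set.

    login_events: iterable of (username, password, succeeded) tuples, as an
    authentication service sees them before hashing the password with its
    own storage scheme. Failed attempts are ignored, matching the page's
    focus on successful authentications.
    """
    successful = [e for e in login_events if e[2]]
    leaked = [e for e in successful if is_leaked(e[1], index)]
    share = len(leaked) / len(successful) if successful else 0.0
    return {
        "successful": len(successful),
        "leaked": len(leaked),
        "share": round(share, 3),
        "at_risk_users": sorted({e[0] for e in leaked}),
    }


# Constructed login sample: two failed attempts are ignored, and three of the
# five successful logins reuse a password from the leaked set.
SAMPLE_LOGINS = [
    ("alice", "password123", True),
    ("bob", "c0rrect-h0rse-battery", True),
    ("carol", "letmein", True),
    ("dave", "Summer2023!", True),
    ("erin", "unique-and-long-passphrase", True),
    ("mallory", "password123", False),
    ("trent", "qwerty2024", False),
]

if __name__ == "__main__":
    idx = build_range_index(LEAKED_PASSWORDS)
    print(leaked_login_share(SAMPLE_LOGINS, idx))
```

The check has to run at authentication time, while the plaintext password is briefly available, because the site's own stored password hash (salted, slow) cannot be compared against a breach corpus. A positive result is the signal to step up to MFA or force a password change for that account, which is the "leaked credential detection" the analyst comments recommend.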
Using leaked passwords
Cloudflare determined that 95% of login attempts during credential-stuffing attacks involving leaked passwords originate from bots.
Bots will specifically exploit stolen credentials and can target sites on a large scale. Often, after successfully breaching a single account, a bot will use those credentials against multiple other services, again highlighting the risk of password reuse.
Brute force attacks against WordPress
Cloudflare specifically investigated brute force attacks targeting WordPress sites, which are frequent targets of such attacks. It was discovered that 76% of login attempts using leaked passwords succeeded for WordPress sites.
Analyst comments from Tanium’s Cyber Threat Intelligence team
Although Cloudflare’s analysis is limited to sites using its services (about 20% of all sites), these results will likely reflect trends across the broader internet.
This indicates one important fact: the risk of leaked credentials is significant, and password reuse exacerbates this risk. Frequently changing passwords, particularly after a breach, is beneficial, but multifactor authentication (MFA) and leaked credential detection, as Cloudflare recommends, are essential for improving real-time monitoring.