Microsoft has warned cryptocurrency users about a newly identified malware family, StilachiRAT, which it describes as a remote access trojan (RAT) with advanced capabilities for evading detection and stealing data.
According to the company, StilachiRAT targets cryptocurrency wallets and collects sensitive browser data, including information stored by Google Chrome. It poses a particular risk to cryptocurrency users because it actively scans Chrome for wallet extensions, targeting at least 20 wallets, among them MetaMask, Trust Wallet, Phantom, Coinbase Wallet, BNB Chain Wallet and Bitget Wallet.
Microsoft disclosed that once it identifies wallet extensions, StilachiRAT extracts credentials and configuration details, which can let attackers drain funds from victims’ wallets. It also monitors clipboard activity, looking for cryptocurrency keys or passwords that users may have copied; a copied private key or seed phrase gives an attacker full control of the funds regardless of which wallet software is in use, which makes the RAT a serious threat to digital asset holders.
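As an added illustration of what the RAT is hunting for on a victim host, the Python below is example code written for this article (not Microsoft's analysis tooling or anything from the malware itself). It does two things a defender can run on a workstation: it parses a Chrome `Preferences` / `Secure Preferences` file and lists extensions whose manifest identifies a crypto wallet, and it classifies clipboard-style strings that have the shape of raw key material. The sample preferences JSON and its extension IDs are constructed placeholders, the wallet keyword list is limited to the six names in the article, and the pattern checks are heuristics rather than a definitive test.

```python
"""Exposure check for the two things StilachiRAT is described as hunting for:
wallet extensions in a Chrome profile, and copied key material in the clipboard.
Added example; not Microsoft's code or the malware's. Sample data is constructed."""
from __future__ import annotations

import json
import re

# Wallet names taken from the article's list (the RAT reportedly targets 20+).
WALLET_KEYWORDS = ("metamask", "trust wallet", "phantom", "coinbase", "bnb chain", "bitget")


def find_wallet_extensions(prefs_json: str) -> list[dict]:
    """Return wallet-like extensions from a Chrome 'Preferences' / 'Secure Preferences'
    file. Chrome keys each extension by its 32-letter ID under extensions.settings
    and stores a copy of the manifest next to it."""
    prefs = json.loads(prefs_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    hits = []
    for ext_id, entry in settings.items():
        manifest = entry.get("manifest") or {}
        fields = [manifest.get("name", ""), manifest.get("short_name", ""),
                  manifest.get("description", "")]
        # Localised extensions (MetaMask included) store "__MSG_appName__" as the
        # name, so fall back to short_name/description for a readable label.
        label = next((f for f in fields if f and not f.startswith("__MSG_")),
                     manifest.get("name", ""))
        haystack = " ".join(fields).lower()
        if any(kw in haystack for kw in WALLET_KEYWORDS):
            hits.append({"id": ext_id, "name": label, "enabled": entry.get("state") == 1})
    return sorted(hits, key=lambda h: h["id"])


# Heuristics for clipboard contents a wallet stealer would grab.
HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")              # EVM-style 32-byte private key
WIF_KEY = re.compile(r"^[5KL][1-9A-HJ-NP-Za-km-z]{50,51}$")  # Bitcoin WIF, 51/52 chars
MNEMONIC_LENGTHS = {12, 15, 18, 21, 24}                       # BIP39 phrase sizes


def classify_clipboard(text: str) -> str | None:
    """Label a clipboard string as probable key material, or None if it looks harmless.
    The seed-phrase check only tests shape (N lowercase words), not the BIP39 wordlist."""
    s = text.strip()
    if HEX_KEY.match(s):
        return "hex_private_key"
    if WIF_KEY.match(s):
        return "wif_private_key"
    words = s.split()
    if len(words) in MNEMONIC_LENGTHS and all(w.isalpha() and w.islower() for w in words):
        return "seed_phrase"
    return None


# Constructed sample: the extension IDs below are placeholders, not real Web Store IDs.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"state": 1, "manifest": {
        "name": "__MSG_appName__", "short_name": "MetaMask",
        "description": "An Ethereum Wallet in your Browser"}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"state": 0, "manifest": {
        "name": "Phantom", "description": "A crypto wallet reimagined"}},
    "cccccccccccccccccccccccccccccccc": {"state": 1, "manifest": {
        "name": "Google Docs Offline", "description": "Edit documents offline"}},
}}})

if __name__ == "__main__":
    for ext in find_wallet_extensions(SAMPLE_PREFS):
        print(f"{ext['id']}  {ext['name']:<10} enabled={ext['enabled']}")
    for sample in ("0x" + "ab" * 32, "abandon " * 11 + "about", "hello world"):
        print(repr(sample[:30]), "->", classify_clipboard(sample))
```

On a real machine the preferences file lives under the Chrome user-data directory (`User Data\Default\Preferences` and `Secure Preferences` on Windows); the extension-settings block may sit in either file depending on Chrome version, so check both. The clipboard classifier is the kind of rule a DLP or EDR agent would apply; the malware applies the same idea in reverse, which is why copying a seed phrase even briefly is risky on an untrusted host.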
News reports on the malware indicate that it gives attackers the ability to execute remote commands, clear event logs, and manipulate registry settings to maintain persistent access. It also uses anti-forensic techniques, including detecting analysis tools and delaying its own execution (a common way to outlast automated sandboxes), to bypass security defences.
One of StilachiRAT’s most concerning features is its capability for system reconnaissance. The malware collects detailed information about infected devices, such as operating system data, hardware identifiers, and active applications.
Additionally, Microsoft revealed that the malware monitors Remote Desktop Protocol (RDP) sessions, allowing attackers to impersonate logged-on users and move laterally across networks.
While noting that the malware is not yet widespread, Microsoft stressed the importance of proactive defence by cryptocurrency users and other potential victims.
It cautioned: “Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise.”
The company further explained that StilachiRAT can execute a variety of commands received from its command-and-control (C2) server, including rebooting the system, clearing logs, stealing credentials, launching applications, and manipulating system windows.
Additionally, the malware can suspend the system, modify Windows registry values, and enumerate open windows, a versatile command set suited to both espionage and system manipulation. Each command is identified by a numeric code assigned by the C2 server.
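The persistence and anti-forensic behaviours the article attributes to the RAT, editing registry values to stay resident and clearing event logs, leave traces a defender can look for. The Python below is an added example (not Microsoft's detection content or anything from the StilachiRAT analysis): it classifies Windows Security, System and Sysmon records exported as JSON lines, flags writes to autostart keys and log-clearing activity, and correlates them by the acting process, since one process that both installs an autostart entry and wipes logs looks like a RAT rather than routine administration. The JSON shape, process IDs, paths and SID are constructed for the example; the event IDs (Security 1102, System 104, Sysmon 1 and 13) and the `wevtutil cl` / `Clear-EventLog` commands are real Windows facilities.

```python
"""Detection logic for two behaviours the article attributes to StilachiRAT:
registry-based persistence and event-log clearing. Added example, not Microsoft's
detection content; the records below are constructed in a simplified
EVTX/Sysmon-as-JSON shape, not real telemetry."""
from __future__ import annotations

import json
import re

# Classic autostart locations: HKLM/HKCU Run, RunOnce, and the Winlogon Shell/Userinit values.
AUTOSTART_KEYS = re.compile(
    r"\\Software\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\"
    r"|\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\(Shell|Userinit)$",
    re.IGNORECASE,
)
# Built-in ways to wipe a Windows event log from the command line.
LOG_CLEAR_CMD = re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\b|Clear-EventLog", re.IGNORECASE)


def classify_event(ev: dict) -> tuple[str, str] | None:
    """Map one event to (tag, actor_pid) or None. actor_pid is the process that did the
    thing: the writer for Sysmon 13 (registry value set), the parent for Sysmon 1
    (process create), because a RAT spawns wevtutil rather than clearing logs itself."""
    channel, eid, data = ev.get("Channel", ""), ev.get("EventID"), ev.get("EventData", {})
    sysmon = channel.startswith("Microsoft-Windows-Sysmon")
    if channel == "Security" and eid == 1102:          # "The audit log was cleared"
        return "audit_log_cleared", "n/a"
    if channel == "System" and eid == 104:             # "The <X> log file was cleared"
        return "event_log_cleared", "n/a"
    if sysmon and eid == 13 and AUTOSTART_KEYS.search(data.get("TargetObject", "")):
        return "registry_persistence", str(data.get("ProcessId", "n/a"))
    if sysmon and eid == 1 and LOG_CLEAR_CMD.search(data.get("CommandLine", "")):
        return "log_clear_command", str(data.get("ParentProcessId", "n/a"))
    return None


def detect(lines: list[str]) -> dict:
    """Run classify_event over JSON lines and correlate by actor process."""
    alerts, tags_by_pid = [], {}
    for line in lines:
        ev = json.loads(line)
        hit = classify_event(ev)
        if hit is None:
            continue
        tag, pid = hit
        alerts.append({"time": ev.get("TimeCreated"), "tag": tag, "pid": pid})
        tags_by_pid.setdefault(pid, set()).add(tag)
    # Persistence plus log clearing from the same process is the RAT-like combination.
    suspicious = sorted(
        pid for pid, tags in tags_by_pid.items()
        if pid != "n/a" and "registry_persistence" in tags and any("clear" in t for t in tags)
    )
    return {"alerts": alerts, "suspicious_pids": suspicious}


SYSMON = "Microsoft-Windows-Sysmon/Operational"
USER_HIVE = r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed SID
SAMPLE_LINES = [json.dumps(e) for e in [  # constructed records, not real telemetry
    {"TimeCreated": "2025-03-17T10:00:01Z", "Channel": SYSMON, "EventID": 13, "EventData": {
        "ProcessId": "4242", "Image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
        "TargetObject": USER_HIVE + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
        "Details": r"C:\Users\victim\AppData\Local\Temp\update.exe"}},
    {"TimeCreated": "2025-03-17T10:00:05Z", "Channel": SYSMON, "EventID": 1, "EventData": {
        "ProcessId": "5100", "ParentProcessId": "4242",
        "CommandLine": "wevtutil.exe cl Security"}},
    {"TimeCreated": "2025-03-17T10:00:06Z", "Channel": "Security", "EventID": 1102,
     "EventData": {"SubjectLogonId": "0x3e7"}},
    {"TimeCreated": "2025-03-17T10:01:00Z", "Channel": SYSMON, "EventID": 13, "EventData": {
        "ProcessId": "900", "Image": r"C:\Windows\explorer.exe",
        "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Desktop"}},
    {"TimeCreated": "2025-03-17T10:01:02Z", "Channel": SYSMON, "EventID": 1, "EventData": {
        "ProcessId": "6000", "ParentProcessId": "900", "CommandLine": r"notepad.exe C:\notes.txt"}},
]]

if __name__ == "__main__":
    result = detect(SAMPLE_LINES)
    for a in result["alerts"]:
        print(a["time"], a["tag"], "pid=" + a["pid"])
    print("suspicious:", result["suspicious_pids"])
```

The Security 1102 and System 104 records carry no process ID, which is exactly why the rule also watches for the `wevtutil` / `Clear-EventLog` process creation: the parent of that child is the one worth investigating, and the benign Explorer and Notepad records in the sample show the autostart-key pattern is narrow enough not to fire on ordinary shell activity.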
To mitigate the risk, Microsoft recommended several measures, including downloading software only from official sources, enabling Microsoft Defender real-time protection, turning on cloud-delivered protection, and using SmartScreen to block malicious websites.