
New Trojan Malware StilachiRAT Targets Crypto Browser Wallets, Microsoft Warns


Microsoft has identified a new remote access trojan (RAT) named StilachiRAT, which it says poses a significant threat to cryptocurrency users.

First detected in November 2024, this malware employs advanced techniques to evade detection, maintain persistence, and exfiltrate sensitive data from compromised systems.

Notably, it specifically targets cryptocurrency assets by scanning the Google Chrome extension settings for the configuration data of 20 different wallet extensions. The targeted wallets include MetaMask, Trust Wallet, Coinbase Wallet, Phantom, BNB Chain Wallet, OKX Wallet, and others.
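The practical first question for a defender is which of those wallet extensions are actually installed on a given machine, since that is the exposure the malware looks for. The script below is an added example, not code from the article or from Microsoft: it inventories a Chrome profile by reading the extension names recorded in the profile's Secure Preferences / Preferences JSON and checking whether each matched wallet has data under Local Extension Settings. The wallet names come from the article; the profile layout is Chrome's as of current versions (an assumption to re-check on other builds), and the extension IDs in the constructed sample profile are placeholders, not real store IDs.

```python
"""Inventory cryptocurrency wallet extensions in a Chrome profile.

Added example (not from the article or Microsoft). Reads
extensions.settings.<id>.manifest.name from the profile's
"Secure Preferences" (Windows) or "Preferences" (other platforms) and
reports wallet extensions whose name matches the list from the article.
"""
import json
import os
import tempfile

# Wallet names taken from the article; matched case-insensitively as substrings.
TARGET_WALLET_NAMES = ("metamask", "trust wallet", "coinbase wallet",
                       "phantom", "bnb chain wallet", "okx wallet")


def default_profile_dir():
    """Chrome's default profile on Windows (assumed standard install path)."""
    return os.path.join(os.environ.get("LOCALAPPDATA", ""),
                        "Google", "Chrome", "User Data", "Default")


def installed_extensions(profile_dir):
    """Return {extension_id: manifest name} for every extension in the profile."""
    found = {}
    for fname in ("Secure Preferences", "Preferences"):
        path = os.path.join(profile_dir, fname)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8") as f:
            prefs = json.load(f)
        settings = prefs.get("extensions", {}).get("settings", {})
        for ext_id, entry in settings.items():
            name = entry.get("manifest", {}).get("name")
            if name:
                found.setdefault(ext_id, name)
    return found


def has_local_data(profile_dir, ext_id):
    """True if the extension has a LevelDB store under Local Extension Settings,
    i.e. the kind of on-disk configuration data the article says the RAT reads."""
    return os.path.isdir(os.path.join(profile_dir, "Local Extension Settings", ext_id))


def exposed_wallets(profile_dir):
    """List installed wallet extensions, sorted by name, with a flag for local data."""
    hits = []
    for ext_id, name in installed_extensions(profile_dir).items():
        if any(t in name.lower() for t in TARGET_WALLET_NAMES):
            hits.append({"id": ext_id, "name": name,
                         "has_local_data": has_local_data(profile_dir, ext_id)})
    return sorted(hits, key=lambda h: h["name"])


def build_sample_profile():
    """Constructed, minimal profile lookalike so the example runs offline.
    The 32-character IDs are placeholders, not real Chrome Web Store IDs."""
    root = tempfile.mkdtemp(prefix="chrome_profile_")
    prefs = {"extensions": {"settings": {
        "a" * 32: {"manifest": {"name": "MetaMask", "version": "1.0"}},
        "b" * 32: {"manifest": {"name": "Some Ad Blocker", "version": "2.0"}},
        "c" * 32: {"manifest": {"name": "Phantom", "version": "3.0"}},
    }}}
    with open(os.path.join(root, "Secure Preferences"), "w", encoding="utf-8") as f:
        json.dump(prefs, f)
    # Only the first wallet has on-disk extension storage in this fixture.
    os.makedirs(os.path.join(root, "Local Extension Settings", "a" * 32))
    return root


if __name__ == "__main__":
    target = default_profile_dir()
    if not os.path.isdir(target):
        target = build_sample_profile()
    for hit in exposed_wallets(target):
        print(hit)
```

Run it as the user whose profile you are checking; on a non-Windows host or without Chrome it falls back to the constructed sample profile. A wallet reported with has_local_data set is one whose encrypted vault sits on disk where malware running as that user can read it.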

Capabilities and Targets

StilachiRAT is designed to conduct extensive system reconnaissance, collecting information such as operating system details, hardware identifiers, BIOS serial numbers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface applications.

In addition to cryptocurrency theft, StilachiRAT can extract and decrypt credentials saved in Google Chrome (the key protecting Chrome's password store is wrapped with the Windows Data Protection API, which any code running as the logged-in user can call), monitor clipboard content for sensitive data such as passwords and cryptocurrency keys, and track active windows and applications. The malware also monitors RDP sessions by capturing foreground window information and duplicating security tokens to impersonate users, potentially facilitating lateral movement within networks.

Persistence and Evasion Techniques

To maintain persistence, StilachiRAT can operate either as a Windows service or as a standalone component, employing watchdog threads that monitor its presence and recreate its files if they are removed. The malware communicates with its command-and-control (C2) servers over TCP ports 53 and 443, which blend in with DNS and HTTPS traffic, and can receive commands such as system reboots, log clearing, registry manipulation, application execution, and system suspension.

Microsoft says StilachiRAT employs various anti-forensic and evasion tactics, including clearing event logs to erase evidence and detecting forensic tools, virtual machines, and sandboxes to avoid analysis. These stealthy approaches make it difficult to detect and remove once a system is compromised.
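Each of the behaviours described in the last two paragraphs leaves a trace that is cheap to hunt for even though the binary itself is evasive. The following is an added example, not code from the article or from Microsoft, and not a signature for any particular sample: it encodes three generic rules over a constructed, simplified Windows event feed. Field names are modelled loosely on Sysmon and the System/Security logs and are an assumption to map onto your own SIEM schema; the service name and paths in the sample events are made up for the demonstration.

```python
"""Hunt rules for StilachiRAT-style behaviour over Windows telemetry.

Added example (not from the article or Microsoft). Three behaviours the
article describes, as generic rules:
  * service persistence: new service (System 7045) whose binary lives in
    a user-writable directory
  * C2 on a DNS port: Sysmon 3 TCP connection to port 53 from a process
    that is not a DNS client/server host
  * anti-forensics: Security 1102 / System 104 "audit log was cleared"
"""
import re

# Processes that legitimately speak TCP/53: the DNS client service runs
# inside svchost.exe and dns.exe is the Windows DNS Server role.
# Assumption: extend this allowlist for resolvers used in your fleet.
DNS_PROCESS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\dns.exe",
}

# Directories an unprivileged user can write to; a service binary here is
# a classic sign of malware registering itself for persistence.
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\temp\\", re.IGNORECASE)


def rule_suspicious_service(ev):
    """System 7045: a new service installed from a user-writable path."""
    if ev.get("channel") == "System" and ev.get("event_id") == 7045:
        path = ev.get("image_path", "")
        if USER_WRITABLE.search(path):
            return (f"new service '{ev.get('service_name')}' installed "
                    f"from user-writable path {path}")
    return None


def rule_tcp53_non_dns(ev):
    """Sysmon 3: TCP to port 53 from something other than a DNS component."""
    if ev.get("channel") == "Sysmon" and ev.get("event_id") == 3:
        if ev.get("protocol") == "tcp" and ev.get("dest_port") == 53:
            if ev.get("image", "").lower() not in DNS_PROCESS_ALLOWLIST:
                return (f"{ev['image']} opened TCP/53 to {ev.get('dest_ip')} "
                        f"(possible C2 on a DNS port)")
    return None


def rule_log_cleared(ev):
    """Security 1102 / System 104 are written when an event log is cleared."""
    if (ev.get("channel"), ev.get("event_id")) in {("Security", 1102), ("System", 104)}:
        return f"{ev['channel']} event log cleared by {ev.get('user')}"
    return None


RULES = (rule_suspicious_service, rule_tcp53_non_dns, rule_log_cleared)


def detect(events):
    """Return [(rule_name, message)] for every event that trips a rule."""
    alerts = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                alerts.append((rule.__name__, msg))
    return alerts


# Constructed sample feed; names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"channel": "System", "event_id": 7045, "service_name": "UpdHelperSvc",
     "image_path": r"C:\Users\alice\AppData\Roaming\updhelper\svc.exe"},
    {"channel": "System", "event_id": 7045, "service_name": "VendorAgent",
     "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"channel": "Sysmon", "event_id": 3, "protocol": "tcp", "dest_port": 53,
     "dest_ip": "203.0.113.10", "image": r"C:\Windows\System32\svchost.exe"},
    {"channel": "Sysmon", "event_id": 3, "protocol": "tcp", "dest_port": 53,
     "dest_ip": "203.0.113.10", "image": r"C:\Users\alice\AppData\Roaming\updhelper\svc.exe"},
    {"channel": "Sysmon", "event_id": 3, "protocol": "tcp", "dest_port": 443,
     "dest_ip": "198.51.100.7", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"channel": "Security", "event_id": 1102, "user": "CORP\\alice"},
]

if __name__ == "__main__":
    for name, msg in detect(SAMPLE_EVENTS):
        print(f"[{name}] {msg}")
```

Port 443 is deliberately not alerted on: outbound HTTPS from a browser is normal, and catching C2 there needs destination reputation or TLS metadata rather than a port rule. Note also that the 1102/104 rule only helps if logs are forwarded off the host before the RAT clears them, which is the argument for central log collection in the mitigation list below.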

Mitigation Strategies

To protect against StilachiRAT, security experts recommend several measures:

  • Keep software and operating systems updated: Regularly apply patches to address known vulnerabilities.

  • Use reputable security software: Implement comprehensive security solutions that include antivirus and endpoint detection and response capabilities.

  • Enable Multi-Factor Authentication (MFA): Adding an extra factor limits what a stolen password is worth, although it does not protect a session the malware hijacks on the infected machine itself.

  • Exercise caution with downloads and links: Avoid unverified downloads and be wary of clicking on suspicious links.

  • Monitor system logs: Regularly review logs for unauthorized changes or unusual activity, and forward them to a central collector so that clearing the local event log leaves both a gap and a "log cleared" record rather than erasing the evidence.

For cryptocurrency users, it is particularly important to be aware of the risks associated with browser-based wallets, which store private keys in software on the same machine the malware runs on and are therefore vulnerable to this kind of attack.

Security experts emphasize that the safest way to protect crypto holdings is to store private keys in a hardware wallet or with a qualified custodian. Unlike software-based wallets, hardware wallets keep private keys in a secure chip that never exposes them to the host, require physical confirmation for transactions, and so cannot be emptied by keylogging or credential theft alone. Clipboard hijacking of a destination address is still only defeated if the user verifies the address on the device's own screen before approving.
