Microsoft Uncovers StilachiRAT Malware Targeting Cryptocurrency Wallets
Microsoft's Incident Response team has uncovered a new remote access trojan designed to steal cryptocurrency. The malware, named StilachiRAT, was first detected in November 2024 and targets cryptocurrency wallets by harvesting data from Google Chrome browser extensions. It can steal sensitive information such as saved login credentials, digital wallet details, and data copied to the clipboard. StilachiRAT specifically looks for 20 different cryptocurrency wallet extensions, including popular ones such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet.
Once installed, StilachiRAT scans the device's Chrome settings for any of the targeted wallet extensions. It uses several techniques to steal information, including extracting the encryption key from Chrome's Local State file in order to decrypt saved credentials, and monitoring clipboard activity to capture sensitive data such as passwords and cryptocurrency keys. The malware also includes anti-forensics and evasion features, such as clearing event logs and checking whether it is running in a sandbox or analysis environment so that it can hinder analysis.
StilachiRAT gathers extensive system information, including operating system details, hardware identifiers, and whether a camera is present. It creates a unique identifier for each infected device, derived from the system's serial number and the attackers' public RSA key. The malware connects to remote command-and-control servers over TCP port 53, 443, or 16000, chosen at random. It checks for the presence of network-monitoring tools and delays its initial connection by two hours to avoid detection during security scans. StilachiRAT can run either as a Windows service or as a standalone component, and it has mechanisms to resist removal: a watchdog thread monitors both the EXE and the DLL and recreates them from an internal copy if either is deleted.
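Several of the behaviours described above (clearing event logs, connecting out on TCP 53/443/16000, and recreating a deleted EXE or DLL) leave traces in ordinary Windows and Sysmon telemetry. The following is an added example of detection logic, not code from Microsoft's report: it runs over a handful of constructed Sysmon-style events (Sysmon 3 network connection, 11 file create, 23 file delete, plus Windows 1102/104 log-cleared events) and only alerts when a host shows at least two of the behaviours, because a single connection on 53 or 443 is far too common to act on alone. The process allowlist, the five-minute recreate window, and every event in `SAMPLE_EVENTS` are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the report says StilachiRAT picks from for C2; 53 and 443 are noisy on their own.
C2_PORTS = {53, 443, 16000}
# Processes expected to talk on those ports (assumption: tune this to your own estate).
EXPECTED_NET_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "svchost.exe", "dns.exe"}
# How soon after a delete a re-created binary counts as "self-healing" (assumption).
RECREATE_WINDOW = timedelta(minutes=5)

# Constructed Sysmon/Windows-style events for the example; not real telemetry.
SAMPLE_EVENTS = [
    {"t": "2025-03-17T09:00:00", "host": "WS01", "id": 3,
     "image": r"C:\ProgramData\svc\helper.exe", "dst_port": 16000},
    {"t": "2025-03-17T09:00:05", "host": "WS01", "id": 1102},          # Security log cleared
    {"t": "2025-03-17T09:01:00", "host": "WS01", "id": 23,
     "image": r"C:\Windows\System32\cmd.exe", "target": r"C:\ProgramData\svc\helper.dll"},
    {"t": "2025-03-17T09:01:02", "host": "WS01", "id": 11,
     "image": r"C:\ProgramData\svc\helper.exe", "target": r"C:\ProgramData\svc\helper.dll"},
    # Benign host: browser on 443 and an ordinary file create; no alert expected.
    {"t": "2025-03-17T09:02:00", "host": "WS02", "id": 3,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_port": 443},
    {"t": "2025-03-17T09:02:10", "host": "WS02", "id": 11,
     "image": r"C:\Windows\explorer.exe", "target": r"C:\Users\alice\notes.txt"},
]


def _proc(image):
    """Basename of a Windows image path, lower-cased for allowlist comparison."""
    return image.rsplit("\\", 1)[-1].lower()


def signals_per_host(events):
    """Map host -> sorted list of behaviour signals seen in its events."""
    found = defaultdict(set)
    deleted = {}  # (host, lower-cased path) -> time of the last FileDelete
    for ev in sorted(events, key=lambda e: e["t"]):
        ts = datetime.fromisoformat(ev["t"])
        host, eid = ev["host"], ev["id"]
        if eid in (1102, 104):
            # 1102: Security log cleared; 104: System log cleared.
            found[host].add("event_log_cleared")
        elif eid == 3 and ev.get("dst_port") in C2_PORTS:
            # Sysmon 3: outbound connection on a C2 port from a process we do not expect there.
            if _proc(ev["image"]) not in EXPECTED_NET_PROCS:
                found[host].add(f"unexpected_port_{ev['dst_port']}")
        elif eid == 23:
            # Sysmon 23: remember when a file was deleted.
            deleted[(host, ev["target"].lower())] = ts
        elif eid == 11:
            # Sysmon 11: an EXE/DLL reappearing shortly after deletion matches the watchdog behaviour.
            key = (host, ev["target"].lower())
            if (key in deleted and ts - deleted[key] <= RECREATE_WINDOW
                    and key[1].endswith((".exe", ".dll"))):
                found[host].add("binary_recreated_after_delete")
    return {h: sorted(s) for h, s in found.items()}


def alerts(events, min_signals=2):
    """Hosts showing at least min_signals distinct behaviours; one hit on 53/443 alone is not enough."""
    return {h: s for h, s in signals_per_host(events).items() if len(s) >= min_signals}


if __name__ == "__main__":
    for host, sigs in alerts(SAMPLE_EVENTS).items():
        print(host, sigs)
```

The two-hour delay before the first C2 connection is not modelled here; in practice you would correlate a new service installation (System 7045) with the first outbound connection from that service's image roughly two hours later, which is a longer-window join better done in a SIEM than in a single pass over events.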
The malware can execute a range of commands received from the control servers, including rebooting the system, clearing logs, stealing credentials, and launching applications. It can also suspend the system, modify Windows registry values, and enumerate open windows, giving it a versatile command set for both spying and system control. Microsoft recommends several protection measures, including running antivirus software with cloud-based anti-phishing components, downloading software only from official websites or trusted sources, and using browsers that support SmartScreen to identify and block malicious websites. For organizations using Office 365, Microsoft advises enabling Safe Links and Safe Attachments for additional protection against malicious content.
Microsoft has not been able to identify the creators of StilachiRAT or link it to any specific threat actor or location. Although the malware does not appear to be widespread at the moment, the company has shared its findings to help protect users from this emerging threat. The rise of StilachiRAT comes amid increasing cryptocurrency-related crime, highlighting the need for enhanced security measures to prevent initial compromise and reduce the potential impact of such threats. Microsoft continues to monitor information about how StilachiRAT spreads and emphasizes the importance of security hardening measures to protect against evolving threats.