Microsoft has alerted users to a newly identified malware, StilachiRAT.
In an announcement, Microsoft described StilachiRAT as a remote access trojan (RAT) with advanced capabilities to evade detection and steal data.
StilachiRAT targets cryptocurrency wallets and collects sensitive browser information, including data from Google Chrome.
The malware poses significant risks to cryptocurrency users by actively scanning for wallet extensions in Chrome, targeting at least 20 wallets such as MetaMask, Trust Wallet, Phantom, Coinbase, BNB Chain, and Bitget Wallet.
Once it identifies wallet extensions, StilachiRAT extracts credentials and configuration details, enabling attackers to drain funds from victims’ wallets.
StilachiRAT also monitors clipboard activity, searching for cryptocurrency keys or passwords that users may have copied. This makes it a serious security threat for digital asset holders.
- The malware grants attackers the ability to execute remote commands, clear logs, and manipulate registry settings to maintain persistent access. It uses anti-forensic techniques, including identifying analysis tools and delaying execution, to bypass security defences.
- One of StilachiRAT’s most concerning features is its capability for system reconnaissance. The malware collects detailed information about infected devices, such as operating system data, hardware identifiers, and active applications.
Additionally, it monitors Remote Desktop Protocol sessions, allowing attackers to impersonate users and spread laterally across networks.
While the malware is not yet widespread, Microsoft has emphasised the importance of proactive defence. “Malware like StilachiRAT can be installed through multiple vectors; therefore, it is critical to implement security hardening measures to prevent the initial compromise,” the company warned.
StilachiRAT can launch various commands received from the C2 server. These commands include system reboot, log clearing, credential theft, executing applications, and manipulating system windows.
Additionally, it can suspend the system, modify Windows registry values, and enumerate open windows, indicating a versatile command set for both espionage and system manipulation. The C2 server’s command structure assigns specific numbers to what commands it will initiate.
To mitigate risks, Microsoft recommended several measures such as downloading software only from official sources, enabling Microsoft Defender real-time protection, turning on cloud-delivered security, and utilising SmartScreen to block malicious websites.
