
Microsoft has raised alarms about StilachiRAT, a sophisticated malware targeting cryptocurrency data. Although its distribution is limited, its potential to steal valuable data prompted Microsoft to share its findings with cybersecurity experts.
Microsoft has uncovered a previously unknown remote access trojan (RAT), named StilachiRAT, designed to steal sensitive data while evading detection. The malware primarily targets cryptocurrency wallets and is capable of infiltrating systems to exfiltrate a variety of data, including usernames, passwords, and cryptocurrency keys.
StilachiRAT is specifically designed to steal information from 20 popular cryptocurrency wallet extensions for Google Chrome, such as MetaMask, Coinbase Wallet, Trust Wallet, and TronLink. By extracting configuration files from these wallets, the malware gives attackers access to users’ cryptocurrency accounts. Additionally, it has the ability to decrypt and steal saved credentials from Chrome’s password manager, further compromising users’ online security.
In addition to stealing credentials, StilachiRAT is capable of gathering extensive system data, monitoring clipboard activity for sensitive information like passwords or cryptocurrency keys, and tracking open windows and active applications. These capabilities allow the malware to provide attackers with comprehensive insight into user activities and stored sensitive data.
StilachiRAT malware poses stealthy threat
What makes StilachiRAT particularly dangerous is its ability to evade detection. The malware deletes system logs and checks system settings before executing its malicious commands, making it difficult for traditional security software to recognize and remove it. This ensures that the trojan remains persistent on the infected system without raising alarms.
While Microsoft has not identified a specific threat actor or region tied to StilachiRAT, it has raised red flags due to its sophisticated nature and focus on cryptocurrency-related data. The malware’s distribution appears to be limited for now, but its potential for stealing highly valuable data has led Microsoft to share its findings with the cybersecurity community.
StilachiRAT can execute a variety of remote commands, including rebooting the system, stealing credentials, launching applications, and manipulating system windows. It also has the ability to modify Windows registry settings and suspend the system, making it a tool for espionage and system manipulation.
The discovery of StilachiRAT serves as a critical reminder for users, particularly cryptocurrency holders, to implement strong security practices and be vigilant against emerging cyber threats.