Microsoft identifies new RAT targeting cryptocurrency wallets and more
Microsoft has identified a previously unknown remote access trojan, dubbed StilachiRAT, that employs advanced techniques to evade detection and maintain persistence on infected systems.
The malware is designed to exfiltrate a wide range of sensitive data, including configuration files from 20 cryptocurrency wallet extensions for the Google Chrome browser. Among the targeted wallets are MetaMask, Coinbase Wallet, Trust Wallet, and TronLink.
StilachiRAT can also extract and decrypt saved credentials from Chrome, giving attackers access to stored usernames and passwords, Microsoft said.
Beyond stealing credentials, the malware gathers extensive system information, monitors clipboard activity for sensitive data such as passwords and cryptocurrency keys, and tracks active windows and applications, the report said.
To avoid detection, StilachiRAT deletes system logs and checks the computer’s settings before executing its commands.
Microsoft has not traced the malware to any known threat actor or geographic region, and its distribution appears to be limited at this stage. However, researchers decided to share their findings due to the malware's stealthiness and its ability to collect a wide range of data.
StilachiRAT can execute a variety of commands received from its command-and-control (C2) server. These include rebooting the system, clearing logs, stealing credentials, launching applications, and manipulating system windows.
The malware can also suspend the system and modify Windows registry settings, highlighting its potential for both espionage and system manipulation, Microsoft said.
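One defensive check that follows from the log-clearing behaviour described above is to alert on the events Windows writes when a log is wiped, since the act of clearing is itself recorded. The script below is an added example written for this article; it is not Microsoft's tooling and is not derived from StilachiRAT. It assumes a simple constructed export format (`time|channel|event_id|user|detail`) and uses two documented Windows event IDs: Security 1102 ("The audit log was cleared") and System 104 ("The event log file was cleared"). It flags every such event and raises a higher-priority alert when one account clears several log channels within a short window, the pattern a tool that "deletes system logs" before acting would leave behind.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Documented Windows event IDs that record a log being cleared:
#   Security 1102 = "The audit log was cleared"
#   System   104  = "The event log file was cleared"
LOG_CLEARED_IDS = {("Security", 1102), ("System", 104)}

# Constructed sample export (hypothetical host, users and timestamps), one event per line:
# time|channel|event_id|user|detail
SAMPLE_LOG = """\
2025-03-17T09:58:40|Security|4624|CORP\\jdoe|logon type 2
2025-03-17T10:02:11|Security|1102|CORP\\jdoe|audit log cleared
2025-03-17T10:02:13|System|104|CORP\\jdoe|event log cleared: System
2025-03-17T10:02:14|System|104|CORP\\jdoe|event log cleared: Application
2025-03-17T11:30:00|System|104|CORP\\backupadmin|event log cleared: Application
"""


@dataclass
class Event:
    time: datetime
    channel: str
    event_id: int
    user: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one line of the constructed 'time|channel|id|user|detail' format."""
    ts, channel, eid, user, detail = line.strip().split("|", 4)
    return Event(datetime.fromisoformat(ts), channel, int(eid), user, detail)


def parse_log(text: str) -> List[Event]:
    """Parse every non-empty line of an export into Event records."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def log_clear_events(events: List[Event]) -> List[Event]:
    """Return every event that records a log channel being cleared."""
    return [e for e in events if (e.channel, e.event_id) in LOG_CLEARED_IDS]


def clear_bursts(events: List[Event], window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Higher-priority alerts: one account clearing two or more channels inside `window`.

    A single clear may be routine maintenance; several channels wiped within minutes by
    the same account is the pattern a log-deleting implant leaves behind.
    """
    by_user: Dict[str, List[Event]] = {}
    for e in log_clear_events(events):
        by_user.setdefault(e.user, []).append(e)

    alerts = []
    for user, clears in by_user.items():
        clears.sort(key=lambda e: e.time)
        channels = {e.channel for e in clears}
        span = clears[-1].time - clears[0].time
        if len(channels) >= 2 and span <= window:
            alerts.append({
                "user": user,
                "channels": sorted(channels),
                "count": len(clears),
                "first": clears[0].time,
                "last": clears[-1].time,
            })
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for e in log_clear_events(events):
        print(f"[log cleared] {e.time.isoformat()} {e.channel}/{e.event_id} by {e.user}: {e.detail}")
    for a in clear_bursts(events):
        print(f"[BURST] {a['user']} cleared {a['channels']} ({a['count']} events) "
              f"between {a['first'].time()} and {a['last'].time()}")
```

Run against the constructed sample, the script lists all four clear events and raises one burst alert for `CORP\jdoe`, who wiped both the Security and System channels within seconds; the single clear by `CORP\backupadmin` is reported but not escalated. In production the same logic would be fed from forwarded event logs rather than an inline string, which is also why log forwarding matters: an implant that clears local logs cannot retract copies already shipped to a collector.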
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.