Microsoft Uncovers StilachiRAT: A new Trojan targeting Crypto wallets

March 18, 2025

Microsoft's Incident Response team discovered a novel remote access trojan (RAT) dubbed StilachiRAT, which exhibits advanced methods to avoid detection, maintain persistence, and exfiltrate sensitive data. The malware specifically targets cryptocurrency wallets and credentials stored in the Google Chrome browser.

According to Microsoft's analysis, StilachiRAT collects extensive system information, including operating system details, hardware identifiers, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.

It also scans for configuration data from 20 different cryptocurrency wallet extensions in Chrome, such as Coinbase Wallet, Trust Wallet, MetaMask, and OKX Wallet. Additionally, the malware extracts and decrypts saved credentials from Chrome, gaining access to usernames and passwords stored in the browser. 

According to the report, the malware establishes communication with remote command-and-control (C2) servers using TCP ports 53, 443, or 16000, enabling remote command execution and potential proxying. It supports various commands from the C2 server, including system reboots, log clearing, registry manipulation, application execution, and system suspension.

StilachiRAT achieves persistence through the Windows Service Control Manager and uses watchdog threads to ensure self-reinstatement if removed.
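The two behaviours described above that a defender can most readily turn into telemetry checks are the unusual C2 ports (TCP 53, 443 or 16000) and the persistence via the Service Control Manager. The following Python triage helper is an added example, not code from Microsoft's report or from the malware itself. It runs simple heuristics over constructed sample events: a TCP connection to port 53 from anything other than the Windows DNS client host process, any connection to port 16000, an HTTPS connection from a binary living in a user-writable directory, and a service-installation event (Windows System log event ID 7045) whose image path is in such a directory. The event field names, the directory list and the "expected DNS process" set are assumptions for the example, not a real EDR schema.

```python
"""Triage helper for behaviours described in Microsoft's StilachiRAT
report: C2 traffic on TCP 53, 443 or 16000 and persistence through a
newly installed Windows service.  All sample events are constructed for
this example; the field names are assumptions, not a real EDR schema."""
from dataclasses import dataclass

# TCP ports the report names as C2 channels. 443 is far too common to
# alert on by itself, so it is only flagged together with a suspicious
# process location; TCP/53 and 16000 are rare enough to score directly.
C2_PORTS = {53, 443, 16000}

# Process that legitimately carries DNS traffic on Windows (the DNS
# client service runs inside svchost). Assumption for this example.
EXPECTED_DNS_PROCESSES = {"svchost.exe"}

# Path fragments that a legitimate service binary rarely lives under
# (writable by standard users). Heuristic chosen for this example.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


@dataclass
class NetEvent:
    image_path: str   # full path of the process that opened the socket
    dst_port: int
    proto: str        # "tcp" or "udp"


@dataclass
class ServiceInstallEvent:   # models Windows System log event ID 7045
    service_name: str
    image_path: str


def in_user_writable(path: str) -> bool:
    """True if the path sits under a directory standard users can write to."""
    p = path.lower()
    return any(fragment in p for fragment in USER_WRITABLE)


def score_net_event(ev: NetEvent) -> list[str]:
    """Return the reasons (possibly none) a connection resembles the C2 pattern."""
    reasons = []
    if ev.proto != "tcp" or ev.dst_port not in C2_PORTS:
        return reasons
    name = ev.image_path.lower().rsplit("\\", 1)[-1]
    if ev.dst_port == 53 and name not in EXPECTED_DNS_PROCESSES:
        reasons.append(f"TCP/53 from non-DNS process {name}")
    if ev.dst_port == 16000:
        reasons.append(f"connection to rare port 16000 from {name}")
    if ev.dst_port == 443 and in_user_writable(ev.image_path):
        reasons.append(f"port 443 from binary in user-writable path {ev.image_path}")
    return reasons


def score_service_install(ev: ServiceInstallEvent) -> list[str]:
    """Flag a new service whose binary is in a user-writable location."""
    reasons = []
    if in_user_writable(ev.image_path):
        reasons.append(f"service {ev.service_name} installed from {ev.image_path}")
    return reasons


def triage(net_events, svc_events):
    """Combine both checks into a list of (source, reason) findings."""
    findings = []
    for ev in net_events:
        findings.extend(("network", r) for r in score_net_event(ev))
    for ev in svc_events:
        findings.extend(("service", r) for r in score_service_install(ev))
    return findings


# Constructed sample telemetry: two benign entries, four suspicious ones.
SAMPLE_NET = [
    NetEvent("C:\\Windows\\System32\\svchost.exe", 53, "tcp"),          # benign
    NetEvent("C:\\Program Files\\Mozilla Firefox\\firefox.exe", 443, "tcp"),  # benign
    NetEvent("C:\\Users\\alice\\AppData\\Roaming\\update.exe", 16000, "tcp"),
    NetEvent("C:\\Users\\alice\\AppData\\Roaming\\update.exe", 53, "tcp"),
    NetEvent("C:\\Users\\alice\\AppData\\Roaming\\update.exe", 53, "udp"),  # UDP DNS, ignored
    NetEvent("C:\\ProgramData\\svc\\update.exe", 443, "tcp"),
]
SAMPLE_SVC = [
    ServiceInstallEvent("wuauserv", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ServiceInstallEvent("WinSysUpdate", "C:\\Users\\alice\\AppData\\Roaming\\update.exe"),
]

if __name__ == "__main__":
    for source, reason in triage(SAMPLE_NET, SAMPLE_SVC):
        print(f"[{source}] {reason}")
```

The heuristics are deliberately coarse: on a real fleet the port-443 check would need an allowlist of known installers and per-user applications, and the TCP/53 check assumes no local resolver other than the DNS client service. The point is that each behaviour the report attributes to StilachiRAT maps to a concrete, low-cost telemetry question rather than to a single file hash.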

What Can Users Do?

To defend against such threats, Microsoft recommends downloading software only from official or reputable sources, using web browsers that support features like SmartScreen to identify and block malicious websites, and enabling security features such as Safe Links and Safe Attachments in Office 365.

Additionally, implementing security hardening measures, such as enabling tamper protection in Microsoft Defender for Endpoint and turning on cloud-delivered protection, can help prevent initial compromises by malware like StilachiRAT.

The emergence of StilachiRAT highlights the evolving tactics of cybercriminals, who are increasingly focusing on digital wallets due to the high value of cryptocurrencies. Users are advised to implement strong security protocols, regularly update software, use multi-factor authentication, and remain vigilant against phishing attempts to safeguard their digital assets.
