A new and highly sophisticated remote access trojan (RAT), called StilachiRAT, poses significant threats to organizations and individual users due to its advanced evasion techniques, persistent mechanisms, and capabilities for stealing sensitive data.
Microsoft Incident Response has identified that StilachiRAT utilizes multiple methods to infiltrate and exploit its targets, as detailed in an extensive security analysis.
It achieves persistence by leveraging the Windows service control manager (SCM) together with watchdog threads, which reinstate the malware if it is removed. For anti-forensics and detection evasion, it relies on sandbox-evading techniques, log clearing, and API obfuscation to avoid identification.
The malware conducts extensive system reconnaissance by collecting operating system details, hardware identifiers, and information about running applications and active RDP sessions.
The RAT actively scans clipboard content, searching for sensitive information like passwords and cryptocurrency keys to exfiltrate, and extracts and decrypts saved credentials from Google Chrome’s password vault using Windows APIs that leverage the current user’s authentication context.
One of StilachiRAT's standout features is its targeted attack on cryptocurrency wallets managed via browser extensions. Its ability to scan configuration data and clipboard activity tied to cryptocurrency keys increases the risk of significant financial theft.
It specifically targets over 20 cryptocurrency wallet extensions in Google Chrome – associated with the Tron cryptocurrency blockchain, which is popular in Asia and especially in China – enabling the theft of configuration data and private keys.
It can also communicate with remote command-and-control (C2) servers to execute commands, such as system reboots, log clearing, registry manipulation, and application execution.
In another case last year, a new RAT infected Android devices via smishing, aiming for Account Takeover (ATO) via a well-known technique called On Device Fraud (ODF).