StilachiRAT

What is StilachiRAT? Why do crypto users need to know about it?

StilachiRAT is a sophisticated remote access trojan (RAT) first identified by Microsoft’s Incident Response team in November 2024. This malware exhibits advanced capabilities to evade detection, maintain persistence, and exfiltrate sensitive data from compromised systems.

What does StilachiRAT do?

  • Collects detailed system information, including operating system details, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running graphical user interface (GUI) applications.
  • Extracts and decrypts credentials stored in the Google Chrome browser, gaining access to usernames and passwords.
  • Continuously monitors clipboard content, searching for sensitive data such as passwords and cryptocurrency keys, and tracks active windows and applications.
  • Clears event logs and checks for analysis tools and sandbox environments to evade detection.

Crypto wallets being targeted by StilachiRAT

StilachiRAT targets a fixed list of cryptocurrency wallet extensions for the Google Chrome browser. The following are the wallets Microsoft identified as being targeted:

  • Bitget Wallet
  • Trust Wallet
  • TronLink
  • Metamask
  • TokenPocket
  • BNB Chain Wallet
  • OKX Wallet
  • SUI Wallet
  • Coinbase Wallet
  • Leap Wallet
  • Manta Wallet
  • Keplr
  • Phantom
  • Compass Wallet
  • Math Wallet
  • Fractal Wallet
  • Station Wallet
  • Conflux Portal
  • Plug

It is worrying that some of these are among the most widely used wallets in the cryptocurrency world, for example MetaMask, TokenPocket, OKX Wallet, Keplr, Bitget, and TronLink. Keep these wallets updated to the latest version and protected from compromise, because on an infected system the trojan can send your wallet information out without you knowing about it.

How to be safe from StilachiRAT on your Windows PC

To protect against threats like StilachiRAT, consider the following measures:

  • Implement Security Hardening: Strengthen system defenses to prevent initial compromises, as malware like StilachiRAT can be installed through multiple vectors.
  • Use Robust Security Solutions: Deploy comprehensive security software capable of detecting and mitigating advanced threats.
  • Exercise Caution with Software Sources: Download software only from legitimate sources to reduce the risk of malware installation.
  • Enable Tamper Protection: Microsoft has also suggested that users enable tamper protection in Microsoft Defender for Endpoint.
  • Run EDR in Block Mode: Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
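As an added example (not from the article or from Microsoft), the PowerShell below audits a Windows PC against the two Defender-specific recommendations above and also looks for the event-log clearing behaviour described earlier. It assumes Windows 10/11 with the built-in Defender PowerShell module and an elevated prompt; the function name is my own.

```powershell
# Added example: check the Defender posture recommended above and look for
# recent audit-log clearing (Security event ID 1102). Run elevated.
function Test-DefenderPostureForStilachiRat {
    [CmdletBinding()]
    param([int]$LookbackDays = 7)

    $status = Get-MpComputerStatus
    $checks = @()

    # Recommendation: tamper protection enabled in Microsoft Defender for Endpoint.
    $checks += [pscustomobject]@{
        Check  = 'Tamper protection enabled'
        Passed = [bool]$status.IsTamperProtected
        Detail = "IsTamperProtected = $($status.IsTamperProtected)"
    }

    # Recommendation: EDR in block mode. AMRunningMode reports 'EDR Block Mode'
    # when Defender for Endpoint blocks behind a third-party AV; 'Normal' means
    # Defender AV itself is active. Either passive mode value is a gap.
    $mode = $status.AMRunningMode
    $checks += [pscustomobject]@{
        Check  = 'Defender active or EDR block mode (not passive)'
        Passed = ($mode -eq 'Normal' -or $mode -eq 'EDR Block Mode')
        Detail = "AMRunningMode = $mode"
    }

    $checks += [pscustomobject]@{
        Check  = 'Real-time protection on'
        Passed = [bool]$status.RealTimeProtectionEnabled
        Detail = "RealTimeProtectionEnabled = $($status.RealTimeProtectionEnabled)"
    }

    # Behaviour to watch for: the RAT clears event logs. Event 1102 records
    # that the Security audit log was cleared; none in the window is a pass.
    $since  = (Get-Date).AddDays(-$LookbackDays)
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102; StartTime = $since } `
                 -ErrorAction SilentlyContinue)
    $checks += [pscustomobject]@{
        Check  = "No Security log clearing in last $LookbackDays days"
        Passed = ($cleared.Count -eq 0)
        Detail = "Event 1102 count = $($cleared.Count)"
    }

    foreach ($c in $checks) {
        $mark = if ($c.Passed) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1} ({2})" -f $mark, $c.Check, $c.Detail)
    }
    return $checks
}

Test-DefenderPostureForStilachiRat | Out-Null
```

A FAIL on the audit-log line is not proof of infection, only a prompt to investigate who cleared the log and when.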

Source: Microsoft
