Microsoft has disclosed a new Remote Access Trojan (RAT), StilachiRAT, that targets cryptocurrency wallet extensions in the Google Chrome browser in order to steal saved credentials and drain the wallets behind them.

Source: Microsoft official website

Microsoft's incident response researchers first identified the malware in November 2024 and warn that it poses a significant threat to the assets of cryptocurrency holders.

How the malware operates

Reports indicate that StilachiRAT extracts credentials stored in the browser, scans the device for cryptocurrency wallet extensions, and captures sensitive data such as private keys and passwords. It targets at least 20 wallet extensions, among them Bitget Wallet, Trust Wallet, Coinbase Wallet, MetaMask, TronLink, BNB Chain Wallet and OKX Wallet. Once deployed, it harvests clipboard contents and saved credentials, which is all an attacker needs to move funds out of the victim's wallets.

The study also shows that StilachiRAT operates stealthily and uses several evasion techniques to avoid detection. The component Microsoft analysed is a DLL named WWStartupCtrl64.dll; once running, it executes commands sent by the attacker to control the infected system. It scans the device for the targeted wallet extensions and reads Google Chrome's Local State file, which holds the encryption key protecting the browser's saved passwords. That key is itself protected with Windows APIs tied to the logged-in user, so the malware decrypts it in the victim's own context and then recovers the stored credentials.

Additionally, a key feature of this malware is clipboard monitoring: if a user copies a wallet address or password, StilachiRAT can capture that content and send it to the attacker.

The research also found that the Trojan has anti-forensic capabilities, such as clearing Windows event logs and detecting sandbox environments, to hinder analysis by security researchers.
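Two of the behaviours named above leave traces a SOC can alert on: the load of the WWStartupCtrl64.dll module, and the clearing of event logs, which Windows itself records as Security event 1102 (audit log cleared) and System event 104 (log file cleared). The Python below is an added example written for this page, not Microsoft's detection content: it runs those two rules over constructed events in a flat form a SIEM might export, then correlates a log clear shortly after the module load on the same host. The hostnames, timestamps and the DLL path are invented (the text gives only the file name); Sysmon event 7 as "Image loaded" and the 1102/104 IDs are standard Windows values.

```python
"""Added example (not Microsoft's or StilachiRAT's code): detection logic for the
two behaviours named in the text, run over constructed Windows event records."""
from datetime import datetime, timedelta

# Constructed sample events. Paths, hosts and times are invented; the event IDs
# are the standard Sysmon (7 = Image loaded) and Windows (1102, 104) ones.
SAMPLE_EVENTS = [
    {"time": "2025-03-10T09:00:05", "host": "WS01", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 7, "image": "C:\\Windows\\System32\\svchost.exe",
     "image_loaded": "C:\\Windows\\System32\\kernel32.dll", "signed": "true"},
    {"time": "2025-03-10T09:01:12", "host": "WS01", "channel": "Microsoft-Windows-Sysmon/Operational",
     "event_id": 7, "image": "C:\\Windows\\System32\\rundll32.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\WWStartupCtrl64.dll", "signed": "false"},
    {"time": "2025-03-10T09:02:40", "host": "WS01", "channel": "Security",
     "event_id": 4624, "subject": "alice"},
    {"time": "2025-03-10T09:06:03", "host": "WS01", "channel": "Security",
     "event_id": 1102, "subject": "alice"},
    {"time": "2025-03-10T09:06:04", "host": "WS01", "channel": "System",
     "event_id": 104, "subject": "alice"},
    {"time": "2025-03-10T11:30:00", "host": "WS02", "channel": "System",
     "event_id": 104, "subject": "patch-svc"},
]

SUSPICIOUS_MODULES = {"wwstartupctrl64.dll"}          # module name taken from the text
LOG_CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def _alert_base(ev):
    return {"time": ev["time"], "host": ev["host"]}


def detect(events):
    """Return one alert per matching event. Two rules:
    - the known StilachiRAT module name loaded into any process (Sysmon 7)
    - an event log cleared (Security 1102 / System 104), the anti-forensic step.
    Log clearing alone is common during administration, so it is only medium."""
    alerts = []
    for ev in events:
        if ev["event_id"] == 7 and ev["channel"].endswith("Sysmon/Operational"):
            module = ev["image_loaded"].rsplit("\\", 1)[-1].lower()
            if module in SUSPICIOUS_MODULES:
                alerts.append({**_alert_base(ev), "rule": "stilachirat_module_loaded",
                               "severity": "high", "process": ev["image"]})
        if (ev["channel"], ev["event_id"]) in LOG_CLEAR_EVENTS:
            alerts.append({**_alert_base(ev), "rule": "event_log_cleared",
                           "severity": "medium", "subject": ev.get("subject")})
    return alerts


def correlate(alerts, window=timedelta(minutes=10)):
    """Return the hosts where a log clear followed the module load within the
    window: the install-then-wipe sequence the text describes, which turns a
    noisy medium alert into a high-confidence one."""
    hosts = set()
    loads = [a for a in alerts if a["rule"] == "stilachirat_module_loaded"]
    clears = [a for a in alerts if a["rule"] == "event_log_cleared"]
    for load in loads:
        t0 = datetime.fromisoformat(load["time"])
        for clear in clears:
            delta = datetime.fromisoformat(clear["time"]) - t0
            if clear["host"] == load["host"] and timedelta(0) <= delta <= window:
                hosts.add(load["host"])
    return hosts


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a["time"], a["host"], a["rule"], a["severity"])
    print("escalate:", sorted(correlate(found)))
```

On the sample data the standalone log clear on WS02 stays at medium, while WS01, where the clear follows the module load by about five minutes, is escalated. Once the logs have been wiped on the endpoint, the 1102/104 records themselves and any Sysmon events already forwarded to a collector are often the only evidence left, which is the practical reason to ship logs off the host rather than rely on local retention.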

Proactive prevention and security recommendations

Microsoft has not yet attributed the malware to a specific threat actor, but warns that, given how quickly the malware ecosystem evolves, StilachiRAT could change and spread rapidly.

Microsoft said in its blog post that, based on its current visibility, the malware has not been widely distributed; however, its stealth capabilities and the pace of change in the malware ecosystem led the company to publish the findings as part of its ongoing monitoring, analysis and reporting on the evolving threat landscape.

To avoid falling victim to StilachiRAT and similar threats, Microsoft recommends running antivirus software, enabling cloud-based anti-phishing and anti-malware protection, and installing browser extensions only from trusted sources.

Users should also be careful when copying and pasting wallet addresses and passwords, since malware like StilachiRAT specifically harvests clipboard data.

Conclusion:

As attack tooling evolves rapidly, the security challenges facing the cryptocurrency sector are growing more severe. Microsoft's discovery is a wake-up call, reminding investors and everyday users to stay vigilant and protect their privacy and digital assets.

It is equally important for investors to take proactive measures, whether running antivirus software, choosing browser extensions carefully, or avoiding copying and pasting sensitive information when operating a wallet. In the world of cryptocurrency, security is always the first line of defense.

#cryptocurrency #malware #StilachiRAT #Microsoft