Cryptocurrency Malware Targeting Chrome

Microsoft's Incident Response team has uncovered a sophisticated new threat targeting digital currency holders. Identified in November 2024, StilachiRAT operates as a novel remote access trojan with advanced evasion capabilities, specifically designed to compromise cryptocurrency wallets. The malware functions through a DLL module named "WWStartupCtrl64.dll," though researchers have not yet determined its precise delivery mechanism.

StilachiRAT primarily targets Google Chrome browser extensions for cryptocurrency wallets, focusing on 20 specific extensions including popular options like Bitget, Trust Wallet, and MetaMask. Beyond wallet access, the malware also harvests Chrome-stored credentials, passwords, clipboard content, and detailed system information. This comprehensive data collection enables threat actors to potentially gain complete control over victims' cryptocurrency assets. Security experts strongly recommend memorizing critical passwords rather than saving them in browsers to enhance protection against such threats.

The sophisticated malware targets 20 cryptocurrency wallet extensions, harvesting credentials and system data to enable complete asset control by attackers.

The malware employs several techniques to gather sensitive information. It uses Component Object Model (COM) interfaces and WMI Query Language (WQL) for system reconnaissance, and it extracts and decrypts credentials saved in Chrome. StilachiRAT also monitors clipboard content, tracks RDP sessions, and captures foreground window information to identify cryptocurrency-related activity. Field Effect's Security Intelligence team has implemented detection signatures to provide early warning of potential infections.

Communication with command and control servers enables StilachiRAT to exfiltrate stolen data and receive operational instructions. The malware supports ten different commands for system manipulation, including displaying dialog boxes with remotely supplied HTML content and shutting down systems using undocumented Windows APIs. The threat is particularly dangerous for hot wallets due to their constant internet connection, making them more vulnerable than cold storage solutions.

Security researchers note that StilachiRAT employs multiple anti-detection strategies, including clearing event logs, repeatedly checking for analysis tools, and deliberately delaying its network connections to evade security monitoring. These techniques are aimed at preventing the malware from activating inside the virtual environments commonly used for malware analysis.
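Of the evasion techniques above, event-log clearing is the one that leaves its own trace: the Windows Eventlog service records Security event 1102 when the audit log is wiped and System event 104 when any other log is cleared. The script below is an added example for defenders, not code from the article or from Microsoft's report. It assumes records exported in the shape `Get-WinEvent | ConvertTo-Json` produces (Id, LogName, ProviderName, TimeCreated, Message); the sample records embedded in it are constructed for illustration, and the message-text patterns it parses are assumptions about the event wording rather than a guaranteed format.

```python
"""Detect Windows event-log clearing in exported event records.

Added example (not from the original article or Microsoft's write-up).
Assumes records in the shape produced by `Get-WinEvent | ConvertTo-Json`
(Id, LogName, ProviderName, TimeCreated, Message); the sample records
below are constructed, not real telemetry.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# (LogName, EventId) pairs written by the Eventlog service when a log is wiped:
#   Security 1102 "The audit log was cleared"        (the Security log itself)
#   System   104  "The <name> log file was cleared"  (any other log)
LOG_CLEARED_EVENTS = {("Security", 1102), ("System", 104)}

# Constructed sample export: a normal logon, then several logs wiped within a
# second of each other, then ordinary service noise.
SAMPLE_EXPORT = json.dumps([
    {"Id": 4624, "LogName": "Security", "ProviderName": "Microsoft-Windows-Security-Auditing",
     "TimeCreated": "2024-11-12T09:01:03", "Message": "An account was successfully logged on."},
    {"Id": 1102, "LogName": "Security", "ProviderName": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2024-11-12T09:14:55",
     "Message": "The audit log was cleared.\r\nSubject:\r\n\tAccount Name:\t\tsvc_host"},
    {"Id": 104, "LogName": "System", "ProviderName": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2024-11-12T09:14:56", "Message": "The Application log file was cleared."},
    {"Id": 104, "LogName": "System", "ProviderName": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2024-11-12T09:14:56", "Message": "The System log file was cleared."},
    {"Id": 7036, "LogName": "System", "ProviderName": "Service Control Manager",
     "TimeCreated": "2024-11-12T09:15:10", "Message": "The Windows Update service entered the running state."},
])


@dataclass(frozen=True)
class Finding:
    time: datetime
    event_id: int
    cleared_log: str   # which log was wiped
    actor: str         # account named in the event, if any


def load_events(text: str) -> list[dict]:
    """Parse a JSON export; ConvertTo-Json emits a bare object for a single event."""
    data = json.loads(text)
    return data if isinstance(data, list) else [data]


def find_log_clearing(events: list[dict]) -> list[Finding]:
    """Return one Finding per log-clearing event, in time order."""
    findings = []
    for ev in events:
        if (ev.get("LogName"), ev.get("Id")) not in LOG_CLEARED_EVENTS:
            continue
        msg = ev.get("Message", "")
        if ev["Id"] == 1102:
            cleared = "Security"
        else:
            # Assumed message wording for event 104; fall back to "unknown".
            m = re.search(r"The (\S+) log file was cleared", msg)
            cleared = m.group(1) if m else "unknown"
        actor_m = re.search(r"Account Name:\s*(\S+)", msg)
        actor = actor_m.group(1) if actor_m else "unknown"
        findings.append(Finding(datetime.fromisoformat(ev["TimeCreated"]), ev["Id"], cleared, actor))
    findings.sort(key=lambda f: f.time)
    return findings


def max_logs_cleared_in_window(findings: list[Finding],
                               window: timedelta = timedelta(seconds=60)) -> int:
    """Largest number of distinct logs wiped inside any span of length `window`.

    One cleared log may be admin housekeeping; several distinct logs wiped
    within a minute is the anti-forensics pattern worth escalating.
    """
    best = 0
    for i, start in enumerate(findings):
        logs = {f.cleared_log for f in findings[i:] if f.time - start.time <= window}
        best = max(best, len(logs))
    return best


def triage(text: str) -> dict:
    """Summarise an export: which logs were cleared, by whom, and how urgent it is."""
    findings = find_log_clearing(load_events(text))
    burst = max_logs_cleared_in_window(findings)
    return {
        "cleared": [f.cleared_log for f in findings],
        "actors": sorted({f.actor for f in findings}),
        "severity": "high" if burst >= 2 else ("medium" if burst == 1 else "none"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2))
```

The burst window is the part worth tuning: a lone 1102 from an administrator's account during a maintenance window is common, whereas Security, Application and System being wiped in the same minute by a service account is the pattern to alert on, ideally correlated with the RDP-session and clipboard activity the article describes.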

To mitigate the risks associated with StilachiRAT, experts recommend not storing critical credentials in the Chrome browser, implementing robust defenses against remote access trojans, keeping systems fully patched, and using reputable anti-malware solutions.

For those with significant cryptocurrency holdings, hardware wallets represent a more secure alternative to browser-based storage methods.
