
Microsoft Warns of Trojan Targeting Cryptocurrency Wallets
Researchers from Microsoft Incident Response have identified a new remote access trojan (RAT) named StilachiRAT, aimed at stealing cryptocurrencies and user credentials.
The malware targets 20 cryptocurrency wallet extensions for Google Chrome, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, and Phantom. It also extracts and decrypts the logins and passwords saved in Chrome.
The trojan does not merely infect a device; it profiles it. It collects system information, including hardware details, active RDP sessions, and installed applications, and checks for connected cameras. It also records user activity, and everything collected is sent to a command-and-control server.
One of the key threats is its persistence mechanism: it manipulates Windows services to entrench itself in the system, which lets it keep control of the device for an extended period and complicates detection and removal.
StilachiRAT connects to remote command-and-control servers over TCP ports 53, 443, and 16000. Ports 53 and 443 are the standard DNS and HTTPS ports, so this traffic can blend in with normal outbound connections. Through this channel the attackers can execute commands, including rebooting the system, deleting logs, and manipulating the registry. To evade detection, the trojan uses anti-forensic tactics such as clearing event logs.
Microsoft rates StilachiRAT as a high risk. To reduce the likelihood of infection, it recommends downloading software only from official sources, using a web browser that supports SmartScreen, and enabling Safe Links in Office 365.
Users of Microsoft Defender XDR can consult the list of applicable detections, including TrojanSpy:Win64/Stilachi.A, and use hunting queries to identify related activity on their networks.
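The behaviours described above (persistence through Windows services, C2 over TCP 53/443/16000, and event-log clearing) can be hunted for outside Defender XDR as well. The script below is an added example written for this page; it is not Microsoft's published detection or its hunting queries, and it does not model the malware itself. It runs over constructed sample records shaped like Sysmon Event ID 3 (network connection), System log Event ID 7045 (new service installed) and Security log Event ID 1102 (audit log cleared). The process names, paths and service names are made up, and the list of images allowed to speak TCP/53 is an assumption for a typical workstation.

```python
"""Hunting heuristics for StilachiRAT-style behaviour (added example, not
Microsoft's detections). Input records are constructed and embedded below."""
import re
from collections import defaultdict

# Ports the article attributes to the C2 channel. 443 is too common to flag on
# its own; it only counts as supporting evidence for an image that also shows
# another indicator.
C2_PORTS = {53, 443, 16000}
# Assumption: on a workstation the DNS client runs inside svchost.exe; a DNS
# server would add dns.exe. Anything else speaking TCP/53 is worth a look.
DNS_CAPABLE = {"svchost.exe", "dns.exe"}
# Service binaries should not normally live in user-writable locations.
USER_WRITABLE = re.compile(r"^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def network_findings(events):
    """Map image path -> sorted reasons, from Sysmon-3-like records."""
    hits = defaultdict(set)
    for ev in events:
        if ev["proto"] != "tcp" or ev["dst_port"] not in C2_PORTS:
            continue
        img = ev["image"]
        if ev["dst_port"] == 53 and basename(img) not in DNS_CAPABLE:
            hits[img].add("tcp/53 from non-DNS process")
        elif ev["dst_port"] == 16000:
            hits[img].add("tcp/16000 outbound")
        elif ev["dst_port"] == 443:
            hits[img].add("tcp/443 outbound")  # supporting evidence only
    # Drop images whose only evidence is ordinary HTTPS traffic.
    return {img: sorted(r) for img, r in hits.items()
            if any(not x.startswith("tcp/443") for x in r)}


def host_findings(events):
    """Flag new services installed from user-writable paths (7045) and
    event-log clearing (1102 Security, 104 System)."""
    findings = []
    for ev in events:
        if ev["event_id"] == 7045 and USER_WRITABLE.match(ev["image_path"]):
            findings.append(f"service {ev['service_name']} installed from {ev['image_path']}")
        elif ev["event_id"] in (1102, 104):
            findings.append(f"event log cleared (id {ev['event_id']}) by {ev.get('user', '?')}")
    return findings


def hunt(network, winlog):
    """Per-process network indicators plus host-level persistence/anti-forensics."""
    return {"processes": network_findings(network), "host": host_findings(winlog)}


# Constructed sample telemetry (not real captures). wwupd.exe and WinUpdSvc are
# hypothetical names chosen for the example.
SAMPLE_NETWORK = [
    {"image": r"C:\Windows\System32\svchost.exe", "proto": "tcp", "dst_port": 53},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "proto": "tcp", "dst_port": 443},
    {"image": r"C:\Users\alice\AppData\Local\Temp\wwupd.exe", "proto": "tcp", "dst_port": 53},
    {"image": r"C:\Users\alice\AppData\Local\Temp\wwupd.exe", "proto": "tcp", "dst_port": 16000},
    {"image": r"C:\Users\alice\AppData\Local\Temp\wwupd.exe", "proto": "tcp", "dst_port": 443},
]
SAMPLE_WINLOG = [
    {"event_id": 7045, "service_name": "WinUpdSvc", "image_path": r"C:\Users\alice\AppData\Local\Temp\wwupd.exe"},
    {"event_id": 7045, "service_name": "Spooler", "image_path": r"C:\Windows\System32\spoolsv.exe"},
    {"event_id": 1102, "user": "alice"},
]

if __name__ == "__main__":
    for img, reasons in hunt(SAMPLE_NETWORK, SAMPLE_WINLOG)["processes"].items():
        print(img, "->", ", ".join(reasons))
    for line in hunt(SAMPLE_NETWORK, SAMPLE_WINLOG)["host"]:
        print("host ->", line)
```

The per-process grouping is the point: a single TCP/443 connection is noise, but the same binary under a user's Temp directory talking TCP/53 and TCP/16000, registered as a service, and followed by a Security-log clear is a chain that matches the article's description and is worth escalating. On a real host the records would come from Sysmon or a Windows Event Forwarding collector rather than the inline lists.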
In a comment to ForkLog, representatives of the Bitget cryptocurrency exchange clarified that they have not found vulnerabilities in Bitget Wallet related to StilachiRAT. Nevertheless, they urged users to “take proactive measures to protect their assets.”
“To enhance the security level of Bitget Wallet, we recommend users exercise caution when clicking on links and downloading files, avoid copying and pasting private keys, enable biometric authentication, regularly update antivirus software — including Windows Defender, which now detects Win64/Stilachi.A — and always verify wallet addresses before confirming transactions to prevent clipboard data interception,” Bitget emphasized.
Earlier, on December 16, 2024, a SlowMist researcher reported that the code of the macOS Stealer trojan, which targets bitcoin wallets, had been leaked publicly. According to the researcher, the malware had effectively become free and could now be used by a larger number of attackers.