Microsoft Uncovers StilachiRAT: A New Remote Access Trojan Targeting Cryptocurrency Wallets
In a blog post released by Microsoft’s Incident Response Team yesterday, a new type of remote access Trojan called StilachiRAT was revealed. This malware has multiple data theft capabilities, including the ability to retrieve user credentials stored in browsers, steal cryptocurrency wallet information, monitor and extract clipboard data, and more. It has been discovered to target cryptocurrency wallet extensions within the Chrome browser, affecting up to 20 popular Chrome wallet extensions, including OKX Wallet and MetaMask.
On March 17, tech giant Microsoft published an announcement revealing a new remote access Trojan named StilachiRAT. This malicious software can target cryptocurrency wallet extensions within the Chrome browser, potentially affecting up to 20 major wallet extensions used by Chrome.
Wallets Affected Include OKX, MetaMask, and More
According to a report posted by Microsoft’s Incident Response Team, StilachiRAT was first discovered in November of last year and is capable of stealing multiple types of data. These include retrieving user credentials saved in browsers, stealing cryptocurrency wallet information, monitoring and extracting clipboard data, and more.
Once StilachiRAT is running, it scans the device to determine whether any of 20 cryptocurrency wallet extensions, such as Coinbase Wallet, Trust Wallet, MetaMask, or OKX Wallet, are installed. When it finds one, it begins stealing data from that wallet.
The 20 affected wallet extensions are:
- Bitget Wallet
- Trust Wallet
- TronLink
- MetaMask (Ethereum)
- TokenPocket
- BNB Chain Wallet
- OKX Wallet
- Sui Wallet
- Braavos
- Coinbase Wallet
- Leap Cosmos Wallet
- Manta Wallet
- Keplr
- Phantom
- Compass Wallet
- Math Wallet
- Fractal Wallet
- Station Wallet
- ConfluxPortal
- Plug
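Because the Trojan starts by checking which of these extensions are present, a defender's first question is the same one: which wallet extensions are installed on the machines I manage? The following Python script, an added example that is not from the article or from Microsoft's report, inventories Chrome extensions by reading each extension's manifest.json and flags any whose display name matches the 20 wallets listed above. It assumes the standard Chrome profile layout on Windows (Extensions/<id>/<version>/manifest.json); the extension IDs in the built-in sample profile are made up for offline demonstration, and name matching is a heuristic, since a production audit should pin the real Web Store extension IDs instead.

```python
import json
import os
import tempfile
from pathlib import Path

# The 20 wallet extensions named in the article.
WALLET_NAMES = [
    "Bitget Wallet", "Trust Wallet", "TronLink", "MetaMask", "TokenPocket",
    "BNB Chain Wallet", "OKX Wallet", "Sui Wallet", "Braavos", "Coinbase Wallet",
    "Leap Cosmos Wallet", "Manta Wallet", "Keplr", "Phantom", "Compass Wallet",
    "Math Wallet", "Fractal Wallet", "Station Wallet", "ConfluxPortal", "Plug",
]


def default_chrome_extension_dir() -> Path:
    """Extensions folder of the default Chrome profile on Windows.
    Assumption: a standard per-user install; other profiles or OSes use other paths."""
    return (Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome"
            / "User Data" / "Default" / "Extensions")


def _display_name(version_dir: Path, raw: str) -> str:
    """Resolve an i18n placeholder such as '__MSG_appName__' through the
    English messages file; fall back to the raw string when that fails."""
    if raw.startswith("__MSG_") and raw.endswith("__"):
        key = raw[len("__MSG_"):-2]
        messages = version_dir / "_locales" / "en" / "messages.json"
        try:
            table = json.loads(messages.read_text(encoding="utf-8"))
            return str(table[key]["message"])
        except (OSError, ValueError, KeyError, TypeError):
            return raw
    return raw


def installed_extensions(ext_dir: Path) -> list:
    """Walk <ext_dir>/<id>/<version>/manifest.json and return one record per
    installed extension version: {'id', 'version', 'name'}."""
    records = []
    if not ext_dir.is_dir():
        return records
    for id_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in id_dir.iterdir() if p.is_dir()):
            manifest = version_dir / "manifest.json"
            if not manifest.is_file():
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip it, do not abort the audit
            name = _display_name(version_dir, str(data.get("name", "")))
            records.append({"id": id_dir.name, "version": version_dir.name, "name": name})
    return records


def wallet_extensions(records) -> list:
    """Names from the article's list that appear among the records.
    Case-insensitive substring match on the display name (heuristic)."""
    hits = set()
    for rec in records:
        shown = rec["name"].lower()
        for wallet in WALLET_NAMES:
            if wallet.lower() in shown:
                hits.add(wallet)
    return sorted(hits)


def audit(ext_dir: Path) -> list:
    """Which of the 20 wallets are installed under ext_dir."""
    return wallet_extensions(installed_extensions(ext_dir))


def build_sample_profile(root: Path) -> Path:
    """Construct a fake Extensions folder for offline demonstration.
    The 32-character IDs below are made up; they are not real Web Store IDs."""
    ext_dir = root / "Extensions"
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": ("11.0.0", {"name": "MetaMask"}, None),
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": ("1.2.3", {"name": "__MSG_appName__"},
                                             {"appName": {"message": "Phantom"}}),
        "cccccccccccccccccccccccccccccccc": ("0.9.0", {"name": "Constructed Tab Manager"}, None),
    }
    for ext_id, (version, manifest, messages) in samples.items():
        vdir = ext_dir / ext_id / version
        vdir.mkdir(parents=True, exist_ok=True)
        (vdir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        if messages is not None:
            ldir = vdir / "_locales" / "en"
            ldir.mkdir(parents=True, exist_ok=True)
            (ldir / "messages.json").write_text(json.dumps(messages), encoding="utf-8")
    return ext_dir


def demo() -> list:
    """Build the constructed profile in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit(build_sample_profile(Path(tmp)))


if __name__ == "__main__":
    print("sample profile:", demo())                       # ['MetaMask', 'Phantom']
    print("this machine:", audit(default_chrome_extension_dir()))
```

Run it on a workstation and the second line tells you which of the targeted wallets are actually present; run it across a fleet and you know where a StilachiRAT infection would have something to steal. The i18n lookup matters in practice, because many store extensions declare their name as a `__MSG_...__` placeholder rather than a literal string.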
In addition to directly stealing wallet information, StilachiRAT can also:
- Extract saved credentials from Google Chrome’s local state files
- Monitor clipboard activity
- Intercept sensitive information such as passwords and cryptographic keys
- Use anti-detection techniques such as clearing event logs and detecting sandbox environments to avoid security analysis
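Of the anti-detection techniques listed, clearing event logs is the one that leaves its own trace: Windows records the clearing of the Security log as event ID 1102 and the clearing of the System (or another) log as event ID 104, both from the Microsoft-Windows-Eventlog provider. The Python below is an added example, not from the article or from Microsoft's report, that runs this detection over a constructed JSON-lines export of Windows events (the field names TimeCreated, Channel, EventID, Computer and SubjectUserName mirror common exports but are an assumption here). It raises the severity when two logs on the same host are cleared within a few minutes of each other, which is the signature of a tool wiping its tracks rather than an administrator tidying one log.

```python
import json
from datetime import datetime, timedelta

# Events Windows itself writes when a log is cleared (provider Microsoft-Windows-Eventlog):
#   Security log, event ID 1102: "The audit log was cleared"
#   System log,   event ID 104:  "The <name> log file was cleared"
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample export, one JSON record per line (not real telemetry).
SAMPLE_EVENTS = """\
{"TimeCreated": "2025-03-17T09:58:01Z", "Channel": "Security", "EventID": 4624, "Computer": "WS01", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-17T10:02:44Z", "Channel": "Security", "EventID": 1102, "Computer": "WS01", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-17T10:02:45Z", "Channel": "System", "EventID": 104, "Computer": "WS01", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-17T10:03:10Z", "Channel": "Application", "EventID": 1000, "Computer": "WS01", "SubjectUserName": "alice"}
{"TimeCreated": "2025-03-17T11:15:00Z", "Channel": "System", "EventID": 104, "Computer": "WS02", "SubjectUserName": "SYSTEM"}
"""


def parse_events(text: str) -> list:
    """Parse JSON-lines records, converting TimeCreated to a datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["TimeCreated"] = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def find_log_clearing(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """One alert per log-cleared event, in input order.

    Severity is 'high' when another log on the same host was cleared within
    `window` (several logs wiped together), otherwise 'medium'."""
    clears = [e for e in events if (e.get("Channel"), e.get("EventID")) in LOG_CLEARED]
    alerts = []
    for e in clears:
        related = [
            o for o in clears
            if o is not e
            and o["Computer"] == e["Computer"]
            and abs(o["TimeCreated"] - e["TimeCreated"]) <= window
        ]
        alerts.append({
            "host": e["Computer"],
            "time": e["TimeCreated"].isoformat(),
            "log": e["Channel"],
            "event_id": e["EventID"],
            "by": e.get("SubjectUserName", "?"),
            "severity": "high" if related else "medium",
        })
    return alerts


def scan(text: str) -> list:
    """Parse an export and return the log-clearing alerts found in it."""
    return find_log_clearing(parse_events(text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['host']} "
              f"{alert['log']} log cleared (ID {alert['event_id']}) by {alert['by']}")
```

On the sample this yields two high-severity alerts for WS01 (Security and System cleared one second apart) and one medium-severity alert for WS02. Because the clearing event is written into the freshly emptied log, it survives the wipe on the host; forwarding logs to a central collector is still what preserves everything that came before it.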
Currently, StilachiRAT Has Not Spread Widely
Additionally, Microsoft has stated that the identity of the developers behind this malicious software is still unknown. However, based on existing monitoring data, StilachiRAT has not spread on a large scale. Nevertheless, due to the Trojan’s stealthy nature and the rapidly evolving landscape of malicious software, the Microsoft team decided to publicly share this information:
“Given StilachiRAT’s high degree of stealth and the rapidly changing nature of the malware ecosystem, we have decided to publicly share these findings as part of our ongoing effort to monitor, analyze, and report on the evolving threat landscape.”
Security Recommendations from Microsoft:
- Install and keep antivirus software updated
- Enable cloud-based anti-phishing and anti-malware protection
- Regularly check the security status of your devices
In the dark corners of the cryptocurrency world, cases of user accounts being hacked are frequent. We remind readers not to grant wallet permissions casually, avoid clicking on suspicious links, and regularly check their computer security. Always stay security-conscious when interacting with wallets.