StilachiRAT comes after your credentials and crypto wallet, warns Microsoft

Microsoft’s Incident Response team has identified an advanced remote access trojan (RAT) known as StilachiRAT, which poses a critical threat to system security and cryptocurrency assets. First spotted in November 2024, StilachiRAT has sophisticated evasion mechanisms and persistence mechanisms.

What can StilachiRAT do?

• Data stealing: Credential theft stored in web browsers, digital wallet information access, clipboard data grab, and gathering detailed system information. The stored credentials are extracted from the following locations: %LOCALAPPDATA%\Google\Chrome\User Data\Local State – stores Chrome’s configuration data, including the encrypted key – %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data – stores entered user credentials.
• System reconnaissance: Collecting operating system information, hardware identifiers like BIOS serial numbers, camera presence detection, active Remote Desktop Protocol (RDP) session monitoring, and detection of running graphical user interface (GUI) applications.
• Cryptocurrency targeting: Scanning for configuration information of 20 different cryptocurrency wallet extensions utilized in the Google Chrome browser, including popular wallets MetaMask and Coinbase Wallet. It checks the settings in the following registry key to see if any of the extensions are installed: \SOFTWARE\Google\Chrome\PreferenceMACs\Default\extensions.settings

StilachiRAT features two-way communication with its command-and-control server, enabling it to:

• Display dialog boxes with text from specified URLs.
• Clear event log entries to hide its existence.
• Initiate system shutdowns through unknown Windows APIs.
• Establish new network connections as directed by the C2 server.
• Run specified applications on the infected system.
• Enumerate open windows to search for specified title bar text.
• Put the system into sleep or hibernation modes.
• Anti-Forensic Measures

To evade detection, StilachiRAT also employs anti-forensic measures such as wiping the event logs and regularly scanning for analysis tools and sandbox environments to render malware analysis challenging.

Follow these steps to keep your data safe

Given the advanced nature of StilachiRAT, Microsoft advises users:

• Keep up-to-date security software: Maintain antivirus and anti-malware software up to date to identify and prevent infections.
• Exercise caution with unsolicited messages: To prevent phishing attacks, be cautious of random messages or emails, especially those containing links or attachments.
• Regularly check cryptocurrency wallets: If you hold cryptocurrency assets, you must check your wallets for suspicious transactions.

Microsoft also shared some general guidelines that can help you keep your data safe:

General hardening guidelines:

• Ensure that tamper protection is enabled in Microsoft Dender for Endpoint.
• Run endpoint detection and response in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus does not detect the threat or when Microsoft Defender Antivirus is running in passive mode.
• Configure investigation and remediation in full automated mode to let Microsoft Defender for Endpoint take immediate action on alerts to resolve breaches, significantly reducing alert volume.
• Turn on Potentially unwanted applications (PUA) protection in block mode in Microsoft Defender Antivirus. PUA are a category of software that can cause your machine to run slowly, display unexpected ads, or install other software that might be unexpected or unapproved.
• Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques.
• Turn on Microsoft Defender Antivirus real-time protection.