Microsoft has discovered a new remote access trojan (RAT), StilachiRAT, that targets cryptocurrency wallet extensions installed in the Google Chrome browser. The malware steals browser-stored credentials and wallet data, which can give attackers access to a victim's digital assets.
According to Microsoft’s cybersecurity team, StilachiRAT targets 20 different cryptocurrency wallet extensions, including MetaMask, Coinbase Wallet, Trust Wallet, OKX Wallet, Bitget Wallet, and Phantom.
How StilachiRAT Works
Microsoft researchers found that StilachiRAT uses obfuscation and anti-analysis techniques to evade detection and includes several mechanisms for harvesting sensitive data. Once a system is infected, the attackers can control it remotely.
The key functionalities of StilachiRAT include:
- System Information Collection. The malware gathers details about the operating system, hardware specifications, presence of a camera, active RDP sessions, and currently running applications.
- Cryptocurrency Wallet Data Theft. StilachiRAT checks Chrome's extension settings for the IDs of the targeted wallet extensions and attempts to extract private keys and other wallet data from them.
- Credential Theft. The Trojan extracts the master encryption key from Chrome's Local State file, decrypts it with the Windows Data Protection API (DPAPI) in the logged-on user's context, and uses it to decrypt the passwords saved in Chrome's password store. Any process running as the user can do this, which is why browser-saved passwords offer little protection against malware.
- Remote Administration. The Trojan connects to its command-and-control (C2) servers over TCP ports 53, 443 and 16000, allowing attackers to execute commands on the infected device.
- RDP Session Monitoring. StilachiRAT monitors active Remote Desktop Protocol (RDP) sessions and the foreground window, which could let attackers impersonate logged-on users and move laterally into corporate networks and sensitive systems.
- Clipboard Hijacking. The Trojan continuously reads the clipboard and pattern-matches its contents for cryptocurrency private keys, wallet addresses and passwords.
Which Wallet Extensions Are at Risk
According to analysts, StilachiRAT specifically targets Google Chrome users and attacks 20 popular cryptocurrency wallet extensions, including:
- MetaMask (Ethereum)
- Coinbase Wallet
- Trust Wallet
- OKX Wallet
- Bitget Wallet
- Phantom (Solana)
- BNB Chain Wallet
- Keplr (Cosmos)
- TronLink (Tron)
- TokenPocket
- Sui Wallet
- Math Wallet
- And other major Web3 wallets
Users of these wallets on an infected machine are therefore at risk of having their wallet data exposed and their assets stolen.
How StilachiRAT Infects Systems
Microsoft has not yet identified how StilachiRAT is delivered to victims. Based on how similar remote access trojans and infostealers spread, the likely channels are:
- Infected installation files of popular software
- Phishing websites that mimic legitimate crypto platforms
- Malicious links shared via email, social media, or messaging apps
A major concern is that StilachiRAT uses anti-detection and anti-forensics techniques, such as checking for running analysis tools and clearing event logs, to evade security software, making it a stealthy and persistent threat.
How to Protect Yourself from StilachiRAT
Microsoft recommends the following security measures to protect against StilachiRAT:
- Download software only from trusted sources. Avoid installing crypto wallets or browser extensions from unverified or unofficial websites.
- Keep antivirus software up to date. Microsoft Defender detects and blocks StilachiRAT; make sure your security software and its signatures are current.
- Do not save passwords in Google Chrome. Browser-saved credentials are protected only by the logged-on user's Windows credentials, so any malware running as that user can decrypt them. Use a password manager that requires a separate master password and encrypts its vault locally instead.
- Review wallet extension permissions. Check which permissions your crypto wallet extensions hold, remove extensions you no longer use, and prefer extensions installed from the Chrome Web Store.
- Monitor your system for suspicious activity. Look for unexpected processes and unexplained outbound connections, particularly non-DNS traffic on port 53 or connections to unknown hosts on ports 443 and 16000, the ports StilachiRAT uses for C2.
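The extension-review advice can be turned into a concrete self-check. The added Python example below (not Microsoft's code or any wallet vendor's) inventories the extensions recorded in a Chrome profile's Secure Preferences file, matches their names against the wallets named in this article, and flags permission patterns worth a second look: broad host access, clipboard reading, and extensions installed from outside the Chrome Web Store. The JSON is a constructed sample that follows the shape of Chrome's `extensions.settings` entries; the 32-letter extension IDs in it are placeholders, not the real IDs of those wallets. To run it against your own profile, load `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Secure Preferences` (the default Windows location) in place of the sample.

```python
import json

# Wallets named in the article as StilachiRAT targets (matched by name, case-insensitive).
TARGETED_WALLETS = [
    "MetaMask", "Coinbase Wallet", "Trust Wallet", "OKX Wallet", "Bitget Wallet",
    "Phantom", "BNB Chain Wallet", "Keplr", "TronLink", "TokenPocket", "Sui Wallet",
    "Math Wallet",
]

# Host patterns that grant an extension access to every site the user visits.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed sample in the shape of Chrome's extensions.settings. The IDs are
# placeholders and are NOT the real Chrome Web Store IDs of these wallets.
SAMPLE_SECURE_PREFERENCES = json.loads("""
{
  "extensions": {
    "settings": {
      "aaaabbbbccccddddeeeeffffgggghhhh": {
        "from_webstore": true, "state": 1,
        "manifest": {
          "name": "MetaMask", "version": "12.0.0", "manifest_version": 3,
          "permissions": ["storage", "unlimitedStorage", "notifications", "activeTab"],
          "host_permissions": ["http://localhost:8545/", "https://*.infura.io/"]
        }
      },
      "bbbbccccddddeeeeffffgggghhhhaaaa": {
        "from_webstore": true, "state": 1,
        "manifest": {
          "name": "Tab Tidy", "version": "2.1", "manifest_version": 3,
          "permissions": ["tabs"], "host_permissions": []
        }
      },
      "ccccddddeeeeffffgggghhhhaaaabbbb": {
        "from_webstore": false, "state": 1,
        "manifest": {
          "name": "Phantom", "version": "24.0.0", "manifest_version": 3,
          "permissions": ["storage", "alarms"], "host_permissions": ["<all_urls>"]
        }
      },
      "ddddeeeeffffgggghhhhaaaabbbbcccc": {
        "from_webstore": true, "state": 1,
        "manifest": {
          "name": "Trust Wallet", "version": "2.0", "manifest_version": 2,
          "permissions": ["storage", "clipboardRead", "https://*/*"]
        }
      }
    }
  }
}
""")


def installed_extensions(prefs: dict) -> list[dict]:
    """Flatten extensions.settings into one record per extension. Manifest v2 lists host
    patterns inside "permissions"; v3 moves them to "host_permissions"; both end up in
    host_permissions here so the review logic has one place to look."""
    records = []
    for ext_id, entry in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = entry.get("manifest") or {}
        perms = list(manifest.get("permissions", []))
        hosts = list(manifest.get("host_permissions", []))
        hosts += [p for p in perms if "://" in p or p == "<all_urls>"]
        perms = [p for p in perms if p not in hosts]
        records.append({
            "id": ext_id,
            "name": manifest.get("name", "<unknown>"),
            "version": manifest.get("version", "?"),
            "permissions": perms,
            "host_permissions": hosts,
            "from_webstore": bool(entry.get("from_webstore", False)),
            "enabled": entry.get("state") == 1,  # Chrome: 0 disabled, 1 enabled
        })
    return records


def find_wallet_extensions(prefs: dict, wallet_names=TARGETED_WALLETS) -> list[dict]:
    """Return installed extensions whose name matches one of the targeted wallets."""
    needles = [w.lower() for w in wallet_names]
    return [ext for ext in installed_extensions(prefs)
            if any(n in ext["name"].lower() for n in needles)]


def review_extension(ext: dict) -> list[str]:
    """Findings a user should look at before trusting a wallet extension."""
    findings = []
    if not ext["from_webstore"]:
        findings.append("sideloaded")         # not installed from the Chrome Web Store
    if any(h in BROAD_HOST_PATTERNS for h in ext["host_permissions"]):
        findings.append("broad_host_access")  # can read and modify every site
    if "clipboardRead" in ext["permissions"]:
        findings.append("clipboard_read")     # can read whatever you copy, keys included
    return findings


if __name__ == "__main__":
    for ext in find_wallet_extensions(SAMPLE_SECURE_PREFERENCES):
        flags = ", ".join(review_extension(ext)) or "no findings"
        print(f"{ext['name']:14s} v{ext['version']:<8s} {ext['id']}  {flags}")
```

A hit from `find_wallet_extensions` tells you that your profile is in the set this malware looks for; the findings tell you which of those extensions deserve a closer look. A sideloaded wallet extension in particular is worth verifying against the publisher's official install link, since an attacker-modified wallet build defeats every other precaution on this list.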
Microsoft security experts have emphasized that StilachiRAT is not yet widespread, but its evasion mechanisms indicate that it could become a larger threat in the future. Crypto wallet users should remain vigilant and implement strong security practices to mitigate the risk. If an infection is confirmed, treat every private key and seed phrase that was ever present on that machine as compromised and move the assets to new wallets created on a clean device.
Related news:
- Scammers Send Fake SMS in Binance’s Name – How to Stay Safe
- OnlyFans Star Amouranth Attacked at Gunpoint Over Cryptocurrency
- Scammers Use Fake Crypto Jobs to Spread GrassCall Malware and Steal Assets
This post is for informational purposes only and is not an advertisement or investment advice. Please do your own research before making any decisions.