
New Malware Draining Crypto Wallets Through Google Chrome

Published March 21, 2025

A new malware named StilachiRAT is targeting cryptocurrency users, specifically draining digital wallets by bypassing Google Chrome’s encryption and monitoring clipboard activity. Cybersecurity experts warn that this malware poses a significant threat to crypto holders, as it is designed to steal wallet credentials and financial data.

How StilachiRAT Works

StilachiRAT has been found to target over 20 different cryptocurrency wallet extensions, including major platforms such as Bitget Wallet (formerly BitKeep), Trust Wallet, MetaMask (Ethereum), Coinbase Wallet, and Phantom. By reading the data these extensions store, attackers can obtain private keys, seed phrases, and other sensitive information, and with it the users' funds.

What makes StilachiRAT particularly dangerous is its ability to bypass Chrome's encryption mechanisms. The malware reads Chrome's encryption key from the Local State file in the user's profile directory. Because that key has been stored in encrypted form since Chrome was installed, StilachiRAT calls Windows API functions to decrypt it in the current user's context. With the decrypted key, the attackers can recover the login credentials saved in the browser's password vault.

Once hackers hold those login credentials, they can abuse financial accounts well beyond cryptocurrency wallets, which widens the financial risk considerably.
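The key-theft step described above leaves a footprint a defender can look for: a process that is not the browser reading Chrome's Local State file or a profile's Login Data vault. The following Python detector is an added example, not code from this article or from any vendor's StilachiRAT analysis. It runs over constructed sample log lines in a simplified "timestamp|event|process image|file path" shape (not a real EDR or Sysmon export format), and the allowlist of processes permitted to touch those files is an assumption to be tuned per environment.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two profile files named in the text: "Local State" (holds the encrypted key)
# and the per-profile "Login Data" password vault.
SENSITIVE_FILE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:Local State|[^\\]+\\Login Data)$",
    re.IGNORECASE,
)

# Image names that legitimately open these files. Assumption: extend this for your
# own estate (backup agents, password managers) so the rule does not page on them.
ALLOWED_IMAGES = {"chrome.exe"}


@dataclass
class Alert:
    timestamp: str
    process: str
    path: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one 'timestamp|event|process image path|file path' record (constructed format)."""
    parts = line.rstrip("\r\n").split("|")
    if len(parts) != 4:
        return None
    timestamp, event, process, path = parts
    return timestamp, event, process, path


def detect_chrome_secret_access(log_text: str) -> List[Alert]:
    """Alert on any non-allowlisted process reading Chrome's key file or password store."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        timestamp, event, process, path = parsed
        if event != "FileRead" or not SENSITIVE_FILE_RE.search(path):
            continue
        image = process.rsplit("\\", 1)[-1].lower()
        if image in ALLOWED_IMAGES:
            continue
        alerts.append(Alert(timestamp, process, path))
    return alerts


# Constructed sample log: Chrome's own read is benign; an unknown "updater.exe" living in
# the user's roaming profile reading Local State and then Login Data is the stealer pattern.
SAMPLE_LOGS = r"""
2025-03-21T10:01:02Z|FileRead|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2025-03-21T10:03:15Z|FileRead|C:\Users\alice\AppData\Roaming\updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State
2025-03-21T10:03:16Z|FileRead|C:\Users\alice\AppData\Roaming\updater.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2025-03-21T10:05:00Z|FileRead|C:\Windows\System32\notepad.exe|C:\Users\alice\Documents\notes.txt
"""

if __name__ == "__main__":
    for a in detect_chrome_secret_access(SAMPLE_LOGS):
        print(f"{a.timestamp} {a.process} read {a.path}")
```

The rule deliberately keys on the file being read rather than on the malware's name, so it also catches other stealers that use the same Local State plus Login Data sequence; the cost is that any legitimate tool that reads those files must be added to the allowlist.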

Clipboard Monitoring and Transaction Interception

Another alarming capability of StilachiRAT is continuous clipboard monitoring. Many cryptocurrency users copy and paste wallet addresses when making transactions, and StilachiRAT watches the clipboard for exactly these addresses. When it recognizes a copied wallet address, the malware replaces it with an attacker-controlled address, so users may unknowingly send their crypto funds directly to cybercriminals.

This tactic is hard for victims to notice, because the swapped address pasted into the transaction looks like any other legitimate address. By the time users realize the mistake, the funds are often irreversibly lost.
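The swap described above has a recognizable shape from the defender's side: a wallet-address-looking clipboard value is replaced, within seconds, by a different address of the same chain, which a user copying deliberately would rarely do. The Python detector below is an added example, not code from this article or from any vendor analysis. It runs over a constructed sequence of clipboard snapshots, as a polling monitor would see them, and raises an alert on that pattern; the address regexes (shape only, no checksum), the 3-second window and the snapshot format are assumptions, and the two Bitcoin strings are widely published documentation example addresses. The same comparison is what the "verify wallet addresses" advice later in the article asks users to do by hand.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Loose shape checks for the two most common address formats (no checksum verification).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{38,59})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

# Assumption: two genuine user copies of different addresses rarely land this close together.
SWAP_WINDOW_SECONDS = 3.0


@dataclass
class Snapshot:
    t: float      # seconds since the monitor started
    text: str     # clipboard contents observed at time t


@dataclass
class SwapAlert:
    t: float
    chain: str
    original: str
    replacement: str


def classify(text: str) -> Optional[str]:
    """Return the chain whose address shape `text` matches, or None for non-address content."""
    text = text.strip()
    for chain, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return chain
    return None


def detect_swaps(snapshots: List[Snapshot]) -> List[SwapAlert]:
    """Flag an address that is replaced by a different same-chain address within the window."""
    alerts: List[SwapAlert] = []
    last: Optional[Tuple[float, str, str]] = None  # (t, chain, text) of the latest address seen
    for snap in snapshots:
        chain = classify(snap.text)
        if chain is None:
            last = None          # non-address content breaks the chain of comparison
            continue
        text = snap.text.strip()
        if last is not None:
            t0, chain0, text0 = last
            if chain0 == chain and text0 != text and snap.t - t0 <= SWAP_WINDOW_SECONDS:
                alerts.append(SwapAlert(snap.t, chain, text0, text))
        last = (snap.t, chain, text)
    return alerts


# Constructed sample: the user copies ETH address A, and 1.5 s later the clipboard silently
# holds a different ETH address B. Two BTC addresses copied 20 s apart are a normal sequence
# and must not alert.
ADDR_A = "0x" + "ab" * 20
ADDR_B = "0x" + "cd" * 20
SAMPLE_SNAPSHOTS = [
    Snapshot(0.0, "meeting notes for tomorrow"),
    Snapshot(1.0, ADDR_A),
    Snapshot(2.0, ADDR_A),
    Snapshot(2.5, ADDR_B),
    Snapshot(10.0, "some unrelated text"),
    Snapshot(20.0, "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"),
    Snapshot(40.0, "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
]

if __name__ == "__main__":
    for a in detect_swaps(SAMPLE_SNAPSHOTS):
        print(f"t={a.t:.1f}s {a.chain}: {a.original} -> {a.replacement}")
```

A real monitor would feed `detect_swaps` from the OS clipboard (on Windows the clipboard sequence number tells you when the contents changed) and, on an alert, restore the original address or warn the user before the transaction is signed. The window is the main tuning knob: too short misses slow swappers, too long produces noise from users who genuinely copy several addresses in a row.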

Establishing a Command-and-Control Connection

StilachiRAT also sets up a command-and-control (C2) connection, enabling attackers to execute commands remotely. Through this connection, hackers can manipulate system processes, maintain persistence, and evade detection. Even if users identify and remove the malware, the C2 connection allows attackers to reinfect the device or steal additional data.

How to Stay Safe from StilachiRAT

To mitigate the risk of this malware, cybersecurity experts recommend the following steps:

  • Use Trusted Security Solutions: Enable protections like Microsoft Defender to detect and block malware.
  • Avoid Suspicious Downloads: Only download software and browser extensions from official sources.
  • Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts.
  • Regularly Monitor Account Activity: Check for unauthorized transactions and report any suspicious activity immediately.
  • Verify Wallet Addresses: Always double-check copied wallet addresses before confirming a transaction.

Conclusion

As the cryptocurrency landscape continues to grow, so does the number of cyber threats. Malicious software like StilachiRAT highlights the importance of adopting robust cybersecurity practices. Staying vigilant, using reliable security tools, and verifying all financial transactions can go a long way in protecting your digital assets from cybercriminals.

Disclaimer:

This article is for informational purposes only and does not constitute financial or cybersecurity advice. Readers are advised to conduct their own research and seek professional assistance if they suspect any malicious activity on their devices.

Written By
Sudhanshu Shrivastav