Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs


Microsoft Incident Response has identified a new remote access trojan (RAT) that is capable of stealing a wide variety of information from your computer, from passwords and cryptocurrency wallet information to operating system details, device identifiers, and even camera presence data.

The most sophisticated – and perhaps the most alarming – feature of this new malware is its ability to use watchdog threads to ensure self-reinstatement if removed. Basically, it can reinstall itself.

As reported by BleepingComputer, StilachiRAT is used to steal digital wallet data from multiple cryptocurrency wallets including Coinbase Wallet, Phantom, Trust Wallet, Metamask, OKX Wallet, Bitget Wallet and up to 20 others.

The malware also has sophisticated reconnaissance abilities and is able to steal information from an infected PC including credentials stored in your browser, clipboard data, system information, hardware identifiers, camera presence, active Remote Desktop Protocol (RDP) sessions, and running GUI-based applications.

StilachiRAT can extract credentials from Google Chrome's local state file using Windows APIs, monitor clipboard activity for password information and crypto keys, and track active windows or applications. It uses the Windows service control manager (SCM) to maintain persistence and reinstalls itself automatically when the malware notices its binaries are no longer active.

At the same time, StilachiRAT can monitor active RDP sessions by impersonating logged-in users. It does this by capturing information from foreground windows and then cloning security tokens. This allows attackers to move laterally through a victim’s network after the malware has been deployed on RDP servers that usually host admin sessions.

StilachiRAT can also evade detection and has anti-forensics features, such as the ability to clear event logs and check for signs that it's running in a sandbox in order to block malware analysis attempts. If it's tricked into running in a sandbox, the RAT’s API calls are encoded to slow down further analysis.
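Two of the behaviours described above (a service registered with the SCM that gets re-created when its binary disappears, and event logs being cleared) both leave traces in the standard Windows event logs, so a defender can hunt for them without knowing the malware's file names. The script below is an added example written for this article; it is not code from Microsoft's report or from the RAT itself. It assumes the events have already been exported as dictionaries with an ISO timestamp and an event ID, and every service name, path and timestamp in the sample data is constructed for illustration. The event IDs are the real Windows ones: 7045 (System log, "a service was installed"), 1102 (Security log cleared) and 104 (System log cleared).

```python
"""Hunt exported Windows event records for SCM-based persistence and log clearing.

Added example, not part of the original article. Sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Directories from which a freshly installed service binary is normally expected.
# Anything installed from elsewhere (user profile, Public, Temp, ...) is worth a look.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed sample events (not real telemetry). Service name and path are made up.
SAMPLE_EVENTS = [
    {"ts": "2025-03-17T09:00:01", "id": 7045, "channel": "System",
     "service": "ExampleSvc", "image": "C:\\Users\\Public\\Libraries\\example.exe"},
    {"ts": "2025-03-17T09:05:12", "id": 1102, "channel": "Security", "user": "admin"},
    # Same service name appears again half an hour later: watchdog re-creating it.
    {"ts": "2025-03-17T09:30:44", "id": 7045, "channel": "System",
     "service": "ExampleSvc", "image": "C:\\Users\\Public\\Libraries\\example.exe"},
    # Benign-looking install from a trusted root, should not be flagged.
    {"ts": "2025-03-17T10:00:00", "id": 7045, "channel": "System",
     "service": "VendorUpdater", "image": "\"C:\\Program Files\\Vendor\\updater.exe\""},
]


def _in_trusted_root(image_path):
    """True if the (possibly quoted) service image path starts under a trusted root."""
    p = image_path.strip().strip('"').lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def hunt(events, reinstall_window=timedelta(hours=24)):
    """Return a list of findings, one dict per suspicious event, in time order.

    Rules:
      service-from-untrusted-path  7045 whose image path is outside TRUSTED_ROOTS
      service-reinstalled          the same service name installed twice within the window
      log-cleared                  1102 (Security) or 104 (System) log-cleared events
    """
    findings = []
    installs = defaultdict(list)  # service name -> timestamps of 7045 events seen so far
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["id"] == 7045:
            if not _in_trusted_root(e["image"]):
                findings.append({"rule": "service-from-untrusted-path", "ts": e["ts"],
                                 "service": e["service"], "image": e["image"]})
            previous = installs[e["service"]]
            if previous and ts - previous[-1] <= reinstall_window:
                findings.append({"rule": "service-reinstalled", "ts": e["ts"],
                                 "service": e["service"],
                                 "previous": previous[-1].isoformat()})
            previous.append(ts)
        elif e["id"] in (1102, 104):
            findings.append({"rule": "log-cleared", "ts": e["ts"],
                             "channel": e["channel"], "user": e.get("user")})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

On the sample data the hunt flags the untrusted-path install twice, the Security log clearing, and the repeat install of the same service name; the install from Program Files is left alone. In practice the reinstall rule is the interesting one: a service that keeps coming back after an analyst deletes its binary is exactly the watchdog behaviour the article describes, and it shows up as repeated 7045 events for one service name.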

The StilachiRAT malware was first discovered back in November of last year. In a new blog post though, Microsoft says it has not yet reached widespread distribution, and that it doesn't have any information on a specific threat actor or a particular location of origin.

How to stay safe from StilachiRAT


In order to avoid infection from this RAT, Microsoft’s advice is pretty simple: Make sure to only download software from official websites and use security software that can block malicious domains and email attachments.

That means you should install the best antivirus software on your PC and make sure you're keeping it up to date. You also want to know the common signs of phishing attacks such as misspelled domain names or email signatures, attachments from unknown senders, or messages that contain a sense of urgency or even threats of a legal nature that encourage you to click or download something.

Never click on something you weren't expecting, don't recognize, or can't identify the sender of; when in doubt, contact the sender in a separate message or email. If a domain name or URL seems suspicious, go to the site directly by typing its address into the browser instead of clicking on a link. You can also use a VPN to protect your privacy further and a password manager to keep your passwords safe.

New malware strains like this one are created every day, but by practicing good cyber hygiene and staying up to date on the latest attack methods, you can avoid falling victim to StilachiRAT and other online threats.

Amber Bouman
Senior Editor Security

Amber Bouman is the senior security editor at Tom's Guide where she writes about antivirus software, home security, identity theft and more. She has long had an interest in personal security, both online and off, and also has an appreciation for martial arts and edged weapons. With over two decades of experience working in tech journalism, Amber has written for a number of publications including PC World, Maximum PC, Tech Hive, and Engadget covering everything from smartphones to smart breast pumps. 
