Posted on January 6, 2021 at 2:27 PM
Security researchers at Intezer have discovered a large-scale malware operation that targets cryptocurrency users using a new RAT named ElectroRAT.
The researchers discovered this operation on December 4, although the operation has been active since January last year, according to the report.
The campaign appears sophisticated: a fully fledged marketing effort promoting fake crypto-related applications that carry the ElectroRAT remote access trojan.
ElectroRAT is written in Go (Golang) and designed to target multiple operating systems, including macOS, Linux, and Windows, according to the Intezer researchers.
Attack technique is rare
The researchers also stated that it is not rare to see information stealers trying to steal victims' private keys in order to access their crypto wallets. What they do not commonly see is threat actors building fresh tools from scratch and using them to target several operating systems.
Most tools are designed for a specific operating system and may not work on others. The researchers were therefore surprised that the new ElectroRAT tool is built to target multiple operating systems, which makes it especially dangerous.
Malware has hidden operational capabilities
Once the malicious app is installed, it presents a genuine-looking user interface. In reality, the ElectroRAT malware runs unnoticed in the background under the name “mdworker”, from where it receives and executes the attacker's commands on the victim's system.
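Because the report says the RAT hides under the name “mdworker” (the name of Apple's Spotlight indexing worker on macOS) while also shipping Linux and Windows builds, one cheap triage check is to flag any process with that name on a non-macOS host, or on macOS when it runs from outside Apple's framework directory. The following is an added illustration, not Intezer's or the malware's code; the legitimate CoreServices path prefix and the process snapshot are assumptions and constructed sample data.

```python
"""Triage helper: flag processes masquerading as macOS's Spotlight "mdworker".

Added example (not from the Intezer report). Assumption: genuine mdworker and
mdworker_shared binaries live under Apple's CoreServices framework directory;
on Linux and Windows no such Apple process exists, so any "mdworker" is suspect.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed legitimate location of Apple's Spotlight indexer binaries.
APPLE_MDWORKER_DIR = "/System/Library/Frameworks/CoreServices.framework/"

MDWORKER_NAME = re.compile(r"mdworker(_shared)?(\.exe)?", re.IGNORECASE)


@dataclass
class Proc:
    host: str
    platform: str  # "macos", "linux" or "windows"
    name: str
    path: str
    user: str


def is_suspicious(p: Proc) -> Optional[str]:
    """Return a reason if this process looks like a masquerading mdworker, else None."""
    if not MDWORKER_NAME.fullmatch(p.name):
        return None
    if p.platform != "macos":
        return f"{p.name} on {p.platform}: Apple's Spotlight worker does not exist on this OS"
    if not p.path.startswith(APPLE_MDWORKER_DIR):
        return f"mdworker running from unexpected path {p.path}"
    return None


def triage(procs: List[Proc]) -> Dict[str, List[str]]:
    """Group findings by host so an analyst can pivot straight to the machine."""
    findings: Dict[str, List[str]] = {}
    for p in procs:
        reason = is_suspicious(p)
        if reason:
            findings.setdefault(p.host, []).append(reason)
    return findings


# Constructed process snapshot: one genuine worker, two masqueraders, one unrelated process.
SAMPLE = [
    Proc("mac-01", "macos", "mdworker_shared", APPLE_MDWORKER_DIR + "Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared", "alice"),
    Proc("mac-02", "macos", "mdworker", "/Users/bob/Downloads/mdworker", "bob"),
    Proc("win-07", "windows", "mdworker.exe", "C:\\Users\\carol\\AppData\\Local\\Temp\\mdworker.exe", "carol"),
    Proc("lnx-03", "linux", "bash", "/usr/bin/bash", "dave"),
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE).items():
        print(host, reasons)
```

Feed it a real process inventory (host, OS, image name, image path) exported from an EDR or from `ps`/`tasklist` output and review the flagged hosts first.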
Another interesting point is that the Golang malware used in the attack had not been seen before. As a result, security products may not know how to handle the malware even once it is discovered.
Being new has allowed the malware to stay under the radar for more than a year while evading all antivirus detection.
Victims urged to delete all malware-infected files
The researchers have asked users who have fallen victim to the campaign to delete all files linked to the malware and kill all related processes. They should also change their passwords and move their funds to a new wallet address.
According to Intezer Labs, the hackers used three cryptocurrency-related fake applications to carry out their scheme. The apps include DaoPoker, eTrader, and Jamm, which were hosted on dedicated sites at daopker[.]com, kintum[.]io, and jamm[.]to respectively.
The first app claims to be a cryptocurrency poker app, while the other two claim to offer a simple cryptocurrency trading platform.
Each of the developed fake apps has a Mac, Linux, and Windows version with its binaries hosted on sites specifically launched for the malware campaign.
The hackers even advertised the apps on several blockchain and crypto-related forums such as SteemCoinPan and bitcointalk.
The hackers also created Telegram and Twitter profiles for the “DaoPoker” app and employed a social media influencer to promote the app on social media platforms.
Once the application is on the victim's computer, its convincing user interface keeps the victim from suspecting that it is malware.
ElectroRAT has several capabilities
The researchers said ElectroRAT is highly intrusive and has several capabilities on the victim's computer. It can execute commands on the victim's console, download files, upload files from disk, take screenshots, and perform keylogging.
The worst part is the fact that the malware can steal all funds from any wallet stored on the victim’s computer.
Intezer Labs researchers said the attackers are using the malware to drain victims’ accounts by stealing their cryptocurrency wallet keys.
Thousands of users already infected
The researchers analyzed unique visitors to the Pastebin pages the malware uses to locate its C2 servers and found that it had already compromised thousands of victims' wallets.
Because of this design, in which each infected machine retrieves the address of its command-and-control server from Pastebin, the researchers believe the hackers have already infected more than 6,000 users, based on the number of times the Pastebin URLs were accessed.
The researchers have also advised crypto users who lost funds but could not identify the source of the compromise to check whether they have installed any of the three malicious apps.