Hackers target cryptocurrency users with new ElectroRAT malware


Image: Intezer Labs

Security firm Intezer Labs said it discovered a covert year-long malware operation where cybercriminals created fake cryptocurrency apps in order to trick users into installing a new strain of malware on their systems, with the obvious end goal of stealing victims’ funds.

The campaign was discovered in December 2020, but researchers said they believe the group began spreading the malware as early as January 8, 2020.

Intezer Labs said the hackers relied on three cryptocurrency-related apps for their scheme.

The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively.

The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app.

All three apps came in versions for Windows, Mac, and Linux, and were built on top of Electron, a framework that packages a web application as a desktop app, which is why a single code base could be shipped for all three operating systems.

But Intezer researchers say the apps also came with a little surprise in the form of a new malware strain that was hidden inside, which the company’s researchers named ElectroRAT.

“ElectroRAT is extremely intrusive,” researchers said today in a report shared with ZDNet. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.”


Image: Intezer Labs

Intezer researchers believe the malware was being used to collect cryptocurrency wallet keys and then drain victims’ accounts.

To spread the trojanized applications, Intezer says the hackers promoted the three apps and their websites with ads on niche cryptocurrency forums and through social media accounts.

Because of a quirk in the malware's design, ElectroRAT retrieved the address of its command-and-control server from a Pastebin page instead of carrying it hard-coded in the binary. Pastebin shows a view counter for every paste, and each infected host had to fetch the page to find its C2, so the counter doubles as a rough infection tally: Intezer believes the operation infected around 6,500 users, the total number of times the Pastebin pages were viewed. Treat that as an estimate rather than a precise victim count, since views from researchers, sandboxes and repeat check-ins by the same host are counted too.


Image: Intezer Labs

Cryptocurrency users who lost funds over the past year but never identified the source of the breach should check whether they downloaded and installed any of the three apps named in this article. Anyone who finds one should treat the machine as compromised: kill the app's process, remove it, move funds to a new wallet with freshly generated keys (the malware's purpose was to harvest wallet keys), and rotate any passwords typed on that machine, since the RAT also logs keystrokes.
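A small triage script for that check, added here as an example and not code from the Intezer report or the article. The three domains and the app names are the ones reported above; everything else (the key=value log format, the sample log lines, the paste IDs, the directory names) is constructed for the example. It flags contact with the lure domains, Pastebin raw fetches made by a process named after one of the lure apps, and installed app folders carrying those names.

```python
"""Added example, not from the Intezer report: triage for the ElectroRAT lures.
Indicators (domains, app names) come from the article; the log format, sample
log lines, paste IDs and directory names below are constructed."""
import os
import re
import tempfile

# Lure domains from the article (written defanged there, refanged here).
IOC_DOMAINS = ("jamm.to", "kintum.io", "daopker.com")
# Lure app names from the article. "etrade" will also hit unrelated E*TRADE
# software, so review those matches by hand rather than acting on them blindly.
IOC_APP_NAMES = ("jamm", "etrade", "kintum", "daopoker")

# Constructed sample telemetry in a key=value format assumed for this example.
# The paste IDs are placeholders, not the real ones from the campaign.
LOG_LINES = [
    "2020-06-14T10:22:03Z type=dns host=www.jamm.to client=10.0.0.5",
    "2020-06-14T10:22:09Z type=proxy host=pastebin.com url=https://pastebin.com/raw/XXXXXXXX proc=jamm.exe",
    "2020-06-14T10:23:00Z type=dns host=kintum.io.example.net client=10.0.0.7",
    "2020-06-14T10:24:11Z type=proxy host=pastebin.com url=https://pastebin.com/raw/YYYYYYYY proc=chrome.exe",
    "2020-06-14T10:25:42Z type=dns host=daopker.com client=10.0.0.9",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a key=value log line into a dict (unknown keys are kept as-is)."""
    return dict(KV_RE.findall(line))


def host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it.
    Suffix matching on the whole label prevents 'kintum.io.example.net'
    or 'notdaopker.com' from firing."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def scan_log_lines(lines):
    """Return (index, reason) for every line matching an indicator."""
    hits = []
    for i, line in enumerate(lines):
        fields = parse_line(line)
        host = fields.get("host", "")
        proc = fields.get("proc", "").lower()
        url = fields.get("url", "").lower()
        if host_matches(host, IOC_DOMAINS):
            hits.append((i, "contact with lure domain " + host))
        # ElectroRAT looked up its C2 on Pastebin, so a raw-paste fetch by a
        # process named after one of the lure apps is a strong signal; the same
        # fetch from a browser is ordinary user activity.
        elif "pastebin.com/raw/" in url and any(n in proc for n in IOC_APP_NAMES):
            hits.append((i, "Pastebin raw fetch by lure process " + proc))
    return hits


def find_installed_apps(roots):
    """Return entries directly under the given install roots whose name
    contains one of the lure app names."""
    found = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for entry in sorted(os.listdir(root)):
            if any(name in entry.lower() for name in IOC_APP_NAMES):
                found.append(os.path.join(root, entry))
    return found


def demo_installed_apps():
    """Scan a constructed install directory so the example runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("DaoPoker", "Kintum", "Spotify"):
            os.mkdir(os.path.join(tmp, name))
        return [os.path.basename(p) for p in find_installed_apps([tmp])]


if __name__ == "__main__":
    for idx, reason in scan_log_lines(LOG_LINES):
        print(f"line {idx}: {reason}")
    print("suspect app folders:", demo_installed_apps())
```

On a real host, point find_installed_apps at the usual install locations (Program Files and %LOCALAPPDATA% on Windows, /Applications on macOS, /opt and ~/.local on Linux) and feed scan_log_lines your DNS or proxy export after adapting parse_line to its format.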

As a side note, Intezer Labs also pointed out that ElectroRAT was written in Go, a programming language that has slowly become more popular with malware authors over the past year.

Go's appeal to malware authors comes down to a few practical points. Antivirus coverage of Go binaries is still spotty. Go executables are statically linked, large, and carry their own runtime and goroutine scheduler, so reverse engineering them takes more effort than a comparable C, C++ or C# sample. And cross-compilation is built into the toolchain: setting GOOS and GOARCH is enough to produce Windows, macOS and Linux builds from the same source, which makes multi-platform malware like ElectroRAT cheap to produce.
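One consequence for analysts is that the first triage question is often "is this a Go binary at all?". The string-scan heuristic below is an added example, not code from the Intezer report: it looks for the markers the Go linker writes (the build-info magic read by `go version -m`, the build-ID prefix embedded in PE and Mach-O outputs, and runtime function names, which survive even in binaries built with -ldflags "-s -w" because the pclntab keeps them). The two sample blobs are constructed for the example and are not real malware.

```python
"""Added example, not from the Intezer report: quick triage to spot Go-built
executables. The markers are real Go linker artifacts; the sample blobs are
constructed here and are not actual malware samples."""
import re

# Magic written in front of the build-information block since Go 1.13.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
# Prefix of the build-ID string the linker embeds in non-ELF outputs
# (ELF binaries carry the ID in a .note.go.buildid section instead).
GO_BUILD_ID_PREFIX = b" Go build ID: \""
# Runtime symbol names kept in the pclntab even when the binary is stripped.
GO_RUNTIME_SYMBOLS = (b"runtime.main", b"runtime.gopanic", b"runtime.newproc")
# Toolchain version string, e.g. go1.15.6; usually near the build-info block.
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")

# Constructed samples: a fake PE-like Go build and a fake gcc-built ELF.
GO_SAMPLE = (b"MZ" + b"\x00" * 60 + GO_BUILDINFO_MAGIC + b"\x08\x02"
             + b"\x08go1.15.6" + b"\x00" * 8
             + b"runtime.main\x00runtime.gopanic\x00")
C_SAMPLE = b"\x7fELF" + b"\x00" * 32 + b"GCC: (GNU) 10.2.0\x00main\x00printf\x00"


def go_indicators(data: bytes) -> list:
    """List every Go marker found in the blob, for the analyst's notes."""
    found = []
    if GO_BUILDINFO_MAGIC in data:
        found.append("buildinfo magic")
    if GO_BUILD_ID_PREFIX in data:
        found.append("build ID string")
    syms = [s.decode() for s in GO_RUNTIME_SYMBOLS if s in data]
    if syms:
        found.append("runtime symbols: " + ", ".join(syms))
    return found


def is_go_binary(data: bytes) -> bool:
    """Decide on any hard marker, or on two runtime symbols together so a
    single stray string does not trigger a verdict."""
    if GO_BUILDINFO_MAGIC in data or GO_BUILD_ID_PREFIX in data:
        return True
    return sum(s in data for s in GO_RUNTIME_SYMBOLS) >= 2


def go_version(data: bytes):
    """Return the first Go toolchain version string found, or None."""
    match = GO_VERSION_RE.search(data)
    return match.group(0).decode() if match else None


def triage_file(path: str) -> dict:
    """Run the checks over a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"go": is_go_binary(data), "version": go_version(data),
            "indicators": go_indicators(data)}


if __name__ == "__main__":
    for name, blob in (("go_sample", GO_SAMPLE), ("c_sample", C_SAMPLE)):
        print(name, is_go_binary(blob), go_version(blob), go_indicators(blob))
```

The version string is found by a plain regex rather than by parsing the build-info structure, which changed layout in Go 1.18; for a definitive answer on a real file, `go version -m <file>` reads that structure properly.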