New multi-platform malware targets cryptocurrency users

Security researchers have discovered a new remote access trojan (RAT) that operated undetected for about a year while draining the cryptocurrency wallets of thousands of users.

The RAT, used to empty the cryptocurrency wallets of thousands of users, was discovered this past December by the security firm Intezer Labs.

Named ElectroRAT, the malware is written in Go (Golang) and, according to the researchers, was used in a campaign that targeted thousands of cryptocurrency users with the aim of emptying the wallets of Windows, Linux and macOS users alike.

The campaign was discovered in December 2020, but the company points out that it had been running covertly for about a year: the attackers created fake cryptocurrency applications to trick users into installing the new strain of malware on their systems.

The attackers behind the ElectroRAT operation built custom Electron applications designed to look and behave like cryptocurrency trade-management tools (Jamm and eTrade) and a crypto poker application (DaoPoker), shipped them in Windows, macOS and Linux versions, and injected the RAT into them.

Thousands of infected users

Once launched on the victim's computer, Intezer Labs' researchers explain, these applications first display a user interface to keep the victim's attention away from the malicious process, while ElectroRAT runs in the background.

They also believe the malware was used to extract private keys from cryptocurrency wallets and then drain the victims' accounts.

The new ElectroRAT malware is extremely intrusive, with a wide set of capabilities shared by its Windows, Linux and macOS variants, including "keylogging, screen capture, uploading files from disk, downloading files and executing commands on the victim's console", according to the researchers.

"It is very rare to see a RAT written from scratch and used to steal personal information from cryptocurrency users" (…) "It is even rarer to see such a broad and targeted campaign that includes several components, such as fake applications and websites, and marketing/promotion efforts through relevant forums and social networks", Intezer Labs concludes.

To distribute the applications and attract potential victims, the threat actors promoted the trojanized applications on social networks, through paid advertisements and in online forums devoted to cryptocurrency and blockchain topics, such as Bitcoin Legacy and SteemCoinPan, according to the security firm.

The applications were downloaded by thousands of users between January and December 2020. A design feature of the malware made it possible to estimate the scale of the operation: ElectroRAT retrieves the address of its command-and-control server from Pastebin pages, and the view counts of those pages let Intezer Labs estimate that about 6,500 users were infected over the course of the year.
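The Pastebin dead-drop behaviour described above leaves a usable trace on the defender's side too: an infected host fetches a raw paste and, moments later, opens a connection to an address it has never talked to before. The following is an added hunting script, written for this article and not code from Intezer Labs or from the ElectroRAT sample. The log lines are constructed, the paste IDs are made-up placeholders, and the assumption that the resolved C2 is contacted by bare IP address within a short window is an editorial simplification, not a documented property of the campaign.

```python
"""Hunt proxy logs for the 'fetch raw paste, then connect to a fresh IP' pattern
that a Pastebin-based command-and-control resolver produces.

Added example for this article; not Intezer Labs' or ElectroRAT's code.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (not real traffic). Format per line:
#   <ISO timestamp> <source IP> <destination host or IP> <URL or "-">
# The paste IDs below are placeholders, not the ones used in the campaign.
SAMPLE_LOGS = """\
2020-06-01T09:00:01 10.0.0.5 pastebin.com https://pastebin.com/raw/abcd1234
2020-06-01T09:00:03 10.0.0.5 198.51.100.23 -
2020-06-01T09:00:05 10.0.0.7 pastebin.com https://pastebin.com/raw/abcd1234
2020-06-01T09:05:00 10.0.0.7 example.org https://example.org/
2020-06-01T09:10:00 10.0.0.9 github.com https://github.com/
2020-06-01T09:10:02 10.0.0.9 203.0.113.8 -
2020-06-01T09:20:00 10.0.0.11 pastebin.com https://pastebin.com/raw/efgh5678
2020-06-01T09:20:01 10.0.0.11 198.51.100.23 -
"""

# Raw paste URLs are what a resolver fetches; the HTML view is what humans read.
PASTE_RAW = re.compile(r"^https://pastebin\.com/raw/[A-Za-z0-9]+$")
# Assumption: the C2 is contacted within this many seconds of the paste fetch.
WINDOW = timedelta(seconds=60)


def parse(logs):
    """Turn the text log into (timestamp, src, dest, url) tuples, oldest first."""
    events = []
    for line in logs.splitlines():
        ts, src, dest, url = line.split()
        events.append((datetime.fromisoformat(ts), src, dest, url))
    return sorted(events)


def is_bare_ip(dest):
    """True if the destination is a literal IP address rather than a hostname."""
    try:
        ipaddress.ip_address(dest)
        return True
    except ValueError:
        return False


def find_dead_drop_resolution(logs, window=WINDOW):
    """Return (src, paste_url, dest) triples for every host that fetched a raw
    paste and then connected to a bare IP address within `window`."""
    last_paste = {}  # src -> (timestamp of fetch, paste URL)
    hits = []
    for ts, src, dest, url in parse(logs):
        if PASTE_RAW.match(url):
            last_paste[src] = (ts, url)
            continue
        if src in last_paste and is_bare_ip(dest):
            paste_ts, paste_url = last_paste[src]
            if ts - paste_ts <= window:
                hits.append((src, paste_url, dest))
                del last_paste[src]  # one alert per fetch, not per packet
    return hits


def hosts_per_paste(logs):
    """Distinct source hosts per raw paste URL: a rough victim count per dead
    drop, the same idea as reading a paste's view counter, but from your own
    logs rather than from Pastebin's statistics."""
    seen = defaultdict(set)
    for _, src, _, url in parse(logs):
        if PASTE_RAW.match(url):
            seen[url].add(src)
    return {url: len(srcs) for url, srcs in seen.items()}


if __name__ == "__main__":
    for src, paste, dest in find_dead_drop_resolution(SAMPLE_LOGS):
        print(f"ALERT {src} fetched {paste} then connected to {dest}")
    for paste, n in hosts_per_paste(SAMPLE_LOGS).items():
        print(f"{paste}: {n} distinct host(s)")
```

On the sample data the script flags 10.0.0.5 and 10.0.0.11 (raw paste fetch followed within seconds by a connection to a bare IP) and leaves 10.0.0.7 and 10.0.0.9 alone: the first only fetched a paste and then browsed a normal hostname minutes later, the second never touched Pastebin. Legitimate Pastebin use exists on most networks, so the bare-IP follow-up and the short window are what keep the rule from paging on every developer who reads a paste; tune both to your environment, and treat a paste fetched by many hosts as the first thing to pull and read.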