A new remote access Trojan (RAT) is being used to empty the cryptocurrency wallets of thousands of users. It was discovered last December by the security company Intezer Labs.
Security researchers have named it ElectroRAT and report that the cross-platform RAT malware was written in Golang and used as part of a campaign targeting thousands of cryptocurrency users on Windows, Linux and macOS to drain money from their wallets.
The campaign was spotted in December 2020, but the company highlights that it was a year-long malware operation in which the attackers created fake cryptocurrency applications to trick users into installing a new type of malware on their systems; the company estimates that the malware started spreading in early January 2020.
The attackers behind the ElectroRAT operation created their RAT and embedded it in custom Electron applications that look and feel like cryptocurrency trading management tools (Jamm and eTrade) and a cryptocurrency poker application (DaoPoker), with Windows, Mac and Linux versions.
Thousands of infected users
Once launched on the victim’s computer, these security experts at Intezer Labs explain, the applications would first display a user interface to divert victims’ attention from the malicious ElectroRAT process running in the background.
They also believe the malware was used to extract keys from cryptocurrency wallets and then drain victims’ accounts.
“The new ElectroRAT malware is extremely invasive and offers a wide variety of functions shared by the Windows, Linux and macOS flavors, including keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console,” the researchers said.
“It is very rare that a RAT is written from scratch and used to steal personal information from cryptocurrency users.” (…) “Even more rarely do you see such a broad and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional activities through relevant forums and social networks,” concludes Intezer Labs.
In order to distribute the applications and attract potential victims, the threat actors promoted the Trojanized applications through advertising on various social networks and in online forums on cryptocurrencies and blockchains such as Bitcointalk and SteemCoinPan, as the security company states.
Such applications were downloaded by thousands of users between January and December 2020. Because of a feature in the malware’s design, the command-and-control server address was retrieved from a Pastebin URL, on the basis of which Intezer Labs said 6,500 users were infected during the year.
The company also emphasized that “the Trojanized application and ElectroRAT binaries are rarely, or, on the contrary, not fully recognized in VirusTotal at the time of this writing.”
In particular, Intezer Labs offers a YARA rule that can be used to detect ElectroRAT memory artifacts. The company also notes that this malware was written in Go, a programming language that has gradually grown in popularity with malware writers over the past year because it lets operators compile binaries for different platforms more easily than other languages, enabling them to create cross-platform malware more easily and quickly.
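As an added defender-side illustration (not code from Intezer Labs or from the article), the following Python triage helper flags an executable that is both Go-compiled and carries an embedded Pastebin URL, the two traits the article attributes to ElectroRAT, across the PE, ELF and Mach-O formats the campaign shipped for. The sample byte blobs are constructed inline and the Pastebin identifier is a placeholder; the checks are heuristics, not the vendor's YARA rule.

```python
import re

# Mach-O magics (32/64-bit, both byte orders) and the fat-binary header.
_MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",
                 b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}
# Marker the Go linker writes at the start of its build-info blob (Go 1.13+).
_GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
# Fallback: the runtime version string that Go binaries embed.
_GO_VERSION_RE = re.compile(rb"go1\.\d{1,2}(?:\.\d{1,2})?")
# Pastebin links, including the /raw/ form used to fetch plain text.
_PASTEBIN_RE = re.compile(
    rb"https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]{4,12}")


def executable_format(data: bytes) -> str:
    """Classify by magic bytes: pe, elf, macho or unknown."""
    if data[:2] == b"MZ":
        return "pe"
    if data[:4] == b"\x7fELF":
        return "elf"
    if data[:4] in _MACHO_MAGICS:
        return "macho"
    return "unknown"


def is_go_binary(data: bytes) -> bool:
    """Heuristic: build-info magic or an embedded Go version string."""
    return _GO_BUILDINFO_MAGIC in data or _GO_VERSION_RE.search(data) is not None


def pastebin_urls(data: bytes) -> list:
    """Unique Pastebin URLs found in the raw bytes, sorted for stable output."""
    return sorted({m.decode("ascii") for m in _PASTEBIN_RE.findall(data)})


def triage(data: bytes) -> dict:
    """Flag a recognised executable that is Go-built and embeds a Pastebin URL."""
    fmt = executable_format(data)
    go = is_go_binary(data)
    urls = pastebin_urls(data)
    return {"format": fmt, "go": go, "pastebin_urls": urls,
            "suspicious": fmt != "unknown" and go and bool(urls)}


# Constructed samples: a Go-built ELF with a placeholder Pastebin link, and a
# plain PE stub with neither trait.
SAMPLE_GO_ELF = (b"\x7fELF" + b"\x00" * 60 + _GO_BUILDINFO_MAGIC
                 + b"go1.15.6\x00https://pastebin.com/raw/EXAMPLE1\x00")
SAMPLE_PLAIN_PE = b"MZ" + b"\x00" * 100 + b"Hello from a normal program\x00"

if __name__ == "__main__":
    for name, blob in (("go_elf", SAMPLE_GO_ELF), ("plain_pe", SAMPLE_PLAIN_PE)):
        print(name, triage(blob))
```

Run it over files collected from an endpoint to shortlist candidates for deeper analysis; a hit is a reason to look closer, not a verdict.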