ElectroRAT malware used in extensive operation to extract funds from cryptocurrency wallets
Cybercriminals employed three fake cryptocurrency-related apps to trick users into downloading the malware on their systems
Researchers at cybersecurity firm Intezer Labs claim to have uncovered a new remote access Trojan (RAT) strain that is being used by cybercrooks to steal money from victims' cryptocurrency wallets.
Dubbed ElectroRAT, the malware is written in the Go programming language, and can target different operating systems, including Windows, Linux and MacOS.
According to the researchers, the group behind the operation created three fake cryptocurrency-related apps and embedded ElectroRAT malware within them. The apps - Jamm, DaoPoker, and eTrade/Kintum - were hosted on dedicated websites, and were also promoted on different blockchain and cryptocurrency-related forums.
Jamm and Kintum claimed to provide users with a simple platform to buy or sell cryptocurrency, while DaoPoker was advertised as a cryptocurrency poker game.
"The promotional posts, published by fake users, tempted readers to browse the applications' web pages, where they could download the application without knowing they were actually installing malware," the researchers noted.
The operators also created dedicated accounts on Twitter and Telegram to advertise their apps and even paid a social media influencer to promote their trojanised wares.
After a victim downloads and opens any one of the three fake applications, ElectroRAT starts running silently in the background. ElectroRAT malware is "extremely intrusive," the researchers say, and can perform a variety of functions, including uploading and downloading files, capturing screenshots, keylogging, and running commands on the victim's console.
The Intezer team believes that the malware enables operators to collect victim's cryptocurrency wallet keys and ultimately steal money from their accounts.
A detailed analysis of the malware revealed that it contacts raw Pastebin pages to retrieve the Command and Control (C2) IP address. Based on the number of unique visitors arriving at the Pastebin pages, the team concluded that the malware has already infected at least 6,500 victims.
The researchers also noticed that the first pages were posted on 8 January 2020, suggesting that the cybercampaign has been ongoing for at least a year.
"The trojanised application and the ElectroRAT binaries are either low-detected or completely undetected in VirusTotal at the time of this writing," the team warns.
Users who suspect that they have become a victim of the scam are advised to move their funds to a new wallet and to also change all of their passwords.
Users who have downloaded the Jamm, eTrade, or DaoPoker apps in the past should immediately kill their processes and remove all related files from their system.