ElectroRAT Drains Crypto Wallets

Written by

Thousands of cryptocurrency users have fallen victim to a sophisticated threat campaign that uses trojanized apps to drain funds from digital wallets.

The recently discovered campaign is a wide-ranging operation that encompasses fake companies, a marketing campaign, custom-built cryptocurrency applications, and a new Remote Access Tool (RAT) written from scratch to avoid antivirus detection.

Researchers at Intezer who unearthed the operation in December believe it was initiated in January 2020.

“The campaign includes domain registrations, websites, trojanized applications, fake social media accounts and a new undetected RAT that we have named ElectroRAT," wrote researchers. 

ElectroRAT is written in the open-source programming language Golang and is compiled to target Windows, Linux, and Mac operating systems.

"It is rather common to see various information stealers trying to collect private keys to access victims’ wallets," wrote researchers. "However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes."

The author of the malicious campaign entices cryptocurrency users to download trojanized applications by promoting the apps on social media and in dedicated online forums. 

"We estimate this campaign has already infected thousands of victims based on the number of unique visitors to the pastebin pages used to locate the command and control servers," noted researchers.

Three different trojanized apps—Jamm, eTrade, and DaoPoker—have been created by the attacker, each with a Windows, Linux, and Mac version. The attacker then built websites specifically to host the binaries. 

The apps appear to offer easy-to-use tools that will help users trade and manage their cryptocurrency. 

"These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan," wrote researchers. 

"The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware."

To make the DaoPoker app appear legitimate, the attacker created Twitter and Telegram accounts for it and paid a social media influencer with over 25,000 Twitter followers to advertise the app.

Among ElectroRAT's extremely intrusive capabilities are keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.

What’s hot on Infosecurity Magazine?