At least 6,500 cryptocurrency users have been infected by new, ‘extremely intrusive’ malware that is spread via trojanised macOS, Windows & Linux apps.
A new remote access tool (RAT) has been found being used in an extensive campaign. The attack has targeted cryptocurrency users in an attempt to collect their private keys & ultimately to drain their wallets.
The newly-seen RAT at the centre of the campaign, which researchers dub Electro RAT, is written in the Go programming language, & is compiled to target a number of different operating systems, including Windows, Linux & MacOS.
Began 1 Year Ago
The campaign was 1st discovered in Dec. 2020 – but researchers believe it initially began 1 year ago, & estimate that at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin pages used to locate command & control (C2) servers.
“Electro RAT is extremely intrusive,” explains Intezer researchers in a Tues.morning analysis. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files & executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux & MacOS variants.”
The attacker behind the campaign 1st lured cryptocurrency users to download trojanised applications. These applications, which were promoted on cryptocurrency & blockchain-related forums such as bitcointalk & SteemCoinPan, relate directly to cryptocurrency. E.g., they purport to be “Jamm” & “eTrade,” which are cryptocurrency trade management applications, & “DaoPoker,” a cryptocurrency poker app.
“The trojanised applications are applications developed by the attacker & hosted on websites which were also developed by the attacker,” Avigayil Mechtinger, security researcher at Intezer, outlined. Though these applications do function, she outlined,
“Electro RAT is embedded inside of these applications, so upon execution a victim will see the application’s GUI, however Electro RAT will run hidden in the background.”
Twitter & Telegram
The attacker also created Twitter & Telegram profiles for the “DaoPoker” application on social media & paid an unnamed social media influencer (with over 25K followers on Twitter) to advertise the trojanised apps.
These apps were built using app-building platform Electron, with Electro RAT embedded inside the app. When a victim opens & runs the application, Electro Rat is running secretly in the background as “mdworker”.
Private Crypto Keys
The RAT then targets victims’ private crypto keys. A private key lets a user access their cryptocurrency wallet; access to this gives attackers the ability to take control of victim wallets, explained researchers.
“We have evidence that it was used to steal crypto wallets, however it has the capability to gather any information from the victim’s machine,” commented Mechtinger. She explained researchers do not have information about how much money was stolen.
Researchers also found that Electro RAT contacts raw Pastebin pages to retrieve the C2 IP address. Upon viewing the Pastebin pages, researchers noted the 1st pages were posted on Jan. 8, 2020 – indicating the operation has been active for at least a year.
Potential scam victims should delete all files related to the malware, move their funds to a new wallet & change all of their passwords, stated researchers.
Golang: Cyber-Crime Favourite
Researchers noted that Electro RAT is the latest example of attackers utilising the Go programming language to develop multi-platform malware. Previously discovered Golang malware variants include the Blackrota backdoor & a “Golang” cryptomining worm.
“It is very uncommon to see a RAT written from scratch & used to steal personal information of cryptocurrency users,” concluded researchers. “It is even more rare to see such a wide-ranging & targeted campaign that includes various components such as fake apps & websites, & marketing/promotional efforts via relevant forums & social media.”