ElectroRAT Drains Cryptocurrency Wallet Funds of Thousands

At least 6,500 cryptocurrency users have been infected by new, ‘extremely intrusive’ malware that’s spread via trojanized macOS, Windows and Linux apps.

A new remote access tool (RAT) has been discovered being used in an extensive campaign. The attack has targeted cryptocurrency users in an attempt to collect their private keys and ultimately to drain their wallets.

The never-before-seen RAT at the center of the campaign, which researchers dub ElectroRAT, is written in the Go programming language and is compiled for several operating systems, including Windows, Linux and macOS.

The campaign was discovered in December 2020, but researchers believe it began about a year earlier. They estimate that at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin pages the malware uses to locate its command and control (C2) servers.


“ElectroRAT is extremely intrusive,” according to Intezer researchers in a Tuesday morning analysis. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.”

The Attack

The attacker behind the campaign first lured cryptocurrency users to download trojanized applications. These applications, which were promoted on cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan, relate directly to cryptocurrency. For instance, they purport to be "Jamm" and "eTrade," which are cryptocurrency trade management applications, and "DaoPoker," a cryptocurrency poker app.


One trojanized application used to spread ElectroRAT. Credit: Intezer

“The trojanized applications are applications developed by the attacker and hosted on websites which were also developed by the attacker,” Avigayil Mechtinger, security researcher at Intezer, told Threatpost. Though these applications do function, she said, “ElectroRAT is embedded inside of these applications, so upon execution a victim will see the application’s GUI, however ElectroRAT will run hidden in the background.”

The attacker also "went the extra mile" to create Twitter and Telegram personas for the "DaoPoker" application on social media, and even paid an unnamed social media influencer (with more than 25K followers on Twitter) to advertise the trojanized apps.

These apps were built with the Electron framework, with ElectroRAT embedded inside the app bundle. Once a victim opens and runs the application, ElectroRAT runs secretly in the background under the name "mdworker". That name is borrowed from a legitimate macOS process (the Spotlight metadata worker), so it blends in with normal process listings.
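Because the RAT hides behind a process name that macOS uses legitimately, a name-only search is useless; the useful check is whether a process called mdworker is running from the Spotlight framework directory or from somewhere else, such as an application bundle or a user directory. The following is an added example written for this page, not Intezer's tooling or code from the campaign. It assumes `ps -axo pid,user,comm`-style input (on macOS, `comm` reports the full executable path), and the sample rows and their non-system paths are constructed placeholders, not real indicators.

```python
import os
import re
from typing import List, Tuple

# Where the genuine Spotlight mdworker binaries live on macOS. Anything with that
# name running from elsewhere is treated as suspect (assumption of this example:
# the allow-list is the CoreServices Metadata framework support directory only).
LEGITIMATE_MDWORKER_DIR = (
    "/System/Library/Frameworks/CoreServices.framework/Frameworks/"
    "Metadata.framework/Versions/A/Support/"
)

# One row of `ps -axo pid,user,comm` output: pid, user, executable path.
# The path may contain spaces, so the last group is allowed to span them.
PS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S.*?)\s*$")

# Constructed sample output for this example. The two non-system mdworker paths
# are hypothetical stand-ins for an Electron bundle and a hidden user directory.
SAMPLE_PS = """\
  PID USER  COMM
  312 root  /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker
  318 alice /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
 4711 alice /Applications/SomeWallet.app/Contents/Resources/app/mdworker
 4720 alice /Users/alice/Library/Application Support/.cache/mdworker
 4730 alice /Applications/Safari.app/Contents/MacOS/Safari
"""


def parse_ps(output: str) -> List[Tuple[int, str, str]]:
    """Turn ps output (header line first) into (pid, user, path) tuples."""
    rows = []
    for line in output.splitlines()[1:]:
        m = PS_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return rows


def suspicious_mdworkers(rows: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return processes named like mdworker that do not run from the Spotlight
    framework directory, i.e. candidates for the masquerade described above."""
    hits = []
    for pid, user, path in rows:
        name = os.path.basename(path)
        if name.startswith("mdworker") and not path.startswith(LEGITIMATE_MDWORKER_DIR):
            hits.append((pid, user, path))
    return hits


if __name__ == "__main__":
    for pid, user, path in suspicious_mdworkers(parse_ps(SAMPLE_PS)):
        print(f"suspicious mdworker: pid={pid} user={user} path={path}")
```

The check deliberately matches on the basename prefix rather than the exact name, so variants such as `mdworker_shared` are held to the same path rule. On a live system, feed it the real `ps` output and treat every hit as a lead to inspect (code-signing status, parent process, open network connections), not as a verdict on its own.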


The attack process. Credit: Intezer

Then, the RAT targets victims’ private crypto keys. A private key allows a user to access his or her cryptocurrency wallet; access to this would give attackers the ability to take hold of victim wallets, said researchers.

"We have evidence that it was used to steal crypto wallets, however it has the capability to gather any information from the victim's machine," said Mechtinger. She told Threatpost that researchers do not have information about how much money was stolen.

On closer inspection, researchers found that ElectroRAT does not carry a hard-coded C2 address; instead it fetches raw Pastebin pages and reads the C2 IP address from them, so the operator can change servers without touching the implant. The earliest of these Pastebin pages were posted on Jan. 8, 2020, indicating the operation has been active for at least a year.
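The Pastebin lookup is a dead-drop resolver, and it leaves a trace on the network: a programmatic fetch of a raw paste URL, followed by connections to whatever address the paste contains. The following is an added example written for this page, not Intezer's code or anything recovered from the campaign. It flags raw-paste fetches in a constructed proxy log and extracts an address-and-port pair from a constructed paste body; the log format, paste IDs, client addresses and the documentation-range C2 address are all placeholders of this example.

```python
import re
from typing import List, Optional, Tuple

# Only /raw/<id> fetches are interesting: that is the form a program, rather
# than a person in a browser, requests when it wants the bare paste contents.
RAW_PASTE = re.compile(r"https?://(?:www\.)?pastebin\.com/raw/([A-Za-z0-9]+)")

# "a.b.c.d" optionally followed by ":port", as a dead-drop page might carry it.
IP_PORT = re.compile(r"\b((?:\d{1,3}\.){3}\d{1,3})(?::(\d{1,5}))?\b")

# Constructed proxy log lines: "<timestamp> <client> <method> <url> <status>".
# Paste IDs and client addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2021-01-05T09:12:03Z 10.0.0.14 GET https://www.example.com/index.html 200
2021-01-05T09:12:41Z 10.0.0.14 GET https://pastebin.com/raw/AbCdEf12 200
2021-01-05T09:13:02Z 10.0.0.27 GET https://pastebin.com/AbCdEf12 200
2021-01-05T09:13:10Z 10.0.0.31 GET https://pastebin.com/raw/ZyXw9876 200
2021-01-05T09:14:00Z 10.0.0.14 GET https://www.example.org/ 200
"""

# Constructed paste body. The first candidate is deliberately malformed so the
# parser has to validate octets rather than take the first thing that looks
# like an address; 203.0.113.0/24 is a documentation range.
SAMPLE_PASTE_BODY = "status ok\n999.1.2.3\n203.0.113.45:8080\n"


def raw_paste_fetches(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, paste_id) for every raw-paste fetch in the log."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        m = RAW_PASTE.search(url)
        if m:
            hits.append((client, m.group(1)))
    return hits


def extract_c2(body: str) -> Optional[Tuple[str, Optional[int]]]:
    """Pull the first well-formed IPv4 address (plus optional port) out of a
    paste body, skipping strings that merely look like addresses."""
    for m in IP_PORT.finditer(body):
        octets = [int(o) for o in m.group(1).split(".")]
        if not all(o <= 255 for o in octets):
            continue
        port = int(m.group(2)) if m.group(2) else None
        if port is None or 0 < port < 65536:
            return m.group(1), port
    return None


if __name__ == "__main__":
    for client, paste_id in raw_paste_fetches(SAMPLE_LOG):
        print(f"{client} fetched raw paste {paste_id}")
    print("resolved C2:", extract_c2(SAMPLE_PASTE_BODY))
```

A raw-paste fetch is not malicious by itself; plenty of legitimate tooling pulls configuration from pastes. What makes it a strong lead is the combination: a fetch from a host that should have no reason to talk to Pastebin, made by a process other than a browser, shortly followed by traffic to the address the paste resolves to. The page IDs and resolved addresses are also the natural pivot for counting victims the way the researchers did, since every infected host must visit the same pastes.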

Anyone who installed one of the trojanized apps should delete all files related to the malware, move their funds to a new wallet (since any private key on the infected machine must be assumed stolen) and change all of their passwords, said researchers.

Golang: An Increasing Cybercrime Favorite

Researchers noted that ElectroRAT is the latest example of attackers using the Go programming language to develop multi-platform malware. Previously discovered Golang malware includes the Blackrota backdoor and a Go-based cryptomining worm.

“It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users,” said researchers. “It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”
