New multi-platform malware has infected at least 6,500 cryptocurrency users

Artnote
3 min read · Jan 8, 2021

A new remote access tool (RAT) has been used in an extensive campaign. The attacks target cryptocurrency users in an attempt to collect their private keys and ultimately drain their wallets. At least 6,500 cryptocurrency users have been infected with the malware, which spreads via trojanized macOS, Windows and Linux applications.

The never-before-seen RAT at the heart of the campaign, which the researchers dubbed ElectroRAT, was written in the Go programming language and built to target several operating systems: Windows, Linux and macOS.

The campaign was discovered in December 2020, but researchers believe it started a year earlier. They estimate that at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin page the malware uses to locate its command-and-control (C2) server.

“ElectroRAT is extremely intrusive,” Intezer researchers said in their analysis published Tuesday. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux, and macOS variants.”

The attacker behind the campaign first lures cryptocurrency users into downloading a trojanized app. The apps, promoted on cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan, are themselves cryptocurrency-themed: they are presented as “Jamm” and “eTrade”, cryptocurrency trade-management applications, and “DaoPoker”, a cryptocurrency poker application.

“A trojanized application is an application developed by the attacker and hosted on a website that is also developed by the attacker,” Avigayil Mechtinger, a security researcher at Intezer, told Threatpost. Even though the application works, Mechtinger said, “ElectroRAT is embedded in this application, so once run, the victim will see the GUI of the application, but ElectroRAT will run hidden in the background.”

The attacker also “went the extra mile”, creating Twitter and Telegram personas for the “DaoPoker” application and even paying an unnamed social media influencer (with more than 25,000 followers on Twitter) to advertise the trojanized app.

The applications were built with the Electron app-building platform, with ElectroRAT embedded inside. After the victim opens and runs the application, ElectroRAT runs silently in the background under the process name “mdworker”.

The RAT then goes after the victim’s private crypto keys. A private key grants access to the owner’s cryptocurrency wallet, so obtaining it would give the attackers the ability to take over the victim’s wallet, the researchers said.

“We have evidence that it was used to steal crypto wallets, but it has the ability to gather any information from the victim’s machine,” Mechtinger said. Mechtinger told Threatpost that the researchers had no information about how much money was stolen.

Upon closer examination, the researchers found that ElectroRAT contacts a raw Pastebin page to retrieve the IP address of its C2 server. Looking at the Pastebin page, the researchers noted that the first paste was posted on January 8, 2020, indicating the operation had been active for at least a year.
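The two behaviours described above, a process borrowing the “mdworker” name outside its normal system location and a fetch of a raw Pastebin page for C2 configuration, are the kind of thing a defender can check over endpoint telemetry. The following is an added example, not code from the report or from Intezer; the event format, the sample events and the assumption that the genuine macOS mdworker binary lives under /System/ are mine.

```python
import re

# Constructed sample endpoint telemetry (not from the report): process-start
# ("proc") and outbound-connection ("net") events from one macOS host.
SAMPLE_EVENTS = """\
proc pid=412 name=mdworker parent=launchd path=/System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker
proc pid=913 name=DaoPoker parent=launchd path=/Applications/DaoPoker.app/Contents/MacOS/DaoPoker
proc pid=914 name=mdworker parent=DaoPoker path=/Users/alice/Library/Application Support/DaoPoker/mdworker
net pid=914 dst=https://pastebin.com/raw/PLACEHOLDER_PASTE_ID
net pid=412 dst=https://example.com/index
"""

# Assumption: Spotlight's real mdworker ships with macOS under /System/;
# any other binary using that name is masquerading.
LEGIT_PREFIX = "/System/"
PASTE_RAW = re.compile(r"https?://pastebin\.com/raw/", re.IGNORECASE)
FIELD = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")  # key=value, value may hold spaces


def parse(line):
    """Split 'kind key=value ...' into (kind, {key: value})."""
    kind, _, rest = line.partition(" ")
    return kind, dict(FIELD.findall(rest))


def detect(events):
    """Return {pid: [rule names]} for pids showing ElectroRAT-style tradecraft."""
    hits = {}
    for line in events.strip().splitlines():
        kind, f = parse(line)
        pid = int(f["pid"])
        if kind == "proc":
            # Rule 1: system-looking name, non-system path.
            if f["name"] == "mdworker" and not f["path"].startswith(LEGIT_PREFIX):
                hits.setdefault(pid, []).append("mdworker_masquerade")
        elif kind == "net" and PASTE_RAW.search(f["dst"]):
            # Rule 2: config/C2 lookup via a raw paste page (weak on its own).
            hits.setdefault(pid, []).append("pastebin_raw_fetch")
    # Escalate when both signals land on the same process.
    for rules in hits.values():
        if {"mdworker_masquerade", "pastebin_raw_fetch"} <= set(rules):
            rules.append("high_confidence_rat")
    return hits


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

The Pastebin rule alone produces noise from developers and scripts, which is why the example only escalates when it coincides with the name masquerade on the same pid.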

Potential victims of the scam should make sure to delete all files associated with the malware, move their funds to new wallets and change all their passwords, the researchers said.

The researchers note that ElectroRAT is the latest example of attackers using the Go programming language to develop multi-platform malware. Previously discovered Golang malware includes the Blackrota backdoor and the “Golang” cryptomining worm.

“It is rare to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” the researchers said. “It is even rarer to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotion efforts via relevant forums and social media.”
