Security researchers at Intezer Labs reported that they had discovered a new remote access trojan (RAT). Cybercriminals built fake cryptocurrency apps to trick users into installing the malware on their systems, with the apparent goal of stealing victims' funds. The apps, built on Electron, a framework for building desktop applications, targeted the wallets of thousands of Windows, Linux, and macOS users.
The campaign was uncovered in December 2020, but researchers suspect the group began spreading the malware as early as January 8, 2020. The cross-platform RAT is written from the ground up in Go (Golang). The researchers named it ElectroRAT after its discovery.
The Malicious Apps
The researchers noted that ElectroRAT is the latest case of attackers using Go to develop multi-platform malware and evade most antivirus engines. They added that information stealers that harvest private keys to access victims' wallets have become common, but it is unusual to see tools written from scratch and targeting multiple operating systems for this purpose.
Intezer Labs believes the attackers relied on three cryptocurrency-related apps for their campaign.
The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively. The attackers built custom Electron applications that behaved like crypto trading tools and embedded their RAT in them.
The first two apps claimed to provide a simple platform for trading cryptocurrency, while the third was a cryptocurrency poker app. Immediately after launch on a victim's computer, each app displayed a foreground user interface designed to distract the victim from the malicious ElectroRAT process running in the background.
According to the Intezer report, the malicious apps were hosted on websites built specifically for this campaign. The threat actors also went the extra mile to promote them on social media (Twitter and Telegram) and dedicated online forums (bitcointalk and SteemCoinPan) to lure unsuspecting users into downloading the trojanized apps.
The Victims of the ElectroRAT Malware
Thousands of victims downloaded the fake apps between January and December 2020; one of the Pastebin pages the malware uses to retrieve command-and-control (C2) server addresses had been accessed almost 6,500 times.
Intezer observed that the malicious apps and the ElectroRAT binaries had low or zero detection on VirusTotal at the time of the report.
After being infected and having their wallets drained, some victims tried to warn others about the dangerous apps.
Users who have fallen victim to this campaign should kill the malicious process, delete all malware files, transfer their funds to a new wallet, and change their passwords.
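The Pastebin dead-drop pattern described above (malware fetching its C2 address from a public paste) leaves a footprint in web proxy logs that defenders can hunt for. The following is an added example, not code from the Intezer report or from the ElectroRAT campaign: it scans proxy log lines for fetches of pastebin.com raw endpoints made by non-browser HTTP clients. The log line format, the sample log lines, the paste identifiers, and the assumption that ElectroRAT-style fetches use a non-browser user agent are all constructed for this illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample proxy log lines for this example (not real traffic from
# the campaign). Format assumed here:
#   <timestamp> <source-ip> <method> <url> <status> ua="<user-agent>"
SAMPLE_LOG = """\
2020-06-01T10:00:01Z 10.0.0.5 GET https://pastebin.com/raw/Ab12Cd34 200 ua="Go-http-client/1.1"
2020-06-01T10:00:07Z 10.0.0.9 GET https://pastebin.com/raw/Zz99Yy88 200 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/87.0"
2020-06-01T10:00:09Z 10.0.0.5 GET https://example.com/index.html 200 ua="Go-http-client/1.1"
2020-06-01T10:00:15Z 10.0.0.7 GET https://pastebin.com/raw/Qq11Ww22 200 ua="python-requests/2.25.0"
2020-06-01T10:00:20Z 10.0.0.7 GET https://pastebin.com/Qq11Ww22 200 ua="Mozilla/5.0 Firefox/84.0"
"""

# Parser for the assumed log format above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) ua="(?P<ua>[^"]*)"$'
)
# Raw paste endpoint: what a program fetches when it wants only the paste body.
RAW_PASTE_RE = re.compile(r'^https?://(www\.)?pastebin\.com/raw/[A-Za-z0-9]+$')
# Crude browser heuristic: real browsers send a "Mozilla/" prefixed UA.
BROWSER_UA_RE = re.compile(r'^Mozilla/')


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    url: str
    ua: str


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_dead_drop_fetches(log_text):
    """Flag raw-paste fetches by non-browser clients as possible C2 lookups."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if RAW_PASTE_RE.match(rec["url"]) and not BROWSER_UA_RE.match(rec["ua"]):
            hits.append(Hit(rec["ts"], rec["src"], rec["url"], rec["ua"]))
    return hits


if __name__ == "__main__":
    for h in find_dead_drop_fetches(SAMPLE_LOG):
        print(f"{h.ts} {h.src} fetched {h.url} with UA {h.ua!r}")
```

On the constructed log this flags the two fetches by Go-http-client and python-requests and ignores the browser visit to the same kind of URL. The user-agent heuristic is a triage signal, not proof: malware can spoof a browser UA, and legitimate tooling fetches raw pastes too, so hits should be pivoted on (which process on the source host made the request, what the paste contained) rather than treated as confirmed infections.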