We’ve now reached 2021 and as the crypto market continues to gather steam, crypto-based scammers are following suit. One scam in particular, titled ElectroRAT, bears mentioning due to the sheer number of cryptocurrency users that it has affected and the fact that it’s still going on. Once you understand how ElectroRAT works, it’s fairly easy to grasp how to protect yourself against it and other scams like it.
What is ElectroRAT? A Suite of “Trojanized” Applications
According to the cybersecurity team at Intezer Labs who initially uncovered ElectroRAT, it’s less of a single exploit and more of a scam-focused “campaign.” In other words, with several websites, professional-looking social media accounts, malware-infected or “trojanized” applications, and a remote-access trojan or “RAT,” it’s truly a sophisticated operation compared to most other crypto scams.
How does ElectroRAT work?
The RAT is the crux of ElectroRAT’s operations, hence the name.
In case you’re not already aware, a RAT is a program that installs itself on your computer and takes it over, giving the attacker the same level of control that an administrator, or simply you, the owner, would have. Typically, it gets there as malware attached to a photo, link, or application that you’ve been convinced to download through some form of social engineering. If you remember our past security-focused posts, then you’ll recall that social engineering refers to convincing people to give up personal information that will allow them to be hacked, under the guise of a trusted customer service professional or someone similar. Generally, it’s synonymous with “phishing” in this respect.
According to professionals from Intezer, the ElectroRAT operation depends on convincing cryptocurrency users to download applications that look legitimate but contain the scam’s RAT. Once it’s downloaded, the remote-access trojan begins to infect the user’s computer and siphon up all information that it can, through “screenshots, key logging, uploading files from your desktop to its servers and more.”
What kind of damage has the ElectroRAT scam done thus far?
All in all, the attackers have been able to conduct their scam successfully again and again, affecting “thousands of cryptocurrency users,” a figure Intezer arrived at from the number of visitors to the Pastebin pages involved in the operation itself. For now, it’s enough to know that Pastebin is an anonymous, web-based text-sharing service, roughly the online equivalent of a word processing app like TextEdit. Hackers tend to use such pages to post both the code needed to access malware like RATs and the information they steal during their exploits.
On top of affecting thousands of users and counting, ElectroRAT also targets the Windows, Mac, and Linux operating systems, all at once. This is particularly striking since the vast majority of malware is Windows-focused, and it likely indicates that crypto-focused hackers are becoming more willing to spend considerable time and effort developing their tools so that they can affect as many unsuspecting crypto users as possible. When asked by CoinDesk about ElectroRAT, Jameson Lopp, CTO of the crypto-custody firm Casa, seemed to echo this sentiment.
“It’s unsurprising to see novel malware being published, especially during a bull market in which the value of cryptocurrency is shooting up and making such attacks more profitable.”
Why has ElectroRAT been so successful?
First and foremost, the code for its central malware, the RAT, was written from scratch, which has allowed it to evade the bulk of antivirus systems in use.
Next, as stated above, unlike most malware, it’s been structured to target all of the major operating systems at once in order to maximize the number of victims affected.
Finally, the team behind it has spent considerable time and effort developing believable websites, social media accounts, and general marketing buzz around its fake crypto applications. Below, you can see an example of one of the websites in question.
When faced with the landing page above, as soon as you click the download button for the fake company’s application, you begin infecting your computer with ElectroRAT’s remote access trojan. Though the hackers have created several different websites to accomplish the same aim, the malware reportedly always originates from the same point.
If you’re wondering why such a simple scheme has been so successful, it all comes down to marketing. Just like any other crypto project, ElectroRAT’s hackers have established a presence on Twitter, bitcointalk and other channels like SteemCoinPan. Below, you can see an example of their efforts.
When faced with the information above, one way to tell whether such claims are true or false is to dig into the aforementioned partnerships. Simply running a Google search with terms like “Kintum partners with Binance,” or something similar, will show that while the hackers claim such an alliance exists, nothing has been published about it on the exchange’s side. Keeping this in mind, you’ll find it easy to conclude that Kintum’s claims are false and that you shouldn’t look into its offering any further.
What do I do if I suspect my computer has been infected by ElectroRAT?
If you believe it’s possible that you have been affected by ElectroRAT, begin by running a full scan of your computer to determine whether any malware is currently on it. For the scan to flag ElectroRAT, the antivirus you’re using must already have added it as a known threat to its databases. If this isn’t the case, then the next best option is likely to install an antivirus that has. If you’ve run a full scan and it has come up positive for ElectroRAT, then instruct your antivirus to “kill all of the processes” related to the malware. Usually, this is as simple as one or two clicks and a bit of waiting.
With all of this, it’s also important to note that, according to Intezer’s team, if you’re a more technically minded individual, you can also conduct such a scan without dedicated cybersecurity software: download the YARA tool here, run it from your command line (on a Mac, the Terminal), and point it at the detection rule Intezer has published for ElectroRAT.
Either way, once you’ve completed a full scan and your computer has been cleaned of any and all malware, make sure to move all of your cryptocurrency funds to new wallets as soon as possible. Finally, change all of your passwords, both for the device itself and for every service attached to it, including your wallets, just to be safe.
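To make the YARA step concrete, here is a small wrapper script for the scan described above. It is an added example, not code from the original post or from Intezer; it assumes the yara command-line tool is installed and that you have saved Intezer’s published rule to a file (the path ./electrorat.yar in the usage comment is a placeholder, not the real rule’s location).

```shell
#!/bin/sh
# Added example: wrap the YARA command-line scan described in the post.
# Assumes `yara` is on PATH and that the ElectroRAT rule from Intezer has been
# saved locally (placeholder path: ./electrorat.yar).

# yara_scan RULES_FILE TARGET_DIR [REPORT_FILE]
# Exit status: 0 = no matches, 1 = matches found (listed in the report file),
# 2 = rules file missing, 3 = yara not installed, 4 = yara itself failed.
yara_scan() {
    rules="$1"
    target="$2"
    report="${3:-yara-report.txt}"

    if ! command -v yara >/dev/null 2>&1; then
        echo "yara is not installed or not on PATH" >&2
        return 3
    fi
    if [ ! -f "$rules" ]; then
        echo "rules file not found: $rules" >&2
        return 2
    fi

    # -r recurses into subdirectories; -s prints the strings that matched,
    # which helps confirm a hit before you start killing processes.
    if ! yara -r -s "$rules" "$target" > "$report" 2> "$report.err"; then
        echo "yara failed; see $report.err" >&2
        return 4
    fi

    if [ -s "$report" ]; then
        echo "rule matched the following files (details in $report):" >&2
        # Match lines are "<rule name> <file path>"; string-detail lines
        # start with an 0x offset. Keep only the unique file paths.
        grep -v '^0x' "$report" | awk '{ $1 = ""; sub(/^ /, ""); print }' | sort -u >&2
        return 1
    fi
    echo "no matches under $target" >&2
    return 0
}

# Usage: sh scan.sh ./electrorat.yar "$HOME"
if [ "$#" -gt 0 ]; then
    yara_scan "$1" "${2:-$HOME}"
    exit $?
fi
```

A non-zero exit of 1 means the rule matched somewhere under the scanned directory; the report file keeps the matched strings so you can check the hit before acting on it.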
Our Commitment to Security: Educating the Masses
With ElectroRAT continuing to spread at this point in time, it’s never been more important to follow the tips we’ve mentioned above and question all claims related to new cryptocurrency projects. Overall, if you keep a careful, critical eye while moving through the crypto space, especially during bull markets, then you’ll find yourself in good stead. In the end, whatever your concerns are related to your crypto security, stick with us and you’ll always be at the forefront of crypto-security best practices. This includes access to a consistently evolving library of content on securing yourself against scams, as well as just about any other industry topic you can think of. On top of this, we’re always open to your ideas. If you think a topic should be covered and it isn’t, reach out to us any time here, on Twitter, or at email@example.com.