ElectroRAT malware targets Crypto users via fake Apps
Hackers have been running this malware operation since the beginning of 2020, with the end goal of stealing victims’ funds
We are still reeling from the massive hack discovered last month, in which Russian hackers managed to break into multiple U.S. government agencies in what may be the largest compromise of government systems ever. The scary part was that the intrusion went unnoticed for months. Cybersecurity has emerged as one of the major pain points for the tech ecosystem, and the problem seems to be getting bigger by the day.
Cybersecurity firm Intezer Labs is now pointing to another year-long operation in which hackers trick crypto users into installing fake apps laced with malware. The eventual goal is to steal their crypto funds. As reported by ZDNet, the campaign was discovered in Dec. 2020, but the researchers believe the group began spreading its malware as early as January 8, 2020.
The crypto-related apps used in this operation are Jamm, eTrade/Kintum, and DaoPoker, hosted on websites at jamm.to, kintum.io, and daopker.com, respectively. The first two are disguised as crypto trading apps, whereas the third is portrayed as a cryptocurrency poker app. All three are built on the app-building framework Electron and are available in Windows, Mac, and Linux versions.
“ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.” ~ INTEZER Report
That’s not where the story ends, though. According to the Intezer researchers, the biggest surprise is a new malware strain hidden inside these apps, which the researchers dubbed ElectroRAT. The malware is believed to exist to steal victims’ digital wallet keys, and with them their crypto funds.
The hackers cleverly disguised the whole operation by running ads on niche cryptocurrency forums and by promoting their websites and apps on various social media channels. Researchers believe that the malware retrieved the address of its command-and-control server from a Pastebin URL, and that the operation may have infected around 6,500 users, based on how many times the Pastebin URLs had been accessed so far.
The report suggests that crypto users who lost funds to an unknown source in the previous year should check whether they installed any of the above-mentioned apps during that period. A deeper analysis of the malware revealed that it was written in the Go programming language, a popular choice among malware authors recently.
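A small triage helper for the two leads the article gives defenders: the lure app names and sites (Jamm, eTrade/Kintum, DaoPoker; jamm.to, kintum.io, daopker.com) and the Pastebin lookup used to fetch the C2 address. This is an added example, not Intezer's tooling; the install locations, the log format and the sample data are assumptions constructed for illustration.

```python
"""Look for traces of the ElectroRAT lure apps on a host and in proxy/DNS logs.
Added example, not Intezer's code; install roots, log format and sample data
are assumptions/constructed. A hit is a lead for manual review, not proof."""
import re
import tempfile
from pathlib import Path
from typing import Iterable, List

LURE_APP_NAMES = ("jamm", "etrade", "kintum", "daopoker")   # from the article
LURE_DOMAINS = ("jamm.to", "kintum.io", "daopker.com")      # from the article
# The RAT fetched its C2 address from Pastebin; Pastebin traffic alone is only a lead.
LEAD_DOMAINS = ("pastebin.com",)
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def _matches(domain: str, suffixes: Iterable[str]) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def find_lure_domains(log_lines: Iterable[str]) -> List[dict]:
    """Flag log lines that mention a lure site (high) or Pastebin (lead)."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for dom in sorted({d.lower() for d in DOMAIN_RE.findall(line)}):
            if _matches(dom, LURE_DOMAINS):
                hits.append({"line": n, "domain": dom, "confidence": "high"})
            elif _matches(dom, LEAD_DOMAINS):
                hits.append({"line": n, "domain": dom, "confidence": "lead"})
    return hits

def find_lure_app_dirs(roots: Iterable[Path]) -> List[Path]:
    """List directories under the given roots named like a lure app. Assumed roots
    are where Electron apps usually land, e.g. %LOCALAPPDATA%\\Programs,
    /Applications, ~/.local/share and /opt; missing roots are skipped."""
    found = []
    for root in roots:
        if root.is_dir():
            for child in root.iterdir():
                name = child.name.lower().replace(" ", "").replace("-", "")
                if child.is_dir() and any(app in name for app in LURE_APP_NAMES):
                    found.append(child)
    return sorted(found)

# Constructed sample proxy log lines (not real traffic) to exercise the scan offline.
SAMPLE_LOG_LINES = [
    "2020-12-03T10:01:12Z 10.0.0.7 GET https://update.jamm.to/latest.yml 200",
    "2020-12-03T10:01:40Z 10.0.0.7 GET https://pastebin.com/raw/EXAMPLEID 200",
    "2020-12-03T10:02:05Z 10.0.0.9 GET https://www.example.org/index.html 200",
    "2020-12-03T10:05:33Z 10.0.0.7 GET https://daopker.com/download/win 200",
]

def build_constructed_tree() -> Path:
    """Throwaway 'Programs' folder with one lure-named app and one benign app."""
    root = Path(tempfile.mkdtemp())
    (root / "DaoPoker").mkdir()
    (root / "Visual Studio Code").mkdir()
    return root
```

Point `find_lure_app_dirs` at the real install roots on the machine being checked and feed `find_lure_domains` the exported proxy or DNS log instead of the sample lines.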
Go malware is popular with attackers because it is detected and analysed less reliably: compiled Go binaries are considerably more complicated to pick apart than those written in C, C++, or C#. Go also makes it much easier to build malware that runs on multiple platforms. You can never be too careful about doing your due diligence: stick with trusted, well-known platforms. New and shiny things are not always the best ones.