ElectroRAT, the malware that is emptying cryptocurrency wallets

Source: HW Upgrade added 07th Jan 2021


Attackers have been targeting cryptocurrency wallet holders with ElectroRAT for months. Intezer researchers discovered fake digital currency management apps bundled with this malware, which is written in Go.

By Manolo De Agostini, published at 08:01 in the Security channel

Intezer security researchers discovered a new RAT (remote access trojan) aimed at emptying the cryptocurrency wallets of thousands of Windows, Linux and macOS users. ElectroRAT, as the new threat is called, was only discovered in the last few weeks, in December, but it had already been active since the beginning of 2020.

ElectroRAT was developed in the Go programming language, which is becoming popular with malware writers for several reasons: analysis is more complicated than for malware written in C, C++ or C#, and binaries can easily be compiled for different platforms, allowing more users to be attacked.

The attackers who developed ElectroRAT embedded it inside Electron applications (a framework for developing apps) built ad hoc to look like real tools for managing cryptocurrency portfolios, and not only that. The “fake” apps were called Jamm, eTrade/Kintum and DaoPoker, and were hosted on dedicated websites at the addresses jamm.to, kintum.io and daopker.com.

The first two apps were presented as simple cryptocurrency exchange platforms, while the third was a poker application. The researchers established that, to spread the apps, the attackers published advertisements on niche cryptocurrency forums (bitcointalk and SteemCoinPan) and took advantage of social networks (Twitter and Telegram).

The malicious apps show the user an interface designed to distract attention from ElectroRAT operating in the background. The apps were downloaded thousands of times between January and December 2020, approximately 6,500 according to a Pastebin page that the malware uses to retrieve the addresses of its command and control (C2) servers.

“The trojan app and the ElectroRAT binaries are poorly detected or pass completely unnoticed in VirusTotal at the time of this writing,” said the Intezer researchers. However, emptying cryptocurrency wallets is not the only goal, as ElectroRAT also works as a “keylogger, captures screenshots, loads files from disk, downloads files and executes commands on the victim's console”.

“It is very rare to see a RAT written from scratch and used to steal personal information of cryptocurrency users,” concludes Intezer. “It’s even rarer to see such a large and targeted campaign that includes various components, such as fake apps and websites, and marketing/promotion efforts via relevant forums and social media.”

In case of infection, it is necessary to immediately terminate the processes of the app in question and remove all of its files from the system. Furthermore, if the cryptocurrency wallets have not already been emptied, it would be wise to transfer the funds to a new wallet and change all system passwords as soon as possible. Further details can be found in the Intezer blog article.