Cyber-security experts have discovered a new malware family targeting cryptocurrency users that has been active for over a year.
The malware, dubbed ElectroRAT by Intezer, uses trojanized applications to install a previously undetected remote access tool on target systems.
“ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware and evade most antivirus engines. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch,” the researchers noted.
The attacker behind this operation has lured cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media.
“We estimate this campaign has already infected thousands of victims—based on the number of unique visitors to the pastebin pages used to locate the command and control servers,” they added.
The attacker has created three different trojanized applications, each with a Windows, Linux and Mac version. The binaries are hosted on websites built specifically for this campaign.
These applications are all cryptocurrency-themed. “Jamm” and “eTrade” are cryptocurrency trade management applications, and “DaoPoker” is a cryptocurrency poker app.
The attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application.
As part of its behavioral flow, ElectroRAT contacts raw pastebin pages to retrieve the C&C IP address. The pastebin pages are published by the same user, called “Execmac”. Browsing the user’s page, we have more visibility into the number of victims subject to this campaign.
Jamm, DaoPoker and eTrade were built using Electron, a cross-platform desktop application framework. ElectroRAT is embedded inside each application. Once a victim runs the application, an innocent-looking GUI opens while ElectroRAT runs hidden in the background under the process name “mdworker”.
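The two behaviors described above (C&C lookup through raw pastebin pages, and the implant hiding under the name of a genuine macOS Spotlight process) are both things a defender can hunt for in proxy logs and process listings. The following is an added example and not code from the article or from Intezer; the log and process-listing formats, the sample lines, and the assumption that the legitimate mdworker only runs from under /System/ are all constructed for illustration.

```python
# Added detection helpers for two ElectroRAT behaviours described above: C&C
# lookup via raw pastebin pages, and the implant hiding under the process name
# "mdworker" (a genuine macOS Spotlight indexer name). Formats are constructed.
import re
from urllib.parse import urlsplit

# Constructed proxy-log format: "<ts> <client_ip> <method> <url> <status>"
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumption: the real Spotlight worker runs from under /System/; any other
# executable using that process name is treated as a masquerade.
LEGIT_MDWORKER_PREFIX = "/System/"

def pastebin_raw_fetches(proxy_lines):
    """Return (client_ip, url) for requests to raw pastebin pages."""
    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        _ts, client, _method, url, _status = m.groups()
        parts = urlsplit(url)
        if (parts.hostname or "").endswith("pastebin.com") and parts.path.startswith("/raw/"):
            hits.append((client, url))
    return hits

def masquerading_mdworker(ps_lines):
    """Return (pid, path) of mdworker processes not running from /System/.
    Input lines are constructed as "<pid> <user> <executable path>"."""
    suspicious = []
    for line in ps_lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue
        pid, _user, path = fields
        if path.rsplit("/", 1)[-1] == "mdworker" and not path.startswith(LEGIT_MDWORKER_PREFIX):
            suspicious.append((int(pid), path))
    return suspicious

# Constructed sample data (not real indicators from the campaign)
SAMPLE_PROXY = [
    "2021-01-05T10:01:02Z 10.0.0.7 GET https://pastebin.com/raw/EXAMPLE01 200",
    "2021-01-05T10:01:03Z 10.0.0.7 GET https://example.org/index.html 200",
    "2021-01-05T10:02:10Z 10.0.0.9 GET https://pastebin.com/u/someuser 200",
]
SAMPLE_PS = [
    "412 alice /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Support/mdworker",
    "8871 alice /Users/alice/Downloads/eTrade.app/Contents/MacOS/mdworker",
    "8872 alice /Applications/Safari.app/Contents/MacOS/Safari",
]
```

Run against the constructed samples, the first function flags only the raw pastebin fetch from 10.0.0.7 and the second flags only the mdworker living inside the Downloads folder; the genuine /System/ copy is left alone.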
“ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and macOS variants,” added the researchers.
This article was adapted from Intezer.