New ElectroRAT Malware Targets Cryptocurrency
In the past year, cybersecurity researchers have noticed an increase in malware targeting crypto wallets. The new ElectroRAT malware, for example, is a remote access trojan (RAT) embedded in apps built on the Electron app-building framework, and it is able to steal victims’ funds.
The ElectroRAT campaign first emerged in December and Intezer Labs discovered that it has drained thousands of victims’ cryptocurrency wallets. According to the research, the hackers behind the campaign created three tainted applications – two trade management tools and a poker app – that are distributed via websites set up specifically for the operation. Once installed, these fake applications would display a foreground user interface designed to divert the victim’s attention from the ElectroRAT malicious background process.
These apps were promoted in niche cryptocurrency forums and social media accounts to entice users into downloading them. Upon launching the tainted applications, an innocent graphical user interface (GUI) opens while ElectroRAT hides in the background as “mdworker”.
This malware has been running for over a year now and has claimed almost 6,500 victims. The attackers used a range of techniques to target victims, including posting ads for the apps on niche cryptocurrency forums and using paid social media influencers to advertise them.
The threat actors also used domain registrations, websites, trojanized applications and fake social media accounts to target victims and their digital wallets. This is a very sophisticated approach to executing a hacking campaign, and it is rare for an attacker to create original tools like ElectroRAT that can be used on multiple platforms, Intezer noted.
Another interesting aspect of the ElectroRAT campaign is that it was developed from scratch in Golang – an open-source language for multiplatform functionality. Because the same code base can be compiled for Windows, Linux and macOS, a single RAT covers all three, and it was able to run undetected on those systems for a long time.
Other threat actors have been using RATs to target cryptocurrency over the past few years, but ElectroRAT is the first to have targeted users across operating systems. The malware is able to capture keystrokes, take screenshots, download files to disk, upload files from disk and execute commands sent from a command-and-control (C2) server.
ElectroRAT contacts raw pastebin pages to retrieve C2 server addresses and has already infected thousands of machines since its release in December. One of the pastebin pages used by the malware to retrieve these C2 servers – posted by an anonymous user in January 2020 – has been accessed just short of 6,500 times.
The analysis of the Pastebin page and its contents reveals that the attackers were using off-the-shelf trojans such as Amadey and KPOT in addition to their Golang-based malware, which allowed them to stay under the radar for over a year by evading antivirus detections. It is also worth noting that both Amadey and KPOT are well-known trojans that antivirus products readily flag, which makes remaining undetected after infection a lot more difficult.