
Do you smell an Electro RAT? Drains Cryptocurrency Wallet Funds of 1,000s!


At least 6,500 cryptocurrency users have been infected by new, ‘extremely intrusive’ malware that is spread via trojanised macOS, Windows & Linux apps.

A new remote access tool (RAT) has been found being used in an extensive campaign. The attack has targeted cryptocurrency users in an attempt to collect their private keys & ultimately to drain their wallets.

The newly-seen RAT at the centre of the campaign, which researchers dub Electro RAT, is written in the Go programming language, & is compiled to target a number of different operating systems, including Windows, Linux & MacOS.

Began 1 Year Ago

The campaign was 1st discovered in Dec. 2020 – but researchers believe it initially began 1 year ago, & estimate that at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin pages used to locate command & control (C2) servers.

“Electro RAT is extremely intrusive,” explained Intezer researchers in a Tuesday-morning analysis. “It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files & executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux & MacOS variants.”

The Attack

The attacker behind the campaign 1st lured cryptocurrency users to download trojanised applications. These applications, which were promoted on cryptocurrency & blockchain-related forums such as bitcointalk & SteemCoinPan, relate directly to cryptocurrency. E.g., they purport to be “Jamm” & “eTrade,” which are cryptocurrency trade management applications, & “DaoPoker,” a cryptocurrency poker app.

“The trojanised applications are applications developed by the attacker & hosted on websites which were also developed by the attacker,” said Avigayil Mechtinger, security researcher at Intezer. Though these applications do function, she noted,

“Electro RAT is embedded inside of these applications, so upon execution a victim will see the application’s GUI, however Electro RAT will run hidden in the background.”

Twitter & Telegram

The attacker also created Twitter & Telegram profiles for the “DaoPoker” application on social media & paid an unnamed social media influencer (with over 25K followers on Twitter) to advertise the trojanised apps.

These apps were built using the app-building platform Electron, with Electro RAT embedded inside the app. When a victim opens & runs the application, Electro RAT runs secretly in the background under the process name “mdworker”.

Private Crypto Keys

The RAT then targets victims’ private crypto keys. A private key lets a user access their cryptocurrency wallet; access to this gives attackers the ability to take control of victim wallets, explained researchers.

“We have evidence that it was used to steal crypto wallets, however it has the capability to gather any information from the victim’s machine,” commented Mechtinger. She explained researchers do not have information about how much money was stolen.

Pastebin Pages

Researchers also found that Electro RAT contacts raw Pastebin pages to retrieve the C2 IP address. Upon viewing the Pastebin pages, researchers noted the 1st pages were posted on Jan. 8, 2020 – indicating the operation has been active for at least a year.
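The two behaviours the article describes, a process hiding under the name “mdworker” (see the Twitter & Telegram section above) and a non-browser process fetching a raw Pastebin page to look up its C2 address, are both things a defender can check for in endpoint telemetry. The script below is an added example, not code from the article, from Intezer or from the ElectroRAT operators. Its log format, the expected on-disk location of the genuine macOS Spotlight worker, the browser allow-list, the host names and the paste id are all constructed assumptions for the example.

```python
"""
Added triage example: scan constructed endpoint telemetry for the two
behaviours the article describes, an "mdworker" running from an unexpected
location and a non-browser process fetching a raw Pastebin page.
Everything below (format, paths, allow-list, sample events) is assumed.
"""
import re
from dataclasses import dataclass

# Assumption: the genuine macOS Spotlight worker ships inside the CoreServices
# framework bundle; an "mdworker" anywhere else is treated as masquerading.
EXPECTED_MDWORKER_PREFIX = "/System/Library/Frameworks/CoreServices.framework/"

# Assumption: only interactive browsers are expected to fetch raw pastes.
BROWSER_NAMES = {"firefox", "Safari", "Google Chrome", "chrome.exe"}

RAW_PASTE_RE = re.compile(r"^https?://pastebin\.com/raw/", re.IGNORECASE)

# Constructed sample events (key=value pairs, no spaces inside values).
# Host names and the paste id are placeholders, not real indicators.
SAMPLE_EVENTS = [
    "host=mac01 event=process_start name=mdworker "
    "path=/System/Library/Frameworks/CoreServices.framework/Frameworks/"
    "Metadata.framework/Versions/A/Support/mdworker",
    "host=mac01 event=process_start name=mdworker "
    "path=/Users/alice/Applications/DaoPoker.app/Contents/MacOS/mdworker",
    "host=mac01 event=net_connect name=mdworker "
    "path=/Users/alice/Applications/DaoPoker.app/Contents/MacOS/mdworker "
    "url=https://pastebin.com/raw/EXAMPLE_PASTE_ID",
    "host=lin02 event=net_connect name=firefox path=/usr/lib/firefox/firefox "
    "url=https://pastebin.com/raw/EXAMPLE_PASTE_ID",
    "host=lin02 event=net_connect name=etrade path=/opt/etrade/etrade "
    "url=https://prices.example.invalid/v1/ticker",
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def parse_event(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_event(ev: dict) -> list:
    """Apply both detection rules to one parsed event."""
    findings = []
    name = ev.get("name", "")
    path = ev.get("path", "")
    host = ev.get("host", "?")

    # Rule 1: process-name masquerading. The name alone is not the signal;
    # the mismatch between the name and the on-disk location is.
    if name == "mdworker" and not path.startswith(EXPECTED_MDWORKER_PREFIX):
        findings.append(Finding(host, "mdworker_masquerade", path))

    # Rule 2: dead-drop resolver. A raw paste fetched by something that is
    # not a browser matches the C2-lookup behaviour the article describes.
    url = ev.get("url", "")
    if (ev.get("event") == "net_connect" and RAW_PASTE_RE.match(url)
            and name not in BROWSER_NAMES):
        findings.append(Finding(host, "raw_paste_fetch_non_browser",
                                f"{name} -> {url}"))
    return findings


def triage(lines) -> list:
    """Run both rules over an iterable of log lines and collect findings."""
    results = []
    for line in lines:
        results.extend(check_event(parse_event(line)))
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
```

Run against the constructed sample, the genuine Spotlight worker and the Firefox fetch produce nothing, while the DaoPoker-hosted “mdworker” is flagged twice: once for its location and once for the raw-paste fetch. In a real deployment the Pastebin rule is the more durable of the two, since the dead-drop pattern survives a rename of the process, and the same rule can be pointed at proxy logs instead of endpoint events.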

Potential scam victims should delete all files related to the malware, move their funds to a new wallet & change all of their passwords, stated researchers.

Golang: Cyber-Crime Favourite

Researchers noted that Electro RAT is the latest example of attackers utilising the Go programming language to develop multi-platform malware. Previously discovered Golang malware variants include the Blackrota backdoor & a “Golang” cryptomining worm.

“It is very uncommon to see a RAT written from scratch & used to steal personal information of cryptocurrency users,” concluded researchers. “It is even more rare to see such a wide-ranging & targeted campaign that includes various components such as fake apps & websites, & marketing/promotional efforts via relevant forums & social media.”
