Security researchers from Intezer discovered a wide-ranging marketing campaign targeting cryptocurrency holders to pilfer their private keys and compromise their crypto wallets. Threat actors used maliciously crafted cryptocurrency-related apps, domain registrations, Trojanized applications, fake social media accounts, and a new Remote Access Tool (RAT) dubbed ElectroRAT. While the researchers discovered the ElectroRAT operation in December 2020, it is suspected that the operation may have been initiated in January 2020.
ElectroRAT is a new kind of malware with cross-platform functionality written in Golang (an open-source programming language) and designed to target multiple operating systems, including macOS, Linux, and Windows. “It is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes,” Intezer’s researchers said.
How Does ElectroRAT Work?
ElectroRAT operators created three different Trojanized applications, Jamm, eTrade, and DaoPoke, and hosted them on websites built especially for this campaign. The malicious applications were advertised on cryptocurrency and blockchain-related platforms such as Bitcointalk and SteemCoinPan. The ElectroRAT threat actor group tricked cryptocurrency traders into downloading the malicious apps by promoting them on fake online forums and social media platforms. It is estimated that ElectroRAT has infected thousands of victims so far.
“The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware,” Intezer’s researchers added.
Defending Against ElectroRAT
Intezer recommended several remedial measures for users who suspect they are a victim of the ElectroRAT malware operation. These include:
- Kill the process and delete all files related to the malware.
- Make sure your machine is clean and running 100% trusted code.
- Move your funds to a new wallet.
- Change all your passwords.