IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

ElectroRAT exploits Bitcoin boom to steal cryptocurrency

The year-long campaign comprises a custom-written remote access tool and fully-fledged marketing operation

Cyber criminals have been running a sophisticated operation to steal cryptocurrency from unsuspecting victims by luring them to fake exchange platforms and using a remote access tool (RAT) built from scratch to access their wallets.

The campaign, which has been running for a year, comprises domain registrations, websites, malicious applications, fake social media accounts and a previously undetected remote access tool (RAT) dubbed ElectroRAT, according to Intezer Labs researchers.

The hackers behind the operation have been enticing cryptocurrency users to join three apps named Jamm, eTrade and DaoPoker, loaded with ElectroRAT, by promoting them on popular forums such as bitcointalk. Fake users have been submitting promotional posts, while the apps were also given an online presence through the creation of fake Twitter and Telegram accounts.

Once any of these apps are installed on a victim’s machine, ElectroRAT is used to collect private keys to access victims’ wallets and steal cryptocurrency, such as Bitcoin, which has recently enjoyed a significant boom.

This tool is written in Golang and compiled to target popular operating systems including Windows, Linux and macOS, the security firm revealed having learned of the operation's existence in December. 

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” said security researcher with Intezer Labs, Avigayil Mechtinger. 

“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. This is difficult to detect by antivirus software due to the way the binaries are written. 

The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three Windows, Linux and macOS variants.

Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market - led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.

The ElectroRAT campaign has already affected more than 6,500 users, based on the numbers of visitors to the pastebin pages used to locate the command and control servers. 

Intezer Labs has recommended that victims take measures to protect themselves immediately. This mitigation process includes killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Hackers could use new Wslink malware in highly targeted cyber attacks
malware

Hackers could use new Wslink malware in highly targeted cyber attacks

1 Nov 2021
FBI raids Chinese POS business following cyber attack claims
malware

FBI raids Chinese POS business following cyber attack claims

27 Oct 2021
Malware developers create malformed code signatures to avoid detection
malware

Malware developers create malformed code signatures to avoid detection

24 Sep 2021
New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

13 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022