ElectroRAT exploits Bitcoin boom to steal cryptocurrency

The year-long campaign comprises a custom-written remote access tool and fully-fledged marketing operation

Cyber criminals have been running a sophisticated operation to steal cryptocurrency from unsuspecting victims by luring them to fake exchange platforms and using a remote access tool (RAT) built from scratch to access their wallets.

The campaign, which has been running for a year, comprises domain registrations, websites, malicious applications, fake social media accounts and a previously undetected remote access tool (RAT) dubbed ElectroRAT, according to Intezer Labs researchers.

The hackers behind the operation have been enticing cryptocurrency users to join three apps named Jamm, eTrade and DaoPoker, loaded with ElectroRAT, by promoting them on popular forums such as bitcointalk. Fake users have been submitting promotional posts, while the apps were also given an online presence through the creation of fake Twitter and Telegram accounts.

Once any of these apps are installed on a victim’s machine, ElectroRAT is used to collect private keys to access victims’ wallets and steal cryptocurrency, such as Bitcoin, which has recently enjoyed a significant boom.

This tool is written in Golang and compiled to target popular operating systems including Windows, Linux and macOS, the security firm revealed having learned of the operation's existence in December. 

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” said security researcher with Intezer Labs, Avigayil Mechtinger. 

“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. This is difficult to detect by antivirus software due to the way the binaries are written. 

The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three Windows, Linux and macOS variants.

Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market - led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.

The ElectroRAT campaign has already affected more than 6,500 users, based on the numbers of visitors to the pastebin pages used to locate the command and control servers. 

Intezer Labs has recommended that victims take measures to protect themselves immediately. This mitigation process includes killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021

Most Popular

Zoom: From pandemic upstart to hybrid work giant
video conferencing

Zoom: From pandemic upstart to hybrid work giant

14 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Hackers develop Linux port of Cobalt Strike for new attacks
Security

Hackers develop Linux port of Cobalt Strike for new attacks

14 Sep 2021