ElectroRAT exploits Bitcoin boom to steal cryptocurrency

The year-long campaign comprises a custom-written remote access tool and fully-fledged marketing operation

Cyber criminals have been running a sophisticated operation to steal cryptocurrency from unsuspecting victims by luring them to fake exchange platforms and using a remote access tool (RAT) built from scratch to access their wallets.

The campaign, which has been running for a year, comprises domain registrations, websites, malicious applications, fake social media accounts and a previously undetected remote access tool (RAT) dubbed ElectroRAT, according to Intezer Labs researchers.

The hackers behind the operation have been enticing cryptocurrency users to join three apps named Jamm, eTrade and DaoPoker, loaded with ElectroRAT, by promoting them on popular forums such as bitcointalk. Fake users have been submitting promotional posts, while the apps were also given an online presence through the creation of fake Twitter and Telegram accounts.

Once any of these apps are installed on a victim’s machine, ElectroRAT is used to collect private keys to access victims’ wallets and steal cryptocurrency, such as Bitcoin, which has recently enjoyed a significant boom.

This tool is written in Golang and compiled to target popular operating systems including Windows, Linux and macOS, the security firm revealed having learned of the operation's existence in December. 

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” said security researcher with Intezer Labs, Avigayil Mechtinger. 

“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. This is difficult to detect by antivirus software due to the way the binaries are written. 

The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three Windows, Linux and macOS variants.

Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market - led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.

The ElectroRAT campaign has already affected more than 6,500 users, based on the numbers of visitors to the pastebin pages used to locate the command and control servers. 

Intezer Labs has recommended that victims take measures to protect themselves immediately. This mitigation process includes killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Nigerian cyber criminals target Texas unemployment system
cyber security

Nigerian cyber criminals target Texas unemployment system

27 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
Cyber attacks on manufacturing up 300% in a year
Security

Cyber attacks on manufacturing up 300% in a year

11 May 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
Ten-year-old iOS 4 recreated as an iPhone app
iOS

Ten-year-old iOS 4 recreated as an iPhone app

10 Jun 2021
What is HTTP error 400 and how do you fix it?
Network & Internet

What is HTTP error 400 and how do you fix it?

16 Jun 2021