Operation ElectroRAT – Attacker Creates Fake Companies to Steal Cryptocurrencies

Security researchers at Intezer Labs have discovered a Remote Access Trojan (RAT). The attacker behind this operation enticed cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media.

The campaign was revealed in December 2020, but researchers suspect the group began spreading their malware as early as January 8, 2020. 

The new, previously undetected RAT is written in the Go programming language (Golang). Named ElectroRAT, it is compiled to target multiple operating systems: Windows, Linux and macOS.

The Operation

The attacker behind the campaign lured cryptocurrency users into downloading trojanized applications. The attacker created three different trojanized applications, each with a Windows, Linux and Mac version.

These applications are directly related to cryptocurrency. For instance, according to the experts, “Jamm” and “eTrade” are cryptocurrency trade management applications and “DaoPoker” is a cryptocurrency poker app.

The applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were installing malware.

The attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application, in addition to paying a social media influencer for advertisement. 

[Figures: DaoPoker’s Twitter page; eTrade (Kintum) promoted advertiser on Twitter]

Victims of the Operation

ElectroRAT contacts raw Pastebin pages to retrieve the C&C IP address. The Pastebin pages are published by the same user, called “Execmac”. Browsing the user’s page gives more visibility into the number of victims of this campaign.
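The lookup pattern described above (a raw paste fetch followed by traffic to a bare IP address) can be hunted for in web proxy logs. The following is an added example, not code from Intezer or from this article; the three-field log format, the host names, the paste IDs, the documentation-range IP addresses and the 60-second window are all assumptions, and the sample log is constructed.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample proxy log (not real data): ISO timestamp, client host, URL.
SAMPLE_LOG = """\
2021-01-05T10:00:01 ws-014 https://pastebin.com/raw/EXAMPLE01
2021-01-05T10:00:03 ws-014 https://example.org/index.html
2021-01-05T10:02:10 ws-022 https://pastebin.com/raw/EXAMPLE02
2021-01-05T10:02:12 ws-022 http://203.0.113.45:8080/
2021-01-05T11:30:00 ws-031 https://pastebin.com/raw/EXAMPLE03
2021-01-05T12:45:00 ws-031 http://198.51.100.7/
2021-01-05T13:00:00 ws-040 http://192.0.2.10/status
"""

def is_raw_paste(url):
    """True for raw paste URLs such as https://pastebin.com/raw/<id>."""
    parts = urlsplit(url)
    return parts.hostname == "pastebin.com" and parts.path.startswith("/raw/")

def literal_ip(url):
    """Return the URL's host if it is a bare IP address, else None."""
    host = urlsplit(url).hostname
    try:
        return str(ipaddress.ip_address(host)) if host else None
    except ValueError:
        return None

def find_dead_drop_lookups(log_text, window_seconds=60):
    """Flag clients that contact a literal IP shortly after a raw paste fetch."""
    last_paste = {}  # client -> (time, url) of its most recent raw paste fetch
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        try:
            when = datetime.fromisoformat(fields[0])
        except ValueError:
            continue  # skip lines with an unparseable timestamp
        client, url = fields[1], fields[2]
        if is_raw_paste(url):
            last_paste[client] = (when, url)
        elif (ip := literal_ip(url)) and client in last_paste:
            paste_time, paste_url = last_paste[client]
            if 0 <= (when - paste_time).total_seconds() <= window_seconds:
                hits.append((client, paste_url, ip))
    return hits
```

On the constructed log only `ws-022` is flagged; hits are leads for triage, since legitimate tools also fetch raw pastes and connect to bare IP addresses.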

Technical Analysis

Once a victim runs the application, an innocent-looking GUI opens while ElectroRAT runs hidden in the background.

ElectroRAT is extremely intrusive. Its capabilities include keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities in its Windows, Linux and macOS variants.

Detection

Linux Machines

Use Intezer Protect to gain full runtime visibility over the code in Linux-based systems and get alerted on any malicious or unauthorized code.

Windows Machines

Running Intezer’s Endpoint Scanner will provide visibility into the type and origin of all binary code that resides in a machine’s memory.

Measures to be taken

  • Kill the process and delete all files related to the malware.
  • Make sure your machine is clean and running 100% trusted code using Intezer’s tools.
  • Move your funds to a new wallet.
  • Change all of your passwords.

Final Word

ElectroRAT is the most recent example of attackers utilizing the Go programming language to develop multi-platform malware. 

It is uncommon to see such a wide-ranging, targeted campaign that includes various components such as fake apps and marketing or promotional efforts through relevant forums and social media.

Users who have fallen victim to this campaign need to kill the process, remove all malware files, transfer their funds to a new wallet, and create new passwords.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.