Operation ElectroRAT – Attacker Creates Fake Companies to Steal Cryptocurrencies

Security researchers at Intezer Labs had discovered a Remote Access Trojan (RAT). The attacker behind this operation has enticed cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media.

The campaign was revealed in December 2020, but researchers suspect the group began spreading their malware as early as January 8, 2020. 

A new undetected RAT malware is written in Golang programming language. The malware was named ElectroRAT, compiled to target multiple operating systems: Windows, Linux and MacOS.

The Operation

The attacker behind the campaign lured cryptocurrency users to download trojanized applications. The attacker has created three different trojanized applications, each with a Windows, Linux and Mac version.

These applications are directly related to cryptocurrency. For instance, the experts purport “Jamm” and “eTrade” are cryptocurrency trade management applications and “DaoPoker” is a cryptocurrency poker app.

The applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were installing malware.

The attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application, in addition to paying a social media influencer for advertisement. 

   DaoPoker’s Twitter page                                               eTrade (Kintum) promoted advertiser on Twitter

Victims of the Operation

ElectroRAT contacts raw pastebin pages to retrieve the C&C IP address. The pastebin pages are published by the same user called “Execmac”. Browsing the user’s page can have more visibility into the number of victims subject to this campaign.

Technical Analysis

Once a victim runs the application, an innocent GUI will open, while ElectroRat runs hidden in the background.

ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.


Linux Machines

 Intezer Protect should be used to gain full runtime visibility over the code in Linux-based systems and get alerted on any malicious or unauthorized code. 

Windows Machines

Running Intezer’s Endpoint Scanner will provide with visibility into the type and origin of all binary code that resides in a machine’s memory.

Measures to be taken

  • Kill the process and delete all files related to the malware.
  • Make sure your machine is clean and running 100% trusted code using Intezer’s tools
  • Move your funds to a new wallet.
  • Change all of your passwords.

Final Word

ElectroRAT is the most recent example of attackers utilizing the Go programming language to develop multi-platform malware. 

It is more uncommon to notice such a wide-ranging targeted campaign that includes various components such as fake apps and marketing or promotional efforts through relevant forums and social media.

Users who have fallen victim to this campaign need to kill the process, remove all malware files, transfer their funds to a new wallet, and create new passwords.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.