ElectroRAT exploits Bitcoin boom to steal cryptocurrency

The year-long campaign comprises a custom-written remote access tool and fully-fledged marketing operation

Cyber criminals in a dark room using a monitor with the Bitcoin logo shown

Cyber criminals have been running a sophisticated operation to steal cryptocurrency from unsuspecting victims by luring them to fake exchange platforms and using a remote access tool (RAT) built from scratch to access their wallets.

The campaign, which has been running for a year, comprises domain registrations, websites, malicious applications, fake social media accounts and a previously undetected remote access tool (RAT) dubbed ElectroRAT, according to Intezer Labs researchers.

The hackers behind the operation have been enticing cryptocurrency users to join three apps named Jamm, eTrade and DaoPoker, loaded with ElectroRAT, by promoting them on popular forums such as bitcointalk. Fake users have been submitting promotional posts, while the apps were also given an online presence through the creation of fake Twitter and Telegram accounts.

Once any of these apps are installed on a victim’s machine, ElectroRAT is used to collect private keys to access victims’ wallets and steal cryptocurrency, such as Bitcoin, which has recently enjoyed a significant boom.

This tool is written in Golang and compiled to target popular operating systems including Windows, Linux and macOS, the security firm revealed having learned of the operation's existence in December. 

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” said security researcher with Intezer Labs, Avigayil Mechtinger. 

“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. This is difficult to detect by antivirus software due to the way the binaries are written. 

The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three Windows, Linux and macOS variants.

Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market - led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.

The ElectroRAT campaign has already affected more than 6,500 users, based on the numbers of visitors to the pastebin pages used to locate the command and control servers. 

Intezer Labs has recommended that victims take measures to protect themselves immediately. This mitigation process includes killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
What is hacktivism?
hacking

What is hacktivism?

22 Apr 2021
FBI shuts down web shells in hacked Exchange servers
cyber security

FBI shuts down web shells in hacked Exchange servers

14 Apr 2021

Most Popular

REvil threatens to release Apple’s hardware schematics
ransomware

REvil threatens to release Apple’s hardware schematics

21 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
Samsung Galaxy S21 Ultra review: Ultra in every sense of the word
Mobile Phones

Samsung Galaxy S21 Ultra review: Ultra in every sense of the word

22 Apr 2021