ElectroRAT Cross-platform Malware Depletes Cryptocurrency Wallets

Sameeratakhtani
Jan 6, 2021

Security researchers have found a new Remote Access Trojan (RAT) that is being used to drain the cryptocurrency wallets of thousands of Windows, Linux, and macOS users.

Dubbed ElectroRAT after being discovered in December, the cross-platform RAT is written in Golang and has been used in a campaign targeting cryptocurrency users since early 2020.

Thousands of people infected in a year

The attackers behind the ElectroRAT operation created custom Electron applications built to look and function like cryptocurrency trade-management tools (Jamm and eTrade) and a cryptocurrency poker application (DaoPoker), and embedded their RAT in them.

Once launched on the victim’s computer, these applications display a foreground user interface designed to distract the victim from the malicious ElectroRAT process running in the background.

To attract potential victims, the threat actors promoted the trojanized applications on social media (Twitter and Telegram) and in dedicated online forums (BitcoinTalk and SteemCoinPan), according to an Intezer report shared with BleepingComputer earlier this week.

The malicious applications were downloaded by thousands of victims between January and December 2020, and the malware used Pastebin pages to retrieve its command and control (C2) server addresses; those pages were accessed nearly 6,500 times during the year.

“The ElectroRAT Trojan application and binaries are not detected or completely undetected by VirusTotal at the time of writing,” says Intezer.

After being infected and having their wallets emptied by the malware operators, some of the victims also warned others about the malicious apps.

Switching from commodity to custom malware

Pastebin pages published by the same user who uploaded the ElectroRAT C2 information show that the attackers also used the Amadey and KPOT information-stealing trojans.

Both of these trojans target only the Windows platform and are well known, which makes any effort to go unnoticed after infection nearly impossible.

The new, undetected Golang-based ElectroRAT was likely a far more effective tool for a stealthy operation, especially since it offers similar functionality while allowing multiple platforms to be targeted.

ElectroRAT is an especially intrusive piece of malware with a wide range of capabilities shared by its Windows, Linux, and macOS variants, including “keylogging, screenshot, uploading files from disk, downloading files, and performing commands on the victim’s console.”

“It is very rare to see a RAT written from scratch that has managed to steal personal information from cryptocurrency users,” Intezer concludes.

“It is even rarer to see such a large and targeted campaign that includes various components such as fake websites and apps and marketing/promotion initiatives via relevant forums and social media.”

If you have downloaded and run the trojanized Jamm, eTrade, or DaoPoker applications on your computer, you should immediately terminate their processes and completely remove all related files from the system.

If your cryptocurrency wallets have not yet been emptied, you should also move all your funds to a new wallet immediately and change all your passwords as soon as possible.

In December, Intezer also discovered another Golang-based malware with self-propagating capabilities that was used to deploy XMRig cryptocurrency miners on Windows and Linux servers.
