ElectroRAT malware zaps thousands of systems to empty cryptocurrency wallets

Security researchers have discovered a new ElectroRAT malware that empties cryptocurrency wallets on thousands of macOS, Linux and Windows systems.

Intezer discovered the “wide-ranging” ElectroRAT operation in December and estimated the cybercriminal campaign likely started in January, 2020.

The cybercriminal campaign leverages ElectroRAT, a Remote Access Tool (RAT), along with Domain registrations, various websites, trojanized applications and fake social media accounts to target cryptocurrency users.

“The attacker behind this operation has lured cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media. We estimate this campaign has already infected thousands of victims—based on the number of unique visitors to the pastebin pages used to locate the command and control servers,” Intezer explained in the blog post.

ElectoRAT malware

According to Intezer, ElectroRAT is unique in that it was developed from scratch in Golang and was used to target multiple operating systems running macOS, Linux and Windows.

The cryptocurrency-related trojanized apps include two trade management apps “Jamm” and “eTrade“. A Third application “DaoPoker” is a cryptocurrency poker app. The binaries are also hosted on websites built specifically for the ElectroRAT campaign.

In addition, the fraudsters created fake accounts to help market the apps via cryptocurrency and blockchain-related forums. Unsuspecting users were then enticed to download the malware-infested fake apps to their systems.

As part of Intezer’s analysis, there appears to be approximately 6,500 victims that fell victim to the campaign at the time of the blog post.

“Once a victim runs the application, an innocent GUI will open, while ElectroRat runs hidden in the background as ‘mdworker’,” Intezer stated.

Moreover, Intezer added ElectroRAT has numerous capabilities such as “keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console.”

For more details on ElectroRAT, readers can check out recent Tweet from Twitter user AbbyMCH:

[1/7] Operation #ElectroRAT is a new campaign that takes sizable measures to steal crypto wallets. For more information about the operation – https://t.co/CWLnOevKir

The following is a technical analysis->@IntezerLabs

— Avigayil Mechtinger (@AbbyMCH) January 5, 2021

Readers can also check out related articles below for recent RAT and related threat campaigns.

Related Articles

• Russian threat actors use new ComRAT and Zebrocy malware in recent attacks
• New version of CRAT remote access trojan targets endpoints
• APT actors exploit legacy internet-facing vulnerabilities in combination with Zerologon to target organizations
• APT41 launches broad cyber campaign with multiple exploits
• APT33 uses a dozen botnets in targeted malware campaign
• Microsoft takes down 99 websites used by APT35/Phosphorus
• APT28 Group DDE attacks with Seduploader