The IT security researchers at Intezer have discovered a new RAT (Remote Access Tool) that is capable of targeting Windows, Linux, and MacOS. The malware is capable of stealing private keys to access victims’ wallets and also run keylogger on a targeted device.

Researchers dubbed the attack as ElectroRat. The malware is written in Go programming language and currently being spread through different dedicated online forums and social media platforms where its authors are luring cryptocurrency owners to download applications that are trojanized.

According to report at least 6,500 victims have been infected, based on the number of unique visitors to the Pastebin pages used to locate command and control (C2) servers.

According to Intezer researchers “ElectroRAT is extremely intrusive.” It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console.

The Attack:

The attacker first lured cryptocurrency users to download trojanized applications. The trojanized applications are applications developed by the attacker and hosted on websites which were also developed by the attacker. These applications, which were promoted on cryptocurrency and block chain-related forums such as bitcoin talk and ​SteemCoinPan​, relate directly to cryptocurrency.

Researchers said, “ElectroRAT is embedded inside of these applications, so on execution a victim will see the application’s GUI, however ElectroRAT will run hidden in the background.”

These apps were built using app-building platform Electron, with ElectroRAT embedded inside the app. Once a victim opens and runs the application, ElectroRat is running secretly in the background as “mdworker”. Then, the RAT targets victims’ private crypto keys.

According to researchers a private key allows a user to access his or her cryptocurrency wallet; access to this would give attackers the ability to take hold of victim wallets.

Upon closer inspection, researchers found that Electro RAT contacts raw Pastebin pages to retrieve the C2 IP address. Upon viewing the Pastebin pages, researchers noted that the first pages were posted on Jan. 8, 2020 – indicating the operation has been active for at least a year.

Although researchers do not have information about how much money was stolen yet.

Researchers said, “It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users. It is even rarer to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”

Recommendations:

• Victims should make sure to delete all files related to the malware, move their funds to a new wallet and change all of their passwords.
• It is highly recommended to not download application from unauthorized sources.
• Always use strong password and change it in timely manner.
• Make sure you are working on updated operating system and all applications are updated as well.