The ElectroRAT malware has been attempting to steal cryptoassets, including bitcoin (BTC), litecoin (LTC), ethereum (ETH), and monero (XMR), among others, from thousands of victims for the past year, according to a researcher at the New York-based cybersecurity company Intezer Labs.
Intezer estimates the campaign has infected thousands of victims, “based on the number of unique visitors to the pastebin pages used to locate the command and control servers.”
As of early January 2021, the user’s pastes have attracted close to 6,500 unique users, according to data obtained by the cybersecurity firm.
The development is part of a larger trend involving the spike in popularity of crypto-focused worms written in Golang, an open-source programming language.
Avigayil Mechtinger, Security Researcher at Intezer, said the company discovered the wide-ranging operation last December, but believes it was launched in January 2020.
“This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch,” Mechtinger said, adding it involved domain “registrations, websites, trojanized applications, fake social media accounts and a new undetected RAT that we have named ElectroRAT.”
Developed to target a number of operating systems, including Windows, Linux, and MacOS, the remote access trojan (RAT) was created with the use of Electron, a framework used to build a desktop app, hence the name.
“It is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes,” the researcher said. “The attacker behind this operation has lured cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media.”
According to the company, if you were, or suspect that you are a victim of this scam, take the following steps:
- Kill the process and delete all files related to the malware.
- Make sure your machine is clean and running 100% trusted code using Intezer’s tools mentioned above.
- Move your funds to a new wallet.
- Change all of your passwords.
Also, in a related development indicating the surge of multi-platform malware developed in Golang, Intezer recently discovered a worm that has been using its victims’ hardware to mine Monero. The malware targets public-facing services such as MySQL, Tomcat, Jenkins, and WebLogic.
“The worm attempts to spread across the network in order to run XMRig Miner on a large scale. The malware targets both Windows and Linux servers and can easily maneuver from one platform to the other,” Mechtinger said.
Crypto Security in 2021: More Threats Against DeFi and Individual Users
Teaching True Story: Trader Robbed of Nearly USD Half Million in Bitcoin