Cyber criminals have been running a sophisticated operation to steal cryptocurrency from unsuspecting victims by luring them to fake exchange platforms and using a remote access tool (RAT) built from scratch to access their wallets.

The campaign, which has been running for a year, comprises domain registrations, websites, malicious applications, fake social media accounts and a previously undetected remote access tool (RAT) dubbed ElectroRAT, according to Intezer Labs researchers.

The hackers behind the operation have been enticing cryptocurrency users to join three apps named Jamm, eTrade and DaoPoker, loaded with ElectroRAT, by promoting them on popular forums such as bitcointalk. Fake users have been submitting promotional posts, while the apps were also given an online presence through the creation of fake Twitter and Telegram accounts.

Once any of these apps are installed on a victim’s machine, ElectroRAT is used to collect private keys to access victims’ wallets and steal cryptocurrency, such as Bitcoin, which has recently enjoyed a significant boom.

This tool is written in Golang and compiled to target popular operating systems including Windows, Linux and macOS, the security firm revealed having learned of the operation’s existence in December. 

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users,” said security researcher with Intezer Labs, Avigayil Mechtinger. 

“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. This is difficult to detect by antivirus software due to the way the binaries are written. 

The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three Windows, Linux and macOS variants.

Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market – led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.

The ElectroRAT campaign has already affected more than 6,500 users, based on the numbers of visitors to the pastebin pages used to locate the command and control servers. 

Intezer Labs has recommended that victims take measures to protect themselves immediately. This mitigation process includes killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.

Featured Resources

Security benefits of open virtualised RAN

How radio access network infrastructure strengthens and simplifies your security strategy

Download now

Are desktops doomed?

Trends in digital workspaces, VDI, and DaaS

Download now

The state of remote work

Preparing for business as usual – from anywhere

Download now

The total economic impact of Slack for technical teams

Cost savings and business benefits enabled by Slack

Download now