Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New ElectroRAT employed in a wide-ranging operation targeting cryptocurrency users

Researchers uncovered a large scale operation targeting cryptocurrency users with a previously undetected multiplatform RAT named ElectroRAT. Security researchers from Intezer uncovered a large scale operation targeting cryptocurrency users with a previously undetected RAT named ElectroRAT. The campaign was uncovered in December, but according to the experts is active since at least January 2020. The […]

ElectroRAT

Researchers uncovered a large scale operation targeting cryptocurrency users with a previously undetected multiplatform RAT named ElectroRAT.

Security researchers from Intezer uncovered a large scale operation targeting cryptocurrency users with a previously undetected RAT named ElectroRAT.

The campaign was uncovered in December, but according to the experts is active since at least January 2020.

The campaign appears well arranged, operators carried out a full-fledged marketing campaign, employed a custom cryptocurrency-related applications and the multiplatform RAT dubbed ElectroRAT.

“The campaign includes: Domain registrations, websites, trojanized applications, fake social media accounts and a new undetected RAT that we have named ElectroRAT. ElectroRAT is written in Golang and compiled to target multiple operating systems: Windows, Linux and MacOS.” reads the analysis published by Intezer.

“It is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes.”

ElectroRAT is written in Golang, the analysis of the number of unique visitors to the Pastebin pages used to locate the C2 servers revealed it has already infected thousands of victims.

ElectroRAT

The attackers developed three different malicious applications as part of this campaign, the cryptocurrency trade management applications “Jamm” and “eTrade” and the cryptocurrency poker app “DaoPoker”. 

Each application has a Windows, Linux and Mac version and its binaries are hosted on websites specifically set up for this campaign.

The above apps were advertised in cryptocurrency and blockchain-related forums, including bitcointalk and SteemCoinPan.

The attackers also created Twitter and Telegram profiles for the “DaoPoker” app and involved a paid social media influencer to advertise the app.

Once a victim runs the application, an innocent GUI will open, while ElectroRat runs hidden in the background as “mdworker”.

Upon launching the apps on a victim’s computer, they would show a foreground user interface designed to divert the victims’ attention from the malicious ElectroRAT background process.

The malicious application and the ElectroRAT binaries have a low detection rate in VirusTotal.

“ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.” continues the variant.

The malware is able to steal all funds from the victim’s wallet.

Users that have executed the Jamm​, eTrade, or DaoPoker apps on their computer, should kill the related processes and remove all associated files.

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

“ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware.” Intezer concludes.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ElectroRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]