A stealthy year-long malware operation has been uncovered in which threat actors built fake cryptocurrency apps to trick users into installing a previously unknown strain of malware, with the aim of stealing victims' funds.
The campaign was discovered last month by security researchers at Intezer Labs, who believe the group began distributing the malware as early as January 2020.
Intezer Labs said the hackers relied on three cryptocurrency-related apps for their scheme. The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively.
The first two apps claimed to provide a simple platform to trade cryptocurrency, whereas the third was a cryptocurrency poker app.
All three apps were offered for Windows, macOS, and Linux, and were built on Electron, a framework for packaging web applications as desktop apps.
Each of the apps carried a new malware strain hidden inside it, which the researchers have named ElectroRAT.
The researchers describe ElectroRAT as extremely intrusive, with capabilities that include keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim's console.
The malware is believed to have been used to harvest cryptocurrency wallet keys and then drain victims' accounts.
To spread the trojanized applications, the attackers advertised the three apps and their websites on niche cryptocurrency forums and through social media accounts.
A quirk in the malware's design gave the researchers a rough measure of the campaign's reach: ElectroRAT retrieved the address of its command-and-control server from a Pastebin URL, and those pastes had been viewed around 6,500 times in total. That figure is an estimate rather than a confirmed victim count, since every view of a paste is counted whether or not it came from an infected machine, and a single infection may fetch the address more than once.
Cryptocurrency users who lost funds over the past year without being able to identify how they were compromised should check whether they downloaded and installed any of the three apps mentioned above and, if so, treat the machine and any wallet keys stored on it as compromised.
The researchers also noted that ElectroRAT is written in Go, a language that has gained popularity among malware authors over the past year. Part of the appeal is that Go malware is harder for defenders to spot and more laborious to analyze than malware written in C, C++ or C#: Go binaries are statically linked and bundle the whole runtime, so the tooling and signatures analysts rely on for C-family malware work less well against them.
Go also makes it easier than most languages to cross-compile the same source for different operating systems, which lets operators produce multi-platform malware such as ElectroRAT's Windows, macOS and Linux variants with little extra effort.
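As an added example that is not part of the original article or of Intezer's published material, the following Python script turns the recommendation above into a log-triage check: it scans web-proxy log lines for requests to the three distribution domains named in the article and, as a separate and noisier heuristic tied to the note that ElectroRAT is written in Go, flags Pastebin raw fetches made with the default User-Agent of Go's net/http client. Only the three domains come from the article; the log line format, the constructed sample lines, the pastebin.com hostname and the User-Agent heuristic are assumptions made here.

```python
"""Triage proxy log lines for the ElectroRAT distribution domains and a
Go-client-to-Pastebin heuristic. Added example; not from the article or Intezer."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# The three distribution sites named in the Intezer report, kept defanged
# the way the report prints them and refanged at load time.
DEFANGED_DOMAINS = ("jamm[.]to", "kintum[.]io", "daopker[.]com")

# ASSUMPTION: the report only says "a Pastebin URL"; the hostname is ours.
PASTE_HOSTS = {"pastebin.com"}

# HEURISTIC (not from the report): Go's net/http sends this User-Agent
# unless the author sets one. Many legitimate Go tools send it too, so
# this is a triage hint, not an indicator of compromise on its own.
GO_DEFAULT_UA = "Go-http-client/1.1"

# Constructed sample data, not real telemetry. One request per line:
#   <timestamp> <client> <method> <url> "<user-agent>"
SAMPLE_LOG = """
2020-11-03T10:15:02Z 10.0.0.21 GET https://kintum.io/download "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2020-11-03T10:15:09Z 10.0.0.21 GET https://pastebin.com/raw/constructed1 "Go-http-client/1.1"
2020-11-03T10:16:40Z 10.0.0.44 GET https://pastebin.com/raw/constructed2 "Mozilla/5.0 (X11; Linux x86_64)"
2020-11-03T10:17:01Z 10.0.0.57 GET https://example.org/news "Mozilla/5.0"
2020-11-03T10:18:33Z 10.0.0.57 GET https://www.daopker.com/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)"
garbage line that does not parse
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as jamm[.]to back into jamm.to."""
    return indicator.replace("[.]", ".").lower()


CAMPAIGN_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matching_domain(host: str):
    """Return the campaign domain that `host` equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in CAMPAIGN_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def triage(log_lines):
    """Map each client address to the indicator hits found in its requests.

    Hits are (reason, indicator) tuples. 'campaign-domain' is a direct match
    on the report's domains; 'paste-fetch-go-ua' is the weaker heuristic above.
    """
    hits = defaultdict(list)
    for raw in log_lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        host = (urlparse(m["url"]).hostname or "").lower()
        domain = matching_domain(host)
        if domain:
            hits[m["src"]].append(("campaign-domain", domain))
        elif host in PASTE_HOSTS and m["ua"] == GO_DEFAULT_UA:
            hits[m["src"]].append(("paste-fetch-go-ua", host))
    return dict(hits)


if __name__ == "__main__":
    for client, findings in sorted(triage(SAMPLE_LOG.splitlines()).items()):
        for reason, indicator in findings:
            print(f"{client}\t{reason}\t{indicator}")
```

Run against the constructed sample, the script reports 10.0.0.21 for both the kintum.io download and the Pastebin fetch with the Go User-Agent, and 10.0.0.57 for www.daopker.com; the browser-originated Pastebin visit from 10.0.0.44 is left alone. A hit on one of the three domains shows that a host visited a distribution site, not that it ran the installer, and the Go User-Agent check will also catch legitimate Go software, so both kinds of hit are starting points for a host investigation rather than verdicts. Since the campaign domains may have been taken down or sinkholed since the report, the check is most useful against retained historical logs.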
Image credits: QuickHealBlog