Intezer Labs said it discovered fake cryptocurrency apps laced with ElectroRAT, a new Go-based malware strain.
Security firm Intezer Labs said it discovered a covert, year-long malware operation in which cybercriminals created fake cryptocurrency apps to trick users into installing a new strain of malware on their systems, with the apparent end goal of stealing victims’ funds.
The campaign was discovered last month, in December 2020, but researchers said they believe the group began spreading its malware as early as January 8, 2020.
Intezer Labs said the hackers relied on three cryptocurrency-related apps for their scheme.
The fake apps were named Jamm, eTrade/Kintum, and DaoPoker, and were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively.
The first two apps claimed to provide a simple platform to trade cryptocurrency, while the third was a cryptocurrency poker app.
All three apps came in versions for Windows, Mac, and Linux, and were built on top of Electron, an app-building framework.
But Intezer researchers say the apps also came with a little surprise in the form of a new malware strain hidden inside, which the company’s researchers named ElectroRAT.
“ElectroRAT is extremely intrusive,” researchers said in a report published today. “It has various capabilities like keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim’s console.”
Intezer researchers believe the malware was being used to collect cryptocurrency wallet keys and then drain victims’ accounts.
To spread the trojanized applications, Intezer says the hackers posted ads for the three apps and their websites on niche cryptocurrency forums or promoted them through social media accounts.
Because of a quirk in the malware’s design, which retrieved the address of its command-and-control server from a Pastebin URL, Intezer believes this operation infected around 6,500 users, the total number of times the Pastebin URLs were accessed. That figure is an estimate: the view counter records every visit to the pastes, not only beacons from infected machines.
Image: Intezer Labs
Cryptocurrency users who lost funds over the past year but did not identify the source of their breach should check to see if they have downloaded and installed any of the three apps mentioned in this article.
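The two indicators the article gives, the three download domains and the Pastebin dead-drop pattern, are enough to hunt for on a network. The following Go program is an added example written for this page, not code from Intezer or from ElectroRAT itself. It scans constructed proxy log lines in an assumed "timestamp client-ip method url user-agent" format, flags any request to the campaign domains named above, and flags raw Pastebin fetches made by a client whose user agent is not a browser's. The paste IDs, the log format, and the "Go-http-client/1.1" user agent (Go's net/http default, used here as a stand-in for an automated client) are assumptions; nothing on the page says what ElectroRAT actually sends.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
)

// Download sites named in the article, with the trojanized app each one served.
var campaignDomains = map[string]string{
	"jamm.to":     "Jamm",
	"kintum.io":   "eTrade/Kintum",
	"daopker.com": "DaoPoker",
}

// The article says ElectroRAT fetched its C2 address from a Pastebin URL.
// The paste IDs are not on the page, so this matches any raw-paste fetch and
// relies on the user agent to separate automated clients from browsers.
var pastebinRaw = regexp.MustCompile(`^https?://pastebin\.com/raw/[A-Za-z0-9]+`)

// Hit is one flagged request.
type Hit struct {
	Client string // IP that made the request
	URL    string
	Reason string
}

// Constructed sample proxy log lines in an assumed format:
// "<timestamp> <client-ip> <method> <url> <user-agent...>".
// These are not real logs from the campaign.
var sampleLogs = []string{
	"2021-01-05T10:22:01Z 10.0.0.17 GET https://jamm.to/download/Jamm-Setup.exe Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
	"2021-01-05T10:25:43Z 10.0.0.17 GET https://pastebin.com/raw/Abc12345 Go-http-client/1.1",
	"2021-01-05T11:02:10Z 10.0.0.42 GET https://pastebin.com/raw/Xyz98765 Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0",
	"2021-01-05T11:03:00Z 10.0.0.42 GET https://example.com/index.html Mozilla/5.0 (X11; Linux x86_64) Firefox/84.0",
	"2021-01-05T12:10:00Z 10.0.0.9 GET https://www.daopker.com/ Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)",
	"#malformed line with no fields",
}

// isBrowserUA is a deliberately simple heuristic: mainstream browsers send a
// user agent beginning with "Mozilla/". A Go binary using net/http's default
// client sends "Go-http-client/1.1" (assumption: that is what an automated
// payload might look like on the wire; not a claim about ElectroRAT).
func isBrowserUA(ua string) bool {
	return strings.HasPrefix(ua, "Mozilla/")
}

// scanProxyLogs flags requests to the campaign's download sites and raw
// Pastebin fetches made by non-browser clients (the dead-drop resolver pattern).
func scanProxyLogs(lines []string) []Hit {
	var hits []Hit
	for _, line := range lines {
		fields := strings.SplitN(line, " ", 5)
		if len(fields) < 5 || strings.HasPrefix(line, "#") {
			continue // malformed or comment line: skip rather than fail the scan
		}
		client, rawURL, ua := fields[1], fields[3], fields[4]
		u, err := url.Parse(rawURL)
		if err != nil {
			continue
		}
		host := strings.TrimPrefix(strings.ToLower(u.Hostname()), "www.")
		if app, ok := campaignDomains[host]; ok {
			hits = append(hits, Hit{client, rawURL, "download site for trojanized app " + app})
		}
		if pastebinRaw.MatchString(rawURL) && !isBrowserUA(ua) {
			hits = append(hits, Hit{client, rawURL, "raw Pastebin fetch by non-browser client (possible C2 dead drop)"})
		}
	}
	return hits
}

// suspectClients returns the sorted, de-duplicated list of flagged client IPs,
// the set an analyst would pull for wallet-theft triage.
func suspectClients(hits []Hit) []string {
	seen := map[string]bool{}
	for _, h := range hits {
		seen[h.Client] = true
	}
	clients := make([]string, 0, len(seen))
	for c := range seen {
		clients = append(clients, c)
	}
	sort.Strings(clients)
	return clients
}

func main() {
	hits := scanProxyLogs(sampleLogs)
	for _, h := range hits {
		fmt.Printf("%-10s %-45s %s\n", h.Client, h.URL, h.Reason)
	}
	fmt.Println("clients to triage:", suspectClients(hits))
}
```

On the sample data this flags two requests from 10.0.0.17 (the download site and the raw paste fetched by a non-browser client) and one from 10.0.0.9 (the DaoPoker site), while the Firefox user on 10.0.0.42 who opened a raw paste by hand is not flagged. A real hunt would replace the domain list with the full indicator set from Intezer's report and the user-agent heuristic with whatever the organisation's proxy actually records.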
As a side note, Intezer Labs also noted that ElectroRAT was written in Go, a programming language that has slowly become more popular with malware authors over the past year.
The reasons for Go’s rising popularity among malware authors are many: detection of Go malware is still spotty, analyzing Go malware is usually more complicated than analyzing malware written in C, C++ or C#, and Go makes it easy to compile binaries for different platforms, letting operators build multi-platform malware more easily than before.