This Elusive Malware Has Been Targeting Crypto Wallets for a Year

With custom domains and apps, advertising and a social media presence, the ElectroRAT malware operation targeting crypto wallets is extensive.

AccessTimeIconJan 6, 2021 at 6:33 p.m. UTC
Updated Aug 19, 2021 at 6:31 a.m. UTC

Presented By Icon

Election 2024 coverage presented by

Stand with crypto

Operating for a year now, insidious malware ElectroRAT is bringing 2020 into 2021 and targeting crypto wallets.

A researcher at cybersecurity firm Intezer has identified and documented the inner workings of ElectroRAT, which has been targeting and draining victims’ funds.

  • Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
    13:18
    Bitcoin Mining in the U.S. Will Become 'a Lot More Decentralized': Core Scientific CEO
  • Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
    05:10
    Binance to Discontinue Its Nigerian Naira Services After Government Scrutiny
  • The first video of the year 2024
    04:07
    The first video of the year 2024
  • The last regression video of the year 3.67.0
    40:07
    The last regression video of the year 3.67.0
  • According to the researcher, Avigayil Mechtinger, the malware operation includes a variety of detailed tools that dupes victims, including a “marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.”

    The malware is called ElectroRAT because it’s a remote access tool that was embedded in apps built on Electron, an app-building platform. Hence, ElectroRAT. 

    “It's unsurprising to see novel malware being published, especially during a bull market in which the value of cryptocurrency is shooting up and making such attacks more profitable,” said Jameson Lopp, chief technology officer (CTO) at crypto custody startup Casa

    Over the past few months, bitcoin and other cryptocurrencies have entered a bull market, seeing prices skyrocket across the industry.

    What is ElectroRAT?

    ElectroRat malware is written in the open-source programming language Golang, which is good for cross-platform functionality and is targeted at multiple operating systems, including macOS, Linux, and Windows. 

    As part of the malware operation, the attackers set up “domain registrations, websites, trojanized applications and fake social media accounts,” according to the report. 

    In the report, Mechtinger notes that while attackers commonly try to collect private keys used to access people’s wallets, seeing original tools like ElectroRAT and the various apps written “from scratch” and targeting multiple operating systems is quite rare. 

    A visual summary of the scope of ElectroRAT
    A visual summary of the scope of ElectroRAT

    “Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections,” wrote Mechtinger in the report. 

    Lopp echoed these comments, and said it’s particularly interesting the malware is being compiled for and targeting all three major operating systems. 

    “The value majority of malware tends to be Windows-only due to the wide install base and the weaker security of the operating system,” said Lopp. “In the case of bitcoin, malware authors may reason that a lot of early adopters are more technical people who run Linux.”

    How it works

    To lure in victims, the ElectroRat attackers created three different domains and apps operating on multiple operating systems.

    The pages to download the apps were created specifically for this operation and designed to look like legitimate entities. 

    The associated apps specifically appeal to and target cryptocurrency users. “Jamm” and “eTrade” are trade management apps; “DaoPoker” is a poker app that uses cryptocurrency. 

    Using fake social media and user profiles, as well as paying a social media influencer for their advertising, the attacker pumped the apps, including promoting them in targeted cryptocurrency and blockchain forums like bitcointalk and SteemCoinPan. The posts encouraged readers to look at the professional-looking websites and download the apps when, in reality, they were also downloading the malware. 

    The front end of the eTrade app
    The front end of the eTrade app

    For example, the DaoPoker Twitter page had 417 followers while a social media advertiser with over 25,000 followers on Twitter promoted eTrade. As of writing, the DaoPoker twitter page is still live. 

    While the apps look legitimate at first glance on the front end, they are running nefarious background activities, targeting users' cryptocurrency wallets. They are also still active. 

    “Hackers want to get your cryptocurrency, and they are willing to go far with it – spend months of work to create fake companies, fake reputation and innocent-looking applications that hide malware to steal your coins,” said Mechtinger. 

    What it does

    “ElectroRAT has various capabilities,” said Mechtinger in an email. “It can take screenshots, key logs, upload folders/files from a victim's machine and more. Upon execution, it establishes commands with its command-and control-server and waits for commands.” 

    The report suggests the malware specifically targets cryptocurrency users for the purpose of attacking their crypto wallets, noting that victims were observed commenting on posts related to the popular Ethereum wallet app Metamask. Based on the researchers’ observations of the malware’s behaviors, it’s possible more than 6.5 thousand people had been compromised. 

    How to avoid it

    The first step is the best step and that’s not to download any of these apps, full stop. 

    In general, when you’re looking into new apps, Lopp suggests avoiding shady websites and forums. Only install software that is well-known and properly reviewed; look for apps with lengthy reputation histories and sizable install bases. 

    “Don't use wallets that store the private keys on your laptop/desktop; private keys should be stored on dedicated hardware devices,” said Lopp. 

    This point reinforces the importance of storing your crypto in cold hardware wallets and writing down seed phrases rather than just storing them on your computer. Both of these techniques make them inaccessible to malware that trolls your online activity. 

    A victim commenting on the malicious activity of one of the ElectroRAT apps
    A victim commenting on the malicious activity of one of the ElectroRAT apps

    There are secondary steps that can be taken if you think your computer might have already been compromised. 

    “To make sure you are not infected we recommend [you] take proactive action and scan your devices for malicious activity,” said Mechtinger.

    In the report, Mechtinger suggests that if you think you’re a victim of this scam, you need to kill the processes running and delete all files related to the malware. You also need to make sure your machine is clean and running non-malicious code. Intezer has created Endpoint Scanner for Windows environments and Intezer Protect, a free community tool for Linux users. More detailed information about detection can be found in the original report. 

    And, of course, you should move your funds to a new crypto wallet and change all your passwords. 

    A higher bitcoin price attracts more malware

    With the price of bitcoin continuing to rise, Mechtinger doesn’t see attacks like this slowing down. In fact, they’re likely to increase. 

    “There are high capitals at stake, which is classic for financially motivated hackers,” she said. 

    Lopp said we will see attackers devote greater and greater resources to coming up with new ways to part people from their private keys. 

    “While a novel attack takes much greater effort to develop, the rewards are also potentially higher because it's more likely to fool people because the knowledge of that style of attack has not been disseminated through the user base,” he said.  “That is, people are more likely to expose themselves to the attack unknowingly.”

    Disclosure

    Please note that our privacy policy, terms of use, cookies, and do not sell my personal information have been updated.

    CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. CoinDesk has adopted a set of principles aimed at ensuring the integrity, editorial independence and freedom from bias of its publications. CoinDesk is part of the Bullish group, which owns and invests in digital asset businesses and digital assets. CoinDesk employees, including journalists, may receive Bullish group equity-based compensation. Bullish was incubated by technology investor Block.one.


    Learn more about Consensus 2024, CoinDesk's longest-running and most influential event that brings together all sides of crypto, blockchain and Web3. Head to consensus.coindesk.com to register and buy your pass now.