ElectroRAT

The boom of the cryptocurrency sector that started several years ago and is still going strong today was bound to catch evil hackers' attention. Indeed, the number of malware threats unleashed in the wild in the past year that targeted cryptocurrency users predominantly shows significant growth. Another observable trend among cybercriminals is the increased adoption of the Go programming language. Compared to the already established and rather mainstream C, C++, and C#, using Go offers several distinct advantages. Malware code written in Go is still somewhat better in avoiding detection. It is harder for reverse engineering, and due to its binaries being easier to compile, evil operators can set up multiple-platform threats quickly.

One of the latest threats that fall in this category was named ElectroRAT by the info-sec researchers at Intezer Labs, who first detected it. ElectroRAT is equipped with numerous intrusive capabilities geared towards harvesting and exfiltrating sensitive data from the compromised devices. It can set up keylogging routines, take screenshots, execute arbitrary commands, download additional files, or upload selected files to a repository under hackers' control. Despite the multitude of uses that such a threat could have, the researchers are confident that ElectroRAT's main purpose was to obtain cryptocurrency wallet addresses, which will be drained of funds subsequently. An estimated 6,500 users have become infected with ElectroRAT. The number was based on the times that a Pastebin URL containing the address of the threat's Command and Contro(C&C, C2) servers has been accessed.

Although ElectroRAT was detected in December 2020, the threatening campaign dedicated to its distribution is estimated to have begun at the very start of the year, in the first days of January 2020. The hackers created three separate fake cryptocurrency applications named DaoPoker, Jamm and eTrade/Kintum to carry ElectorRAT's code. DaoPoker posed as a poker application that allows the use of cryptocurrencies, while the other two malware-laced applications pretended to be an easy-to-use cryptocurrency trade platform. Each application had a dedicated website set up for it - daopker.com, jamm.to and kintum.io. The hackers created versions of all three of the applications for each of the mainstream platforms - Windows, Mac and Linux. Unsuspecting users were directed towards the insidious applications and their dedicated corrupted websites through advertisements posted by the hackers on different social media platforms as well as specialized cryptocurrency forums.

Users who engage with cryptocurrency actively should start to be more alert when it comes to malware threats trying to intercept, harvest and exfiltrate sensitive private data from their devices.