This Elusive Malware Has Been Targeting Crypto Wallets for a Year

Operating for a year now, insidious malware ElectroRAT is bringing 2020 into 2021 and targeting crypto wallets.

A researcher at cybersecurity firm Intezer has identified and documented the inner workings of ElectroRAT, which has been targeting and draining victims’ funds.

According to the researcher, Avigayil Mechtinger, the malware operation includes a variety of detailed tools that dupes victims, including a “marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.”

The malware is called ElectroRAT because it’s a remote access tool that was embedded in apps built on Electron, an app-building platform. Hence, ElectroRAT. 

“It's unsurprising to see novel malware being published, especially during a bull market in which the value of cryptocurrency is shooting up and making such attacks more profitable,” said Jameson Lopp, chief technology officer (CTO) at crypto custody startup Casa. 

Over the past few months, bitcoin and other cryptocurrencies have entered a bull market, seeing prices skyrocket across the industry.

ElectroRat malware is written in the open-source programming language Golang, which is good for cross-platform functionality and is targeted at multiple operating systems, including macOS, Linux, and Windows. 

As part of the malware operation, the attackers set up “domain registrations, websites, trojanized applications and fake social media accounts,” according to the report. 

In the report, Mechtinger notes that while attackers commonly try to collect private keys used to access people’s wallets, seeing original tools like ElectroRAT and the various apps written “from scratch” and targeting multiple operating systems is quite rare. 

“Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections,” wrote Mechtinger in the report. 

Lopp echoed these comments, and said it’s particularly interesting the malware is being compiled for and targeting all three major operating systems. 

“The value majority of malware tends to be Windows-only due to the wide install base and the weaker security of the operating system,” said Lopp. “In the case of bitcoin, malware authors may reason that a lot of early adopters are more technical people who run Linux.”

To lure in victims, the ElectroRat attackers created three different domains and apps operating on multiple operating systems.

The pages to download the apps were created specifically for this operation and designed to look like legitimate entities. 

The associated apps specifically appeal to and target cryptocurrency users. “Jamm” and “eTrade” are trade management apps; “DaoPoker” is a poker app that uses cryptocurrency. 

Using fake social media and user profiles, as well as paying a social media influencer for their advertising, the attacker pumped the apps, including promoting them in targeted cryptocurrency and blockchain forums like bitcointalk and SteemCoinPan. The posts encouraged readers to look at the professional-looking websites and download the apps when, in reality, they were also downloading the malware. 

For example, the DaoPoker Twitter page had 417 followers while a social media advertiser with over 25,000 followers on Twitter promoted eTrade. As of writing, the DaoPoker twitter page is still live. 

While the apps look legitimate at first glance on the front end, they are running nefarious background activities, targeting users' cryptocurrency wallets. They are also still active. 

“Hackers want to get your cryptocurrency, and they are willing to go far with it – spend months of work to create fake companies, fake reputation and innocent-looking applications that hide malware to steal your coins,” said Mechtinger. 

“ElectroRAT has various capabilities,” said Mechtinger in an email. “It can take screenshots, key logs, upload folders/files from a victim's machine and more. Upon execution, it establishes commands with its command-and control-server and waits for commands.” 

The report suggests the malware specifically targets cryptocurrency users for the purpose of attacking their crypto wallets, noting that victims were observed commenting on posts related to the popular Ethereum wallet app Metamask. Based on the researchers’ observations of the malware’s behaviors, it’s possible more than 6.5 thousand people had been compromised. 

The first step is the best step and that’s not to download any of these apps, full stop. 

In general, when you’re looking into new apps, Lopp suggests avoiding shady websites and forums. Only install software that is well-known and properly reviewed; look for apps with lengthy reputation histories and sizable install bases. 

“Don't use wallets that store the private keys on your laptop/desktop; private keys should be stored on dedicated hardware devices,” said Lopp. 

This point reinforces the importance of storing your crypto in cold hardware wallets and writing down seed phrases rather than just storing them on your computer. Both of these techniques make them inaccessible to malware that trolls your online activity. 

There are secondary steps that can be taken if you think your computer might have already been compromised. 

“To make sure you are not infected we recommend [you] take proactive action and scan your devices for malicious activity,” said Mechtinger.

In the report, Mechtinger suggests that if you think you’re a victim of this scam, you need to kill the processes running and delete all files related to the malware. You also need to make sure your machine is clean and running non-malicious code. Intezer has created Endpoint Scanner for Windows environments and Intezer Protect, a free community tool for Linux users. More detailed information about detection can be found in the original report. 

And, of course, you should move your funds to a new crypto wallet and change all your passwords. 

With the price of bitcoin continuing to rise, Mechtinger doesn’t see attacks like this slowing down. In fact, they’re likely to increase. 

“There are high capitals at stake, which is classic for financially motivated hackers,” she said. 

Lopp said we will see attackers devote greater and greater resources to coming up with new ways to part people from their private keys. 

“While a novel attack takes much greater effort to develop, the rewards are also potentially higher because it's more likely to fool people because the knowledge of that style of attack has not been disseminated through the user base,” he said.  “That is, people are more likely to expose themselves to the attack unknowingly.”