As Bitcoin and other cryptocurrencies have once again reached record highs, a group of cybercriminals has been working for the past 12 months on a marketing campaign that uses custom malware to steal the contents of users' crypto wallets.
The operation, which was discovered by Intezer Labs, has been active since January of last year.
The custom malware for Windows, macOS and Linux devices is distributed through three separate trojanized apps, and the cybercriminals responsible also used a network of fake companies, websites and social media profiles to dupe unsuspecting users.
The apps used in the operation include “Jamm”, “eTrade” and “DaoPoker”. While the first two apps claimed to be cryptocurrency trading platforms, the third was a poker app that allowed users to make bets using cryptocurrency.
Once a user installs one of the apps in question on their device, a remote access trojan (RAT) which Intezer has dubbed ElectroRAT serves as a backdoor that allows the cybercriminals to log the user's keystrokes, take screenshots, upload, download and install files on the system, and execute commands. To the cybercriminals' credit, all three apps went undetected by antivirus software.
Security researcher Avigayil Mechtinger at Intezer provided further insight on the operation and the custom malware used by the cybercriminals behind it in a new report, saying:
“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”
In order to locate its command and control server, ElectroRAT uses Pastebin pages published by a user who goes by the handle “Execmac”. Based on Execmac's profile, these pages have received more than 6,700 views since the operation began in January of last year and Intezer believes that these page views correspond to the number of people infected by ElectroRAT.
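The Pastebin lookup described above is a "dead-drop resolver" pattern: the malware fetches a public paste to learn where its command-and-control server is. One defender-side way to surface that behaviour is to flag Pastebin fetches made by processes that are not browsers. The following is an added example written for this article, not code from Intezer or from the report; the log format, the process names (including `trading_app.exe`) and the sample lines are all constructed, and the browser allow-list is an assumption to be tuned per fleet.

```python
"""Flag Pastebin 'dead-drop resolver' traffic from non-browser processes.

Added example (not from the Intezer report or the article): ElectroRAT is
described as locating its command-and-control server via Pastebin pages, so
a defender can look for processes other than browsers fetching pastebin.com
pastes. The log format, process names and sample lines below are constructed.
"""
import re
from collections import namedtuple

# Constructed proxy/EDR log format: "<iso-time> host=<h> proc=<name> url=<url>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) url=(?P<url>\S+)$"
)

# Processes for which a Pastebin fetch is expected (assumption; tune per fleet).
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "safari", "firefox", "chrome"}

# A Pastebin paste URL, with or without the /raw/ prefix (8-character paste key).
PASTEBIN_RE = re.compile(r"^https?://(?:www\.)?pastebin\.com/(?:raw/)?[A-Za-z0-9]{8}$")

Finding = namedtuple("Finding", "ts host proc url reason")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    if not PASTEBIN_RE.match(event["url"]):
        return None
    if event["proc"].lower() in BROWSERS:
        return None
    return "non-browser process fetched a Pastebin paste (possible C2 dead-drop resolver)"


def scan(lines):
    """Run the classifier over an iterable of log lines and collect findings."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the scan
        reason = classify(ev)
        if reason:
            findings.append(Finding(ev["ts"], ev["host"], ev["proc"], ev["url"], reason))
    return findings


def hosts_by_paste(findings):
    """Group affected hosts by paste URL, which helps scope an incident."""
    out = {}
    for f in findings:
        out.setdefault(f.url, set()).add(f.host)
    return out


# Constructed sample lines: one benign browser visit, two hits from a
# hypothetical desktop app, one unrelated download and one unparseable line.
SAMPLE_LOG = [
    "2021-01-05T10:00:01Z host=ws-17 proc=chrome.exe url=https://pastebin.com/raw/AbCdEf12",
    "2021-01-05T10:02:44Z host=ws-17 proc=trading_app.exe url=https://pastebin.com/raw/AbCdEf12",
    "2021-01-05T10:03:10Z host=ws-23 proc=trading_app url=https://pastebin.com/AbCdEf12",
    "2021-01-05T10:04:00Z host=ws-23 proc=curl url=https://example.com/index.html",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f.ts} {f.host} {f.proc} -> {f.url}: {f.reason}")
    print(hosts_by_paste(hits))
```

Because the paste key in the URL is the same across hosts, `hosts_by_paste` gives an incident responder the list of machines that resolved the same dead drop, which is the set to isolate and examine first.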
If you have any of the three fake apps installed on your systems, it is highly recommended that you remove them immediately. You can also use Intezer's Analyze tool to look for any traces of ElectroRAT running in memory on Windows or Linux.
Via Ars Technica