A wide-ranging campaign that used fake marketing to lure cryptocurrency holders, steal their private keys and drain their wallets has been discovered by a team of security researchers.
The campaign combined custom cryptocurrency-related applications, domain registrations, 'trojanised' applications, fake social media accounts and a new Remote Access Tool (RAT), named ElectroRAT, written from scratch.
The campaign was detected in December, and is estimated to have been initiated in January last year, the researchers at cybersecurity firm Intezer said in a blog post.
“It is rather common to see various information stealers trying to collect private keys to access victims’ wallets,” Intezer said. “However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes.”
The attacker lured cryptocurrency users into downloading trojanised apps by promoting them on online forums and social media. Intezer estimates at least 6,500 user wallets may have already been infected.
The attacker built trojanised versions of three applications, each available for Windows, Linux and macOS. All of them relate to cryptocurrency: 'Jamm' and 'eTrade', presented as cryptocurrency trade management tools, and 'DaoPoker', a cryptocurrency poker app.
The apps were promoted on cryptocurrency and blockchain forums such as bitcointalk and SteemCoinPan; users who downloaded and ran them installed the malware on their systems.
To make the applications look genuine, the attacker created Twitter and Telegram profiles for the DaoPoker application and paid a social media influencer to advertise it.
Unlike the commodity information stealers that are typically bought ready-made on the dark web, ElectroRAT was written from scratch in Golang (Go), an open-source programming language. Intezer researchers said the choice of Go allowed the attacker to target multiple operating systems, since a single Go codebase can be compiled into native Windows, Linux and macOS binaries.
“Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all Antivirus detections,” Intezer said.
The tool is extremely intrusive: it can log keystrokes, take screenshots, upload files from the victim's disk, download files and execute commands on the victim's console.
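The article notes that ElectroRAT was built in Go so that one codebase could be shipped for Windows, Linux and macOS. The following is an added example, not code from Intezer or from the report described above, showing the kind of offline triage a defender can run on a suspicious download: read the executable's magic bytes to see which OS it targets, then look for the strings the Go toolchain embeds in every build. The marker list, the OS mapping and the sample byte strings are assumptions constructed for the example; a packed or post-processed binary can hide these strings, so a negative result is not proof that a file is clean.

```python
"""Offline triage helper: which OS does a suspicious binary target, and does it
carry the strings the Go toolchain leaves in every build?
Added example; not from Intezer or the ElectroRAT report. Heuristics only."""
import re

# Executable container magics (first bytes of the file).
ELF_MAGIC = b"\x7fELF"                 # Linux (and other Unix) executables
PE_MAGIC = b"MZ"                       # Windows PE/COFF executables
MACHO_MAGICS = {                       # macOS Mach-O: 32/64-bit, both endians, fat
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",
    b"\xca\xfe\xba\xbe",
}

# Markers the Go linker embeds. GO_BUILDINFO_MAGIC is the 14-byte header of the
# .go.buildinfo section (Go 1.13+); the others survive most builds unless the
# binary is packed or stripped by hand. Assumed marker set for this example.
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_MARKERS = {
    "buildinfo": GO_BUILDINFO_MAGIC,
    "build_id": b"Go build ID:",
    "runtime_main": b"runtime.main",
    "gopclntab": b".gopclntab",
}
GO_VERSION_RE = re.compile(rb"go1\.\d+(?:\.\d+)?")


def file_format(data: bytes) -> str:
    """Classify the container from its magic bytes. The OS names are the usual
    pairing and are a heuristic (ELF is also used by BSDs, PE by UEFI, etc.)."""
    if data.startswith(ELF_MAGIC):
        return "ELF (Linux)"
    if data.startswith(PE_MAGIC):
        return "PE (Windows)"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O (macOS)"
    return "unknown"


def go_markers(data: bytes) -> list:
    """Return the names of the Go toolchain markers present in the blob."""
    return [name for name, needle in GO_MARKERS.items() if needle in data]


def go_version(data: bytes):
    """Best-effort Go release string (e.g. 'go1.15.6'), or None if absent."""
    m = GO_VERSION_RE.search(data)
    return m.group(0).decode() if m else None


def triage(data: bytes) -> dict:
    """Summarise one sample: container/OS, Go markers found, Go version."""
    markers = go_markers(data)
    return {
        "format": file_format(data),
        # The buildinfo header alone is decisive; otherwise ask for two markers
        # so a single stray string does not flag an unrelated file.
        "is_go": "buildinfo" in markers or len(markers) >= 2,
        "markers": markers,
        "go_version": go_version(data),
    }


# Constructed samples (not real malware): a header followed by the kind of
# strings a Go build leaves behind, or by nothing Go-specific at all.
SAMPLE_LINUX_GO = (ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9
                   + GO_BUILDINFO_MAGIC + b"\x08\x00" + b"\x00" * 16
                   + b"go1.15.6\x00runtime.main\x00")
SAMPLE_WINDOWS_GO = (PE_MAGIC + b"\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
                     + b".gopclntab\x00Go build ID: \"abc\"\x00go1.14\x00")
SAMPLE_MAC_GO = b"\xcf\xfa\xed\xfe" + b"\x00" * 28 + GO_BUILDINFO_MAGIC + b"\x08\x00"
SAMPLE_NOT_GO = PE_MAGIC + b"\x00" * 64 + b"This program cannot be run in DOS mode.\x00"


def triage_all(samples: dict) -> dict:
    """Run triage() over a name -> bytes mapping."""
    return {name: triage(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    results = triage_all({
        "linux_go": SAMPLE_LINUX_GO, "windows_go": SAMPLE_WINDOWS_GO,
        "mac_go": SAMPLE_MAC_GO, "not_go": SAMPLE_NOT_GO,
    })
    for name, result in results.items():
        print(name, result)
```

To use it on a real download, read the file in binary mode and pass the bytes to triage(); a result showing a Go build whose target OS matches each of the Windows, Linux and macOS installers offered for the same "app" is the pattern the article describes, and is a reason to submit the file for proper analysis rather than run it.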
Intezer advises anyone who suspects they are a victim to kill the malicious process and delete all files related to the malware, then move their funds to a new wallet and change all of their passwords.