A remote access trojan has affected users of over three apps in the past year and drained their wallets of hundreds of Bitcoin.
The rat wants Bitcoin
Newly identified malware that masquerades as a crypto trading program is said to have affected thousands of users in the past year, according to a report on security publication Bleeping Computer.
Already thousands of crypto wallets stolen. Extensive campaign includes written from scratch RAT hidden in trojanized applications.
— Intezer (@IntezerLabs) January 5, 2021
Called “ElectroRAT,” as it infects Electron applications, the malware is a remote access trojan (RAT) that was discovered in December 2020 and targets Windows, Linux, and macOS users.
Upon infection, the malware overrides application functions and makes them function as either crypto trading apps (on Jamm and eTrade) or a crypto poker app (DaoPoker). When an unsuspecting user accesses any of these, a fake interface pops up while ElectroRAT works in the background.
It operates as follows: the malware infects a victim's computer, engages in keylogging, takes screenshots, uploads files from the victim’s disk, downloads other critical files, and executes commands on the victim’s console. It is then able to access and transfer any stored crypto that it finds.
To further trap victims, such “trojanized” apps, the report said, were promoted on various social media outlets, like Twitter, and other messaging apps or forums popular among crypto users, such as bitcointalk and Telegram.
Over 6,500 instances
Intezer, the security firm that first found the malware, noted in its official report that the three apps were seemingly downloaded by victims between January and December 2020. In addition, one of the Pastebin pages used by ElectroRAT to access the command-and-control (C2) server (a server that helps a fraudster control a botnet and sends malicious commands to its members) was accessed over 6,500 times during the period.
The firm said:
“The trojanized application and the ElectroRAT binaries are either low detected or completely undetected in VirusTotal.”
Intezer added that it was “even more rare” to see the type of “wide-ranging and targeted campaign” deployed by ElectroRAT hackers, one that included multiple facets like the creation of fake apps and websites, and marketing those out to lure additional victims.
Meanwhile, Intezer advises users of these apps—Jamm, eTrade, or DaoPoker—to remove all related files from their systems and use admin tools to “kill” their processes. And users whose cryptocurrencies haven’t been drained yet are advised by Intezer to immediately transfer all their cryptocurrencies to another wallet.