The previously undetected ElectroRat malware is capable of stealing private keys to access victims’ wallets and also running a keylogger on a targeted device.
The IT security researchers at Intezer have discovered a new RAT (Remote Access Tool) that is capable of targeting Windows, Linux, and macOS. Its prime target is stealing cryptocurrency, considering the currency’s surging value, with 1 Bitcoin currently worth around $34,000.
Dubbed ElectroRat by the researchers, the malware is written in Golang and is currently being spread through various dedicated online forums and social media platforms, where its authors lure cryptocurrency owners into downloading trojanized applications.
Some of the prominent forums involved in promoting these services are Bitcointalk and SteemCoinPan.
It is worth noting that the applications claim to offer crypto-related services such as trading and wallet management. So far, researchers have identified three websites involved in the scam:
- Jamm (.) to
- Daopoker (.) com
- Kintum (.) io
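As an added defender-side example (not code from the article or from Intezer), the script below refangs the three domains listed above and hunts for them in DNS query logs, matching the domain itself and its subdomains but not look-alike names. The log line format and the sample log are constructed for the example.

```python
import re
from typing import Dict, List

# The three indicators named in the article, in its defanged "(.)" notation.
DEFANGED_DOMAINS = ["Jamm (.) to", "Daopoker (.) com", "Kintum (.) io"]


def refang(indicator: str) -> str:
    """Turn 'Jamm (.) to' or 'jamm[.]to' style defanged names into a matchable hostname."""
    host = re.sub(r"\s*[\(\[]\s*\.\s*[\)\]]\s*", ".", indicator.strip())
    return host.lower()


def host_matches(queried: str, bad: str) -> bool:
    """True for the domain itself or any subdomain, never for look-alikes such as 'notjamm.to'."""
    q = queried.lower().rstrip(".")  # tolerate a trailing dot (fully qualified form)
    return q == bad or q.endswith("." + bad)


# Constructed sample DNS query log: timestamp, source IP, "query", record type, queried name.
SAMPLE_DNS_LOG = """\
2021-01-05T10:01:02Z 10.0.0.15 query A www.example.com
2021-01-05T10:01:09Z 10.0.0.15 query A jamm.to
2021-01-05T10:02:11Z 10.0.0.22 query A notjamm.to
2021-01-05T10:03:40Z 10.0.0.22 query A update.daopoker.com
2021-01-05T10:04:05Z 10.0.0.31 query AAAA kintum.io.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+query\s+\S+\s+(?P<name>\S+)$")


def find_hits(log_text: str, defanged: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose queried name matches an indicator."""
    bad_hosts = [refang(d) for d in defanged]
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        for bad in bad_hosts:
            if host_matches(m["name"], bad):
                hits.append({"ts": m["ts"], "src": m["src"], "name": m["name"], "ioc": bad})
    return hits


if __name__ == "__main__":
    for h in find_hits(SAMPLE_DNS_LOG, DEFANGED_DOMAINS):
        print(f"{h['ts']} {h['src']} -> {h['name']} (matches {h['ioc']})")
```

Each flagged source IP is a host that resolved one of the scam sites and is a candidate for the cleanup steps described later in the article.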
Once installed, these applications function as an infostealer, collecting the private keys that grant access to victims’ wallets. Additionally, the malware is equipped with a keylogger, takes screenshots, executes commands, and uploads and downloads files to and from the targeted device.
What’s worse, according to the researchers, the malware has already claimed thousands of victims around the globe. This indicates that the campaign has so far been successful in achieving its goal and is convincing enough to trick users into downloading the malware-infected applications.
In a blog post, Intezer’s researchers explained the sophistication of the campaign, stating that:
The campaign includes domain registrations, websites, trojanized applications, fake social media accounts, and a new undetected RAT.
We estimate this campaign has already infected thousands of victims—based on the number of unique visitors to the Pastebin pages used to locate the command and control servers.
Furthermore, the researchers have warned users to be on the lookout, given that ElectroRat appears to be “extremely intrusive.”
If you believe your system has been infected, start the cleanup process immediately, move your funds to a new wallet, and change the passwords for every service that you have been logging into.
The following is a technical analysis -> @IntezerLabs
— Avigayil Mechtinger (@AbbyMCH) January 5, 2021