Stealthy cross-platform malware could dispossess you of your crypto holdings

Cryptocurrency
(Image credit: Shutterstock)
Audio player loading…

As Bitcoin and other cryptocurrencies have once again reached record highs, a group of cybercriminals has been working for the past 12 months on a marketing campaign that uses custom malware (opens in new tab) to steal the contents of users' crypto wallets (opens in new tab).

The operation was discovered by Intezer Labs (opens in new tab) and it has been active since January of last year.

The custom malware for Windows, macOS and Linux devices is distributed through three separate trojanized apps and the cybercriminals responsible also used a network of fake companies, websites and social media profiles to dupe unsuspecting users.

The apps used in the operation include “Jamm”, “eTrade” and “DaoPoker. While the first two apps claimed to be cryptocurrency trading platforms, the third was a poker app that allowed users to make bets using cryptocurrency.

ElectroRAT

Once a user installs one of the apps in question on their devices, a remote access trojan (RAT (opens in new tab)) which Intezer has dubbed ElectroRAT serves as backdoor that allows the cybercriminals to log users' keystrokes, take screenshots, upload, download and install files on their systems as well as execute commands. To the cybercriminals credit, all three apps went undetected by antivirus software (opens in new tab).

Security researcher Avigayil Mechtinger at Intezer provided further insight on the operation and the custom malware used by the cybercriminals behind it in a new report (opens in new tab), saying:

“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”

In order to locate its command and control server, ElectroRAT uses Pastebin (opens in new tab) pages published by a user who goes by the handle “Execmac”. Based on Execmac's profile (opens in new tab), these pages have received more than 6,700 views since the operation began in January of last year and Intezer believes that these page views correspond to the number of people infected by ElectroRAT.

If you have any of the three fake apps installed on your systems, it is highly recommended that you remove them immediately and you can use Intezer's Analyze (opens in new tab) tool to look for any traces of ElectroRAT running in memory on Windows or Linux.

Via Ars Technica (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.