Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year
Soaring cryptocurrency valuations have broken record after record over the past few years, turning people with once-modest holdings into overnight millionaires. One determined ring of criminals has tried to join the party using a wide-ranging operation that for the past 12 months has used a full-fledged marketing campaign to push custom-made malware written from scratch for Windows, macOS, and Linux devices.
The operation, which has been active since at least January 2020, has spared no effort in stealing the wallet addresses of unwitting cryptocurrency holders, according to a report published by security firm Intezer. The scheme includes three separate trojanized apps, each of which runs on Windows, macOS, and Linux. It also relies on a network of fake companies, websites, and social media profiles to win the confidence of potential victims.
The apps pose as benign software that’s useful to cryptocurrency holders. Hidden inside is a remote access trojan that was written from scratch. Once an app is installed, ElectroRAT—as Intezer has dubbed the backdoor—then allows the crooks behind the operation to log keystrokes, take screenshots, upload, download, and install files, and execute commands on infected machines. In a testament to their stealth, the fake cryptocurrency apps went undetected by all major antivirus products.
“It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users,” researchers wrote in the Intezer report. “It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”
The three apps that were used to infect targets were called “Jamm,” “eTrade,” and “DaoPoker.” The first two apps claimed to be a cryptocurrency trading platform. The third was a poker app that allowed bets with cryptocurrency.
The crooks used fake promotional campaigns on cryptocurrency-related forums such as bitcointalk and SteemCoinPan. The promotions, which were published by fake social media users, led to one of three websites, one for each of the available trojanized apps. ElectroRAT is written in the Go programming language.
The image below summarizes the operation and the various pieces it used to target cryptocurrency users:
ElectroRAT uses Pastebin pages published by a user named “Execmac” to locate its command-and-control server. The user’s profile page shows that since January 2020 the pages have received more than 6,700 page views. Intezer believes that the number of hits roughly corresponds to the number of people infected.
The security firm said that Execmac in the past has had ties to the Windows trojans Amadey and KPOT, which are available for purchase in underground forums.
“A reason behind this [change] could be to target multiple operating systems,” Intezer’s post speculated. “Another motivating factor is this is an unknown Golang malware, which has allowed the campaign to fly under the radar for a year by evading all Antivirus detections.”
The best way to know if you’ve been infected is to look for the installation of any of the three apps mentioned earlier. The Intezer post also provides links that Windows and Linux users can use to detect ElectroRAT running in memory. People who have been infected should disinfect their systems, change all passwords, and move funds to a new wallet.
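As an added example that is not part of the Ars Technica article or the Intezer report, the triage helper below applies the two indicators the article gives (presence of the "Jamm", "eTrade" or "DaoPoker" apps, and a non-browser process contacting Pastebin, which ElectroRAT uses to find its C2 server) to constructed endpoint telemetry. It assumes the trojanized apps run under process names matching the app names and uses a hypothetical browser allowlist; both are assumptions, not details from the report.

```python
"""Triage helper for the ElectroRAT indicators described in the article.
Added example; the telemetry records are constructed, and the assumption
that the trojanized apps run as processes named after the apps is ours."""
from __future__ import annotations

import re
from dataclasses import dataclass

# App names taken from the article; matched case-insensitively against the
# process image's stem (e.g. "eTrade.exe" -> "etrade").
TROJANIZED_APPS = ("jamm", "etrade", "daopoker")
# Hypothetical allowlist: browsers legitimately fetch pastebin.com pages.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "chrome", "firefox", "safari"}
PASTEBIN_RE = re.compile(r"(^|\.)pastebin\.com$", re.IGNORECASE)


@dataclass
class Event:
    host: str      # endpoint that produced the record
    process: str   # full image path or bare process name
    dest: str      # destination hostname, "" for local-only events


def check_event(ev: Event) -> list[str]:
    """Return human-readable findings for one telemetry record."""
    findings: list[str] = []
    base = ev.process.lower().rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    stem = base.split(".", 1)[0]
    if stem in TROJANIZED_APPS:
        findings.append(f"{ev.host}: trojanized app process {ev.process}")
    # ElectroRAT resolves its C2 via Pastebin; a non-browser doing that is suspect.
    if ev.dest and PASTEBIN_RE.search(ev.dest) and base not in BROWSERS:
        findings.append(f"{ev.host}: non-browser process {ev.process} fetched {ev.dest}")
    return findings


def triage(events: list[Event]) -> list[str]:
    """Run check_event over a batch and flatten the findings."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry (not real data).
SAMPLE = [
    Event("ws01", "C:\\Users\\a\\AppData\\Local\\eTrade\\eTrade.exe", "pastebin.com"),
    Event("ws01", "chrome.exe", "pastebin.com"),
    Event("mac02", "/Applications/Jamm.app/Contents/MacOS/Jamm", ""),
    Event("lx03", "/usr/bin/curl", "www.pastebin.com"),
    Event("lx03", "/usr/bin/python3", "example.org"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A clean result from this script is not proof of a clean machine; the in-memory scanners Intezer links to are the authoritative check, and the script only narrows down which hosts to look at first.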