Original Release Date: 1/7/2021
Intezer researchers discovered a new remote access trojan (RAT), dubbed ElectroRAT, targeting Windows, Linux, and macOS cryptocurrency users. The threat actors engaged in an extensive operation – assessed to have begun in January 2020 – composed of marketing campaigns and the creation of custom trojanized applications. These applications were named Jamm, eTrade/Kintum, and DaoPoker, and were promoted via social media and dedicated cryptocurrency forums. ElectroRAT is extremely invasive and is capable of keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim's console. The malware’s command and control (C2) server URL was hosted on Pastebin and has been accessed by 6,500 users. Researchers stated that, at the time of their analysis and reporting, both the trojanized applications and the malware binaries either had low detection rates or were completely undetected on VirusTotal.
The NJCCIC advises users who have downloaded the trojanized applications to immediately disable the associated processes and delete all associated files, move any remaining funds to a new crypto-wallet, and change associated passwords. Additionally, consider reporting victimization to your local police department, the FBI’s Internet Crime Complaint Center, and the Federal Trade Commission (FTC). For technical analysis and IOCs, please review Intezer’s blog post.
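The first remediation step above (find and disable the processes belonging to the trojanized applications) can be scripted as a triage check. The following is an added example, not code from the NJCCIC advisory or from Intezer's report: it parses process listings from `ps` (Linux/macOS) or `tasklist` (Windows) and flags any process whose command line mentions the application names given in the advisory (Jamm, eTrade, Kintum, DaoPoker). The sample listing embedded in the script is constructed for illustration; the actual binary names, install paths and hashes are not on this page and must be taken from Intezer's IOC list before anything is terminated or deleted.

```python
"""Triage helper: list running processes that match the trojanized ElectroRAT carrier apps.

Added example; assumptions: matching is by substring of the application names named in the
advisory, so every hit is a candidate for manual review, not an automatic kill target.
"""
import csv
import io
import platform
import subprocess
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Application names from the advisory (lower-cased for case-insensitive matching).
TROJANIZED_APP_NAMES: Sequence[str] = ("jamm", "etrade", "kintum", "daopoker")

# Constructed sample of `ps -eo pid=,args=` output (paths are invented for the example).
SAMPLE_PS_OUTPUT = """\
  412 /usr/lib/systemd/systemd --user
 1337 /home/user/Downloads/Jamm/jamm --minimized
 2048 /usr/bin/python3 /opt/daopoker/client.py
 3001 /usr/bin/firefox
"""

# Constructed sample of `tasklist /fo csv /nh` output (Windows).
SAMPLE_TASKLIST_OUTPUT = """\
"explorer.exe","1204","Console","1","45,120 K"
"Kintum.exe","4412","Console","1","18,332 K"
"svchost.exe","880","Services","0","9,100 K"
"""


@dataclass
class ProcessRecord:
    pid: int
    command: str  # full command line (ps) or image name (tasklist)


def parse_ps_output(text: str) -> List[ProcessRecord]:
    """Parse `ps -eo pid=,args=` lines: a PID followed by the full command line."""
    records: List[ProcessRecord] = []
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or not parts[0].isdigit():
            continue  # skip blank or malformed lines rather than crashing the triage
        records.append(ProcessRecord(int(parts[0]), parts[1]))
    return records


def parse_tasklist_csv(text: str) -> List[ProcessRecord]:
    """Parse `tasklist /fo csv /nh` rows: image name first, PID second."""
    records: List[ProcessRecord] = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue
        records.append(ProcessRecord(int(row[1]), row[0]))
    return records


def find_suspect_processes(records: Iterable[ProcessRecord],
                           names: Sequence[str] = TROJANIZED_APP_NAMES) -> List[ProcessRecord]:
    """Return records whose command line contains any of the trojanized app names."""
    return [r for r in records if any(n in r.command.lower() for n in names)]


def list_live_processes() -> List[ProcessRecord]:
    """Collect the real process table for the current OS (requires ps or tasklist)."""
    if platform.system() == "Windows":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True, check=True).stdout
        return parse_tasklist_csv(out)
    out = subprocess.run(["ps", "-eo", "pid=,args="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_output(out)


if __name__ == "__main__":
    # Run against the live system; review each hit against Intezer's IOCs before acting.
    for rec in find_suspect_processes(list_live_processes()):
        print(f"REVIEW pid={rec.pid} command={rec.command}")
```

Run it as a user who can see all processes (root or an administrator); on a clean host it prints nothing. Substring matching deliberately errs toward false positives, because the cost of a missed implant on a machine holding wallet keys is much higher than a minute spent dismissing a benign hit such as an unrelated tool whose name contains one of the strings.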