Cryptocurrency stealer for Windows, macOS and Linux went undetected for a year | GeekComparison

A stack of coins with the bitcoin logo sits atop a laptop keyboard.

The rising valuations of cryptocurrencies have broken record after record in recent years, turning people with once modest interests into millionaires overnight. A determined band of criminals has tried to join the party using a broad operation that has spent the past 12 months using a full-blown marketing campaign to push custom malware written from scratch for Windows, macOS, and Linux. devices.

The operation, which has been in operation since January 2020, has spared no expense to steal the wallet addresses of unwitting cryptocurrency holders, according to a report published by security firm Intezer. The scheme includes three separate Trojan apps, each running on Windows, macOS, and Linux. It also relies on a network of fake companies, websites and social media profiles to gain the trust of potential victims.

Sometimes inconspicuous

The apps masquerade as benign software that is useful to cryptocurrency holders. Hidden inside is a remote access trojan written from scratch. Once an app is installed, ElectroRAT, as Intezer has called the backdoor, allows the crooks behind the operation to log keystrokes, take screenshots, upload files, download and install them, and execute commands on infected machines. As proof of their stealth, the fake cryptocurrency apps went undetected by all major antivirus products.

“It is highly unusual for a RAT to be written from scratch and used to steal personal information from cryptocurrency users,” researchers wrote in the Intezer report. “It’s even rarer to see such a broad and targeted campaign that includes various components, such as fake apps and websites, and marketing/promotional efforts through relevant forums and social media.”

The three apps used to infect targets were dubbed “​Jamm”, “eTrade” and “DaoPoker”. The first two apps claimed to be a cryptocurrency trading platform. The third was a poker app that enabled cryptocurrency betting.

The crooks used fake promotion campaigns on cryptocurrency-related forums such as bitcointalk and SteemCoinPan. The promotions, which were published by fake social media users, led to one of three websites, one for each of the available trojanized apps. ElectroRAT is written in the Go programming language.

The image below summarizes the operation and the various parts it used to target cryptocurrency users:


Follow Execmac

ElectroRAT uses Pastebin pages published by a user named “Execmac” to find its command-and-control server. The user’s profile page shows that the pages have received more than 6,700 page views as of January 2020. According to Intezer, the number of hits roughly corresponds to the number of infected people.

The security company said Execmac has historical links with Windows Trojans Amadey and KPOT, which are for sale on underground forums.

“A reason behind this [change] might be to target multiple operating systems,” Intezer’s post speculated. “Another motivating factor is that this is an unknown Golang malware, which allowed the campaign to stay under the radar for a year by dodging all antivirus detections.”

The best way to know if you are infected is to look for the installation of one of the three apps mentioned earlier. The Intezer post also provides links that Windows and Linux users can use to detect ElectroRAT in memory. People who are infected have to disinfect their systems, change all passwords and move money to a new wallet.

Leave a Comment