Already with thousands of victims.
With Bitcoin on the rise and a market exceeding billions of dollars, cryptocurrency has attracted threat actors wishing to leverage these capitals for their own financial gain.
In December, we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have initiated in January 2020. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.
The campaign includes: Domain registrations, websites, trojanized applications, fake social media accounts and a new undetected remote access trojan that we have named ElectroRAT. ElectroRAT is written in Golang and compiled to target multiple operating systems: Windows, Linux and MacOS.
It is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes.
The attacker behind this operation has lured cryptocurrency users to download trojanized applications by promoting them in dedicated online forums and on social media. We estimate this campaign has already infected thousands of victims—based on the number of unique visitors to the pastebin pages used to locate the command and control servers.
The attacker has created three different trojanized applications, each with a Windows, Linux and Mac version. The binaries are hosted on websites built specifically for this campaign.
These applications are directly related to cryptocurrency. “Jamm” and “eTrade” are cryptocurrency trade management applications and “DaoPoker” is a cryptocurrency poker app. Figures 1 and 2 are the homepages of the “Jamm” and “eTrade” websites. Figure 3 shows what the “eTrade” application looks like once it runs on an Ubuntu desktop.
Figure 1: “Kintum” homepage which hosts eTrade’s Windows, Linux and MacOS trojans
Figure 2: “Jamm” homepage which hosts Jamm’s Windows, Linux and MacOS trojans
Figure 3: eTrade (Kintum) application on Ubuntu desktop
These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to browse the applications’ web pages, where they could download the application without knowing they were actually installing malware. Figures 4 and 5 are examples of the promotions posted in these forums.
Figure 4: The user “anri.rixardinh” posting in a Chinese Hive forum in PeakD promoting “eTrade” application
Figure 5: “Jamm” application promoted in bitcointalk forum
The attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application, in addition to paying a social media influencer for advertisement. Figure 6 shows the DaoPoker Twitter page. Figure 7 shows eTrade promoted by a social media advertiser with over 25K followers on Twitter.
Figure 6: DaoPoker’s Twitter page
Figure 7: eTrade (Kintum) promoted via a social media advertiser on Twitter
Victims of the Operation
As part of its behavioral flow, ElectroRAT contacts raw pastebin pages to retrieve the C&C IP address. The pastebin pages are published by the same user called “Execmac”. Browsing the user’s page, we have more visibility into the number of victims subject to this campaign. In Figure 8, we can see that the amount of unique visitors to the user’s pastes is approximately 6.5K [at the time of this writing]. We can also see the first pastebin pages were posted on January 8 2020, which indicates the operation has been active for at least a year.
Figure 8: https[:]//pastebin[.]com/u/execmac pastebin page
We also saw evidence of victims who were compromised by these applications commenting on posts related to MetaMask. See Figures 9 and 10.
Figure 9: A user commenting on a MetaMask Tweet
Figure 10: A user alerting on DaoPoker
Opening a Can of Stealers
The above-mentioned pastebin page reveals more insights. Other pastes published by the same user contain C&Cs directly tied to Amadey and KPOT. These malware are stealers mainly purchased on the Dark Web as off-the-shelf malware. ElectroRAT shares similar functionalities to these well-known trojans, however, it’s written from scratch in Golang. We assume a reason for this is to target multiple operating systems, since Golang is incredibly efficient for multi-platform use. Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all Antivirus detections.
Jamm, DaoPoker and eTrade were built using Electron, an app building platform. ElectroRAT is embedded inside each application. Once a victim runs the application, an innocent GUI will open, while ElectroRat runs hidden in the background as “mdworker”. Figure 3 above shows eTrade app GUI upon runtime on an infected Ubuntu desktop machine. Figure 11 shows what the infection looks like behind the scenes using Intezer’s Cloud Workload Protection Platform, Intezer Protect.
Figure 11: ElectroRAT alert in Intezer Protect
The trojanized application and the ElectroRAT binaries are either low detected or completely undetected in VirusTotal at the time of this writing. Figure 12 shows the signed DaoPoker application’s detection rate in VirusTotal.
Figure 12: DaoPoker application in VirusTotal (2c35bfabc6f441a90c8cc584e834eb59)
ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.
For more technical information, browse the following Tweet:
[1/7] Operation #ElectroRAT is a new campaign that takes sizable measures to steal crypto wallets. For more information about the operation – https://t.co/CWLnOevKir
The following is a technical analysis->@IntezerLabs
— Avigayil Mechtinger (@AbbyMCH) January 5, 2021
Detection & Response
Detect if a Machine in Your Network Has Been Compromised
You can quickly detect if your machine, or a machine in your network, has been compromised by malware using Intezer Protect and Intezer Analyze Endpoint Scanner:
Linux threats are on the rise. Use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. We have a free community edition.
Figure 10 above emphasizes an Intezer Protect alert on a compromised machine. The alert provides you with full context about the malicious code including threat classification, binary’s path on the disk, process tree, command and hash.
Running Intezer’s Endpoint Scanner will provide you with visibility into the type and origin of all binary code that resides in your machine’s memory. Figure 13 shows an example of an endpoint infected with ElectroRAT.
Figure 13: Endpoint infected with ElectroRAT
If you were, or suspect that you are a victim of this scam, take the following steps:
- Kill the process and delete all files related to the malware.
- Make sure your machine is clean and running 100% trusted code using Intezer’s tools mentioned above.
- Move your funds to a new wallet.
- Change all of your passwords.
You can also run this YARA rule against in-memory artifacts to detect ElectroRAT.
It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.
ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware. We touched upon this trend in the Top Linux Cloud Threats of 2020.
ElectroRAT’s PE and ELF versions are indexed in Intezer Analyze so that you can quickly classify any samples that are genetically similar.