ElectroRAT: Attacker Creates Fake Companies to Drain Crypto Wallets

Operation ElectroRAT: Attacker Creates Fake Companies to Drain Your Crypto Wallets

Written by Avigayil Mechtinger


    Already with thousands of victims.


    With Bitcoin on the rise and a market worth billions of dollars, cryptocurrency has attracted threat actors who want to divert this capital for their own financial gain.

    In December, we discovered a wide-ranging operation targeting cryptocurrency users, estimated to have begun in January 2020. This extensive operation is composed of a full-fledged marketing campaign, custom cryptocurrency-related applications and a new Remote Access Tool (RAT) written from scratch.

    The campaign includes domain registrations, websites, trojanized applications, fake social media accounts and a new, undetected remote access trojan that we have named ElectroRAT. ElectroRAT is written in Golang and compiled to target multiple operating systems: Windows, Linux and MacOS.

    It is rather common to see various information stealers trying to collect private keys to access victims’ wallets. However, it is rare to see tools written from scratch and used to target multiple operating systems for these purposes.

    The attacker behind this operation has lured cryptocurrency users into downloading trojanized applications by promoting them in dedicated online forums and on social media. We estimate this campaign has already infected thousands of victims, based on the number of unique visitors to the pastebin pages used to locate the command and control servers.


    The Operation

    The attacker has created three different trojanized applications, each with a Windows, Linux and Mac version. The binaries are hosted on websites built specifically for this campaign.

    These applications are directly related to cryptocurrency. “Jamm” and “eTrade” are cryptocurrency trade management applications and “DaoPoker” is a cryptocurrency poker app. Figures 1 and 2 are the homepages of the “Jamm” and “eTrade” websites. Figure 3 shows what the “eTrade” application looks like once it runs on an Ubuntu desktop.

    Figure 1: “Kintum” homepage, which hosts eTrade’s Windows, Linux and MacOS trojans

    Figure 2: “Jamm” homepage, which hosts Jamm’s Windows, Linux and MacOS trojans

    Figure 3: eTrade (Kintum) application on an Ubuntu desktop

    These applications were promoted in cryptocurrency and blockchain-related forums such as bitcointalk and SteemCoinPan. The promotional posts, published by fake users, tempted readers to visit the applications’ web pages, where they could download the application without knowing they were actually installing malware. Figures 4 and 5 are examples of the promotions posted in these forums.

    Figure 4: The user “anri.rixardinh” posting in a Chinese Hive forum on PeakD, promoting the “eTrade” application

    Figure 5: “Jamm” application promoted in the bitcointalk forum

    The attacker went the extra mile to create Twitter and Telegram personas for the “DaoPoker” application, in addition to paying a social media influencer for advertisement. Figure 6 shows the DaoPoker Twitter page. Figure 7 shows eTrade promoted by a social media advertiser with over 25K followers on Twitter.

    Figure 6: DaoPoker’s Twitter page

    Figure 7: eTrade (Kintum) promoted via a social media advertiser on Twitter

    Victims of the Operation

    As part of its behavioral flow, ElectroRAT contacts raw pastebin pages to retrieve the C&C IP address. The pastebin pages are published by the same user, called “Execmac”. Browsing the user’s page gives us more visibility into the number of victims of this campaign. In Figure 8, we can see that the number of unique visitors to the user’s pastes is approximately 6.5K [at the time of this writing]. We can also see that the first pastebin pages were posted on January 8, 2020, which indicates the operation has been active for at least a year.

    Figure 8: https[:]//pastebin[.]com/u/execmac pastebin page

    We also saw evidence of victims who were compromised by these applications commenting on posts related to MetaMask. See Figures 9 and 10.

    Figure 9: A user commenting on a MetaMask Tweet

    Figure 10: A user alerting others about DaoPoker

    Opening a Can of Stealers

    The above-mentioned pastebin page reveals more insights. Other pastes published by the same user contain C&Cs directly tied to Amadey and KPOT. Both are information stealers, mainly purchased on the Dark Web as off-the-shelf malware. ElectroRAT offers functionality similar to these well-known trojans; however, it is written from scratch in Golang. We assume one reason for this is to target multiple operating systems, since Golang is well suited to multi-platform development. Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections.

    Technical Analysis

    Jamm, DaoPoker and eTrade were built using Electron, an application-building framework. ElectroRAT is embedded inside each application. Once a victim runs the application, a benign-looking GUI opens, while ElectroRAT runs hidden in the background as “mdworker”. Figure 3 above shows the eTrade app GUI at runtime on an infected Ubuntu desktop machine. Figure 11 shows what the infection looks like behind the scenes using Intezer’s Cloud Workload Protection Platform, Intezer Protect.

    Figure 11: ElectroRAT alert in Intezer Protect

    The trojanized applications and the ElectroRAT binaries have either very few detections or none at all in VirusTotal at the time of this writing. Figure 12 shows the detection rate of the signed DaoPoker application in VirusTotal.

    Figure 12: DaoPoker application in VirusTotal (2c35bfabc6f441a90c8cc584e834eb59)

    ElectroRAT is extremely intrusive. It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console. The malware has similar capabilities for its Windows, Linux and MacOS variants.

    For more technical information, browse the following Tweet:

    Detection & Response

    Detect if a Machine in Your Network Has Been Compromised

    You can quickly detect if your machine, or a machine in your network, has been compromised by malware using Intezer Protect and Intezer Analyze Endpoint Scanner:

    Linux Machines

    Linux threats are on the rise. Use Intezer Protect to gain full runtime visibility over the code in your Linux-based systems and get alerted on any malicious or unauthorized code. We have a free community edition.

    Figure 11 above shows an Intezer Protect alert on a compromised machine. The alert provides you with full context about the malicious code, including threat classification, the binary’s path on disk, process tree, command line and hash.

    Windows Machines

    Running Intezer’s Endpoint Scanner will provide you with visibility into the type and origin of all binary code that resides in your machine’s memory. Figure 13 shows an example of an endpoint infected with ElectroRAT.

    Figure 13: Endpoint infected with ElectroRAT


    If you are, or suspect you may be, a victim of this scam, take the following steps:

    1. Kill the process and delete all files related to the malware.
    2. Make sure your machine is clean and running 100% trusted code using Intezer’s tools mentioned above.
    3. Move your funds to a new wallet.
    4. Change all of your passwords.

    You can also run this YARA rule against in-memory artifacts to detect ElectroRAT.
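The behaviors described above (ElectroRAT hiding as “mdworker” and fetching its C&C address from raw pastebin pages) can also be turned into simple hunting logic over process and network telemetry. The following is an added example, not Intezer’s tooling or the YARA rule; it assumes a constructed event schema, that the stock macOS Spotlight worker lives under CoreServices, and uses the DaoPoker hash from Figure 12.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: the legitimate macOS Spotlight worker lives under this prefix.
# Linux and Windows have no such process, so any "mdworker" there is suspect.
LEGIT_MDWORKER_PREFIX = "/System/Library/Frameworks/CoreServices.framework/"
PASTEBIN_RAW = re.compile(r"https?://pastebin\.com/raw/", re.I)
BROWSERS = {"chrome", "firefox", "safari", "msedge", "brave"}
# MD5 quoted on the page for the signed DaoPoker application (Figure 12).
KNOWN_HASHES = {"2c35bfabc6f441a90c8cc584e834eb59"}

@dataclass
class ProcEvent:
    host: str
    os: str        # "linux" | "macos" | "windows"
    name: str
    path: str
    parent: str
    md5: str = ""
    url: str = ""  # outbound HTTP request made by the process, if any

def assess(ev: ProcEvent) -> list:
    """Return the reasons this event looks like ElectroRAT activity (empty if none)."""
    reasons = []
    base = ev.name.lower()
    if base.startswith("mdworker"):
        if ev.os != "macos":
            reasons.append(f"mdworker has no legitimate counterpart on {ev.os}")
        elif not ev.path.startswith(LEGIT_MDWORKER_PREFIX):
            reasons.append("mdworker running from a non-system path")
    if ev.url and PASTEBIN_RAW.search(ev.url) and base not in BROWSERS:
        reasons.append("non-browser process fetching a raw pastebin page (C2 lookup pattern)")
    if ev.md5.lower() in KNOWN_HASHES:
        reasons.append("hash matches a known trojanized application")
    return reasons

def triage(events) -> dict:
    """Map (host, process name) to its findings, keeping only events that hit."""
    return {(e.host, e.name): r for e in events if (r := assess(e))}

# Constructed sample telemetry for the demo, not real logs.
SAMPLE = [
    ProcEvent("ws-01", "linux", "mdworker", "/home/alice/.config/eTrade/mdworker",
              "etrade", url="https://pastebin.com/raw/EXAMPLEID"),
    ProcEvent("mac-02", "macos", "mdworker_shared", LEGIT_MDWORKER_PREFIX + "mdworker_shared", "launchd"),
    ProcEvent("win-03", "windows", "DaoPoker.exe", r"C:\Users\bob\AppData\Local\DaoPoker\DaoPoker.exe",
              "explorer.exe", md5="2c35bfabc6f441a90c8cc584e834eb59"),
    ProcEvent("ws-04", "linux", "chrome", "/opt/google/chrome/chrome", "systemd",
              url="https://pastebin.com/raw/notes"),
]

if __name__ == "__main__":
    for key, reasons in triage(SAMPLE).items():
        print(key, reasons)
```

A browser loading a pastebin page is deliberately left out of the findings; the signal is the combination of a non-browser process and the raw-paste URL, not pastebin traffic by itself.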


    It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even rarer to see such a wide-ranging and targeted campaign that includes components such as fake apps and websites together with marketing and promotional efforts via relevant forums and social media.

    ElectroRAT is the latest example of attackers using Golang to develop multi-platform malware. We touched upon this trend in the Top Linux Cloud Threats of 2020.

    ElectroRAT’s PE and ELF versions are indexed in Intezer Analyze so that you can quickly classify any samples that are genetically similar.

    Avigayil Mechtinger

    Avigayil is a product manager at Intezer, leading Intezer Analyze product lifecycle. Prior to this role, Avigayil was part of Intezer's research team and specialized in malware analysis and threat hunting. During her time at Intezer, she has uncovered and documented different malware targeting both Linux and Windows platforms.
