ElectroRAT Steals from Crypto-Wallets

With Bitcoin peaking at 40,000 dollars, this is not the time for owners to have unsecured wallets. ElecrtoRAT is a malware cryptocurrency miners and users need to watch out for. It is part of a scheme that uses malware to distribute cryptocurrency Trojans that has been active since January of 2020, according to cybersecurity firm Intezer.

ElectroRAT, much like another malware recently discovered by the firm (the Golang Worm), is made with Google’s Golang and the cross-platform app framework Electron. ElectroRAT has a wide range because it also targets multiple operating systems including Windows, Linux, and macOS. According to researchers at Intezer, ElectroRAT is able to evade antivirus engines through the use of Golang.

Attackers use ElectroRAT masked as cryptocurrency trading apps and even a poker game that uses cryptocurrency. These apps (Jamm, eTrade, DaoPoker) all have Mac, Windows and Linux versions. The apps are made to appear genuine because they’re even promoted via Twitter, Telegram, bitcointalk and SteamCoinPan. The apps have a valid working interface, but behind the scenes are capable of taking screenshots, copying keystrokes, file uploads and downloads, and command execution.

Unfortunately, these covert activities aren’t detected by most antivirus engines, so those who mine and use cryptocurrencies are urged to stop using the services mentioned and to look for a background process called ‘mdworker’. Other services may be involved so it would be prudent to look for the offending process and kill it immediately. Users are also urged to delete all files related to the malware, change to more secure passwords and even move funds to a new wallet, best using an unaffected computer.

And because ElectroRAT apps are actively promoted and masked as valid apps, this campaign has already claimed about 6,500 cryptocurrency users which amounts to millions worth of conventional currency. Additional care and security is therefore encouraged for current and future crypto users.