ElectroRAT Malware that Stole Crypto Went Undetected for Over a Year
Image Source: Unsplash

Bitcoin has continued its unprecedented bull run going into the new year. Signs of bullish momentum were seen in October 2020 when the price broke past a two-year resistance. As of January 8, 2021, the price of one BTC is around $40,000.

However, as the crypto market has been undergoing an unprecedented rally throughout 2020 and continuing in 2021, a group of hackers has been secretly stealing crypto from users. The group created a new type of malware called ElectroRAT, which has gone undetected for the past 12 months.

About The ElectroRAT Malware

ElectroRAT was uncovered in December 2020 by researchers at Intezer Labs. According to a report they published, the malware began spreading around January 2020. The hackers used three crypto-related apps to steal crypto from unsuspecting users.

They named the three fake apps eTrade/Kintum, Jamm, and DaoPoker. The first two apps were promoted as simple platforms where users could trade crypto. They promoted the third app as a crypto-related poker app.

All three apps came in versions compatible with Mac, Windows, and Linux devices. The hackers built the apps from the ground app using the Electron app-building framework. All the apps were written using the Go programming language. The hackers installed stealthy malware in the app, which allowed them to steal crypto from the users.

How The Malware Worked

The apps came with Trojan malware that was written from the ground app. Once a user installed the app, the ElectroRAT Malware would allow the hackers to receive screenshots, keystrokes, install files, make uploads and downloads, and execute commands. By building the apps from scratch, the hackers were able to avoid all major antivirus software.

In their report, the researchers noted that it was rare to find RAT written from scratch and used to target crypto holders. They added that it was rarer to see such a far-reaching and targeted campaign that included various aspects such as sites, fake apps, and promotional efforts on social media and other forums.

The hackers promoted their apps via campaigns on crypto-related forums such as SteemCoinPan and Bitcointalk. They used fake social media accounts in their promotions, which would direct users to one of three websites related to each of the apps.

How To Tell If You Are Infected

The report estimates that around 65,000 users were infected by the malware. To tell if you have been infected, you should check your system for any of the apps. In the report published by Intezer, they have provided links that users of Linux and Windows can use to detect if the malware is running on their systems.

Anyone who finds the malware on their system should immediately move their funds to a new wallet and change their login details such as passwords and emails. They should also immediately disinfect their system. In the report, it was not stated whether the hackers had managed to steal any funds for users.

Notice: Information contained herein is not and should not be construed as an offer, solicitation, or recommendation to buy or sell securities. The information has been obtained from sources we believe to be reliable; however no guarantee is made or implied with respect to its accuracy, timeliness, or completeness. Authors may own the crypto currency they discuss. The information and content are subject to change without notice. Visionary Financial and its affiliates do not provide investment, tax, legal or accounting advice.

This material has been prepared for informational purposes only and is the opinion of the author, and is not intended to provide, and should not be relied on for, investment, tax, legal, accounting advice. You should consult your own investment, tax, legal and accounting advisors before engaging in any transaction. All content published by Visionary Financial is not an endorsement whatsoever. Visionary Financial was not compensated to submit this article Please also visit our Privacy policy; disclaimer; and terms and conditions page for further information.