According to cybersecurity researchers at Intezer, the malware dubbed ElectroRAT is part of a wide-ranging scam targeting cryptocurrency users that started as early as January 2020, in which trojanized applications were distributed to install the previously undetected RAT on target systems.
The malware campaign is believed to have claimed about 6,500 victims, based on the number of unique visitors to the Pastebin page used to locate the C&C (command and control) servers.
How does ElectroRAT malware target cryptocurrency users?
The campaign, dubbed "Operation ElectroRAT," involved attackers who created three different rogue applications, each with a Linux, Windows, and Mac version; two of the apps pose as cryptocurrency trading and management applications and go by the names "Jamm" and "eTrade," while the third, "DaoPoker," poses as a cryptocurrency poker platform.
On installation, the app opens a harmless-looking UI, but in reality ElectroRAT runs hidden in the background as "mdworker," with intrusive capabilities that aim to capture keystrokes, take screenshots, upload files from disk, download arbitrary files, and execute malicious commands received from the C&C server on the victim's machine.
The ElectroRAT attacker, named "Execmac," who posted on Pastebin pages as early as January 8, 2020, was discovered to have used the same C2 servers commonly employed by Windows malware such as Amadey and KPOT, suggesting the attackers may have pivoted from well-known trojans to a new RAT capable of targeting multiple operating systems.
How to mitigate the ElectroRAT malware
It is rare to find a campaign as wide-ranging and targeted as ElectroRAT, with components such as fake apps and promotional efforts via popular forums and social media.
Nonetheless, users are urged to kill the malware's process, delete all files related to the malware, and move funds to a new wallet with changed passwords.
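Because the RAT hides under the name of the macOS Spotlight worker "mdworker," one quick defender-side check is to look for any process of that name whose executable does not live under the CoreServices framework tree. The script below is an added example, not code from Intezer or from this article; it assumes the legitimate worker's location under /System/Library/Frameworks/CoreServices.framework/ and uses a constructed process listing (the Jamm path is invented) in place of live `ps` output.

```python
import re
from typing import Dict, List

# Assumption: the genuine macOS Spotlight worker (mdworker / mdworker_shared)
# is installed under this prefix; a same-named binary elsewhere is a masquerade candidate.
LEGIT_MDWORKER_PREFIX = "/System/Library/Frameworks/CoreServices.framework/"

# Constructed sample shaped like `ps -axo pid=,user=,comm=` on macOS, where
# `comm` is the full executable path. The second row is an invented trojanized-app path.
SAMPLE_PS_OUTPUT = """\
  312 root  /System/Library/Frameworks/CoreServices.framework/Frameworks/Metadata.framework/Versions/A/Support/mdworker_shared
 4815 alice /Users/alice/Library/Application Support/Jamm/mdworker
 4901 alice /Applications/Jamm.app/Contents/MacOS/Jamm
"""


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Parse `pid user path` rows; the path may contain spaces, so split at most twice."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        parts = line.strip().split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append({"pid": int(parts[0]), "user": parts[1], "exe": parts[2]})
    return rows


def suspicious_mdworker(rows: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag processes whose basename is mdworker or mdworker_shared but whose
    executable sits outside the CoreServices tree (the hiding trick described above)."""
    findings = []
    for r in rows:
        exe = str(r["exe"])
        base = exe.rsplit("/", 1)[-1]
        if re.fullmatch(r"mdworker(_shared)?", base) and not exe.startswith(LEGIT_MDWORKER_PREFIX):
            findings.append(r)
    return findings


if __name__ == "__main__":
    # On a live host, replace SAMPLE_PS_OUTPUT with the output of `ps -axo pid=,user=,comm=`.
    for f in suspicious_mdworker(parse_ps(SAMPLE_PS_OUTPUT)):
        print(f"suspicious mdworker: pid {f['pid']} user {f['user']} exe {f['exe']}")
```

A hit only tells you where to look next; confirm with the file's signature, creation time and network connections before killing the process and removing its files.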