Stealthy cross-platform malware could dispossess you of your crypto holdings
Fake crypto apps were used to infect users' systems with custom malware
As Bitcoin and other cryptocurrencies have once again reached record highs, a group of cybercriminals has been working for the past 12 months on a marketing campaign that uses custom malware to steal the contents of users’ crypto wallets.
The operation was discovered by Intezer Labs and it has been active since January of last year.
The custom malware for Windows, macOS and Linux devices is distributed through three separate trojanized apps and the cybercriminals responsible also used a network of fake companies, websites and social media profiles to dupe unsuspecting users.
The apps used in the operation include “Jamm”, “eTrade” and “DaoPoker”. While the first two apps claimed to be cryptocurrency trading platforms, the third was a poker app that allowed users to make bets using cryptocurrency.
ElectroRAT
Once a user installs one of the apps in question on their devices, a remote access trojan (RAT) which Intezer has dubbed ElectroRAT serves as a backdoor that allows the cybercriminals to log users' keystrokes, take screenshots, upload, download and install files on their systems as well as execute commands. To the cybercriminals' credit, all three apps went undetected by antivirus software.
Security researcher Avigayil Mechtinger at Intezer provided further insight on the operation and the custom malware used by the cybercriminals behind it in a new report, saying:
“It is very uncommon to see a RAT written from scratch and used to steal personal information from cryptocurrency users. It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”
In order to locate its command and control server, ElectroRAT uses Pastebin pages published by a user who goes by the handle “Execmac”. Based on Execmac’s profile, these pages have received more than 6,700 views since the operation began in January of last year and Intezer believes that these page views correspond to the number of people infected by ElectroRAT.
If you have any of the three fake apps installed on your systems, it is highly recommended that you remove them immediately and you can use Intezer’s Analyze tool to look for any traces of ElectroRAT running in memory on Windows or Linux.
Via Ars Technica
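Because ElectroRAT resolves its command and control server through Pastebin pages, outbound proxy logs are one place a defender can look for this dead-drop pattern. The script below is an added example, not code from the article or from Intezer: it parses constructed proxy log lines (the format, hosts and user agents are assumptions for the demo) and flags hosts that fetch a specific paste with a non-browser user agent or on a repeating schedule.

```python
import re
from collections import Counter

# Constructed proxy log lines for this demo (not from the Intezer report):
# "<timestamp> <client> <method> <url> \"<user-agent>\""
SAMPLE_LOGS = """\
2021-01-05T09:00:01Z 10.0.0.12 GET https://pastebin.com/raw/abc123XY "python-requests/2.25.1"
2021-01-05T09:05:02Z 10.0.0.12 GET https://pastebin.com/raw/abc123XY "python-requests/2.25.1"
2021-01-05T09:10:03Z 10.0.0.12 GET https://pastebin.com/raw/abc123XY "python-requests/2.25.1"
2021-01-05T09:12:44Z 10.0.0.31 GET https://pastebin.com/u/someuser "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
2021-01-05T09:13:10Z 10.0.0.31 GET https://pastebin.com/raw/q7Wz9Lm2 "Mozilla/5.0 (Windows NT 10.0) Chrome/87.0"
2021-01-05T09:14:00Z 10.0.0.40 GET https://example.com/index.html "curl/7.74.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')
# Pastebin paste IDs are 8 alphanumeric characters; /raw/ is the form a program would fetch.
PASTE_RE = re.compile(r'^https?://(?:www\.)?pastebin\.com/(?:raw/)?([A-Za-z0-9]{8})$')
BROWSER_PREFIXES = ("Mozilla/",)


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url, "ua": ua}


def find_dead_drop_candidates(log_text, repeat_threshold=3):
    """Return (client, paste) pairs that look like automated polling of a paste."""
    hits = Counter()          # how often each client fetched each paste
    non_browser = set()       # (client, paste) pairs fetched with a non-browser UA
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = PASTE_RE.match(rec["url"])
        if not m:
            continue
        key = (rec["client"], m.group(1))
        hits[key] += 1
        if not rec["ua"].startswith(BROWSER_PREFIXES):
            non_browser.add(key)
    findings = []
    for (client, paste), count in sorted(hits.items()):
        reasons = []
        if (client, paste) in non_browser:
            reasons.append("non-browser user agent")
        if count >= repeat_threshold:
            reasons.append(f"fetched {count} times")
        if reasons:  # a single browser visit to a paste is normal and is not reported
            findings.append({"client": client, "paste_id": paste, "count": count, "reasons": reasons})
    return findings
```

A hit only tells you a paste was polled; the next step is to pull the paste content and the requesting process from endpoint telemetry to confirm it is a C2 lookup rather than a legitimate script.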
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.