Cyber security researchers have uncovered a year-long malware operation targeting cryptocurrency users through a number of fake apps.
Security firm Intezer Labs warned that the ever-soaring crypto prices have led to increased activity among hackers and malicious actors looking for financial gain. The malware was spread over the past year but was not discovered until December 2020.
The new remote access trojan (RAT), called ElectroRAT, has been used to empty the cryptocurrency wallets of thousands of Windows, macOS and Linux users, the report added.
Three cryptocurrency-related apps used in the attack – Jamm, eTrade / Kintum and DaoPoker – were all hosted on their own websites. The first two are fake crypto trading apps, while the third is a gambling app.
The ElectroRAT malware hidden in these apps is extremely intrusive, according to the researchers:
“It has several capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files and executing commands on the victim’s console.”
Once launched on a victim’s computer, the apps display a foreground user interface designed to divert attention from the malicious background processes. The apps were promoted using social media platforms Twitter and Telegram, in addition to cryptocurrency-based forums such as Bitcointalk.
Intezer Labs estimated that the campaign has already infected “thousands of victims” whose crypto wallets have been emptied. It added that there was evidence that some of the victims compromised by the apps were using popular crypto wallets such as MetaMask.
The malware is written in the multi-platform programming language Golang, which makes it more difficult to detect. The security company stated that it was unusual to see a RAT written from scratch and designed to steal the personal information of cryptocurrency users:
“It is even rarer to see such a broad and targeted campaign that includes different components such as fake apps and websites, and marketing / promotion efforts through relevant forums and social media.”
There have been a number of instances in 2020 where fake versions of legitimate apps and browser extensions such as MetaMask or Ledger have found their way onto victims’ computers. This may be related to the massive Ledger data breach in mid-December.
In September 2020, Coinbase users were among the victims of new Android-based malware distributed through the Google Play Store.