Security firm Intezer Labs has announced the discovery of a covert, year-long malware operation carried out by cybercriminals. It involved creating fake cryptocurrency apps to trick users into installing a new strain of malware on their systems, with the end goal of stealing victims' funds.
This campaign was discovered last month, in December 2020, but researchers believe the group began spreading its malware as early as January 8, 2020.
The cybercriminals created three fake apps, named eTrade/Kintum, Jamm, and DaoPoker, and hosted them on dedicated websites at kintum[.]io, jamm[.]to and daopker[.]com, respectively.
These apps came in versions for Windows, Mac, and Linux, and were built on top of Electron, a cross-platform application framework.
Intezer researchers also discovered a new malware strain that was hidden inside the app, which the company's researchers named ElectroRAT.
In a report shared with ZDNet, the researchers described ElectroRAT as extremely intrusive. "The capabilities are keystroke logging, taking screenshots, downloading files, uploading files from disk, and executing commands on the victim's console making it more dangerous," they said.
According to Intezer, the malware was used to collect cryptocurrency wallet keys, which the operators then used to attack victims' accounts.
Intezer says the hackers posted ads for the three apps and their websites on niche cryptocurrency forums, or they used social media accounts to spread the trojanized applications.
Because of a quirk in the malware's design, which retrieved the address of its command and control server from a Pastebin URL, Intezer believes this operation infected around 6,500 users, based on the total number of times the Pastebin URLs were accessed.
Cryptocurrency users who lost funds over the past year without identifying the source of their breach should check to see whether they have downloaded and installed any of the three apps mentioned in this article.
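The following is an added example, not code from the article or from Intezer, showing how a practitioner could run that check on a host and on exported DNS or proxy logs. It uses only the indicators the article gives (the three app names and the three hosting domains, plus the fact that the implant resolved its C2 from a Pastebin URL). The install directories it walks and the log line format it parses are assumptions, not Intezer's indicators, and a Pastebin fetch alone is a weak signal that only corroborates the other hits.

```python
import re
from pathlib import Path

# Indicators taken from the article: the trojanized app names and the sites
# that hosted them.  Everything else in this script is an assumption.
APP_NAMES = ("etrade", "kintum", "jamm", "daopoker")
DOMAINS = ("kintum.io", "jamm.to", "daopker.com")

# The article says the C2 address was pulled from a Pastebin URL; we only flag
# raw-paste fetches as a corroborating signal, never as proof of infection.
PASTEBIN_RE = re.compile(r"pastebin\.com/raw/\S+", re.I)

# Assumed: typical per-user and system-wide locations where Electron apps land.
def default_roots():
    home = Path.home()
    return [
        home / "AppData" / "Local", home / "AppData" / "Roaming",  # Windows
        Path("/Applications"), home / "Applications",              # macOS
        home / ".config", home / ".local" / "share", Path("/opt"),  # Linux
    ]

def match_app_name(path_str):
    """True if the final path component contains one of the three app names."""
    name = Path(path_str).name.lower()
    return any(app in name for app in APP_NAMES)

def find_app_artifacts(roots):
    """Walk the given directories and return paths that look like the fake apps."""
    hits = []
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for p in root.rglob("*"):
            if match_app_name(p):
                hits.append(str(p))
    return sorted(hits)

def scan_log_lines(lines):
    """Return (domain_hits, pastebin_hits) from free-form DNS/proxy log lines."""
    domain_hits, paste_hits = [], []
    for line in lines:
        low = line.lower()
        if any(d in low for d in DOMAINS):
            domain_hits.append(line.strip())
        if PASTEBIN_RE.search(line):
            paste_hits.append(line.strip())
    return domain_hits, paste_hits

# Constructed sample log lines (not real telemetry); the paste ID is a placeholder.
SAMPLE_LOG = [
    "2020-12-01T10:00:01Z host1 dns query A kintum.io",
    "2020-12-01T10:00:02Z host1 http GET https://pastebin.com/raw/XXXXXXXX",
    "2020-12-01T10:05:00Z host2 dns query A www.google.com",
    "2020-12-01T10:06:00Z host3 http GET https://daopker.com/download/daopoker.exe",
]

if __name__ == "__main__":
    for hit in find_app_artifacts(default_roots()):
        print("possible trojanized app:", hit)
    domains, pastes = scan_log_lines(SAMPLE_LOG)
    for line in domains:
        print("contact with hosting domain:", line)
    for line in pastes:
        print("pastebin raw fetch (corroborating only):", line)
```

Run it as the affected user so the per-user paths resolve; a hit on a hosting domain or an installed app is the actionable finding, and the short app names (especially "jamm") will also match unrelated files, so review each path by hand rather than acting on the list blindly.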
Intezer Labs also pointed out that ElectroRAT was written in Go, a programming language that has become more popular with malware authors over the past year.
The reasons for Go's rising popularity among malware authors are that detection and analysis of Go malware are usually more complicated than for malware written in C, C++, or C#, and that Go lets operators cross-compile binaries for different platforms more easily than other languages, making multi-platform malware easier to build than before.