Thousands of cryptocurrency users have reportedly been the victims of crypto apps that were advertised as legitimate but secretly contained malware that infiltrated users’ computers and stole information, including cryptocurrency wallet keys.
Security firm Intezer Labs discovered and extensively detailed the malware, which it has dubbed ElectroRAT, in a report issued today. The malware was first discovered in December, although data from a pastebin used by the malware suggests that it has been in the wild since at least January 8, 2020.
Avigayil Mechtinger (@AbbyMCH), January 5, 2021, on Twitter: “The following is a technical analysis -> @IntezerLabs”
The sophisticated campaign involved a trio of cryptocurrency apps developed for Windows, macOS, and Linux called Jamm, eTrade (or Kintum), and DaoPoker. Intezer describes the malware as “extremely intrusive,” capable of keylogging, downloading and executing files, uploading files, and taking screenshots without the user’s knowledge.
In its report, Intezer shows how the applications were promoted and distributed via cryptocurrency forums and Twitter. All told, based on the number of unique visitors to the pastebin used by the malware, the firm believes that at least 6,500 users were impacted.
The fake software was created using app-building platform Electron and coded from scratch in the Go language, rather than using pre-built, off-the-shelf malware code. According to Intezer Labs, using Go likely made it easier for the creators to rapidly develop versions for multiple platforms, while ZDNet notes that the complexity of the language makes analyzing and detecting malware more difficult.
“Writing the malware from scratch has also allowed the campaign to fly under the radar for almost a year by evading all antivirus detections,” Intezer Labs writes.
If you have used any of the fraudulent apps mentioned above, Intezer has a breakdown of how to detect the processes and clear your system using its software. The firm also suggests moving crypto assets to a different wallet and changing all of your passwords.