Three cryptocurrency applications hid an unpleasant surprise for those who downloaded them.
3 applications stole cryptocurrency undetected for a year, researchers warn
Cyber security researchers have discovered a year-long malware operation that targeted cryptocurrency users through a series of fake applications.
Security company Intezer Labs warned that rising cryptocurrency prices have increased activity among hackers and malicious actors seeking financial gain. The malware was in circulation throughout last year but was not discovered until December 2020.
The new remote access trojan (RAT), dubbed ElectroRAT, was used to empty the cryptocurrency wallets of thousands of Windows, macOS and Linux users, the report added.
Three cryptocurrency-related applications were deployed in the attack – Jamm, eTrade/Kintum and DaoPoker – each hosted on its own website. The first two are fake crypto trading applications, while the third is a gambling application.
According to the researchers, the ElectroRAT malware hidden inside these applications is extremely intrusive:
„It has several features, such as capturing keystrokes, capturing screenshots, uploading files from the disk, downloading files, and executing commands on the victim’s console.“
Once launched on the victim’s computer, the applications show a foreground user interface designed to divert attention from the malicious processes running in the background. The applications were promoted on the social media platforms Twitter and Telegram, as well as on crypto-focused forums such as Bitcointalk.
Intezer Labs estimated that the campaign has already infected „thousands of victims“ whose cryptocurrency wallets were emptied. It added that there was evidence that some victims compromised by the applications were using popular wallets such as MetaMask.
The malware was written in the multi-platform programming language Golang, which makes it more difficult to detect. The security company said it was unusual to see a RAT designed to steal personal information from cryptocurrency users that was written from scratch, adding:
„It is rare to see a campaign so broad and targeted that it includes multiple components, such as fake applications and websites, and marketing/promotion efforts through relevant forums and social media.“
There were a number of cases in 2020 where fake versions of legitimate applications and browser extensions, such as MetaMask or Ledger, reached victims’ computers. This may be related to the massive data breach at Ledger in mid-December.
In September 2020, Coinbase users were among the victims of a new Android malware spread through the Google Play Store.