Fake cryptocurrency trade management tools spread ElectroRAT trojan

ElectroRAT trojan hidden within software empties cryptocurrency wallets

Due to a hidden trojan in fake software, cryptocurrency users have their crypto-wallets emptied

According to the researchers' report, in December 2020 they discovered[1] a remote access trojan,[2] or RAT for short, that has been spread to steal cryptocurrency. The threat was distributed disguised as Electron applications for cryptocurrency trade management (eTrade and Jamm) and as a cryptocurrency poker app (DaoPoker).

These apps were heavily advertised on various social media platforms and on online forums specializing in cryptocurrencies. Thousands of victims were tricked into downloading this software, and consequently, their devices were infected with a cross-platform trojan.

When any of these applications, built for Windows, Linux, and macOS, was launched, the ElectroRAT trojan would execute its processes in the background. The RAT is capable of taking screenshots, downloading files, executing commands, uploading data, keylogging, etc. When enough information has been collected, all cryptocurrency funds can be drained from the victims' accounts.

Cryptocurrency is becoming more and more popular because digital wallets and currencies are more valued than paper money. It seems that in some countries, paying through money applications, by credit card, or even with cryptocurrency is more valued than regular cash. That only makes cryptocurrency more attractive to scammers and criminals.

Fake companies created to advertise the multi-platform trojan

The creators of the ElectroRAT cryptocurrency-stealing trojan took a big step when it comes to malware delivery. Fake companies with official, detailed, legit-looking webpages were created to promote their malicious software. Three applications were created, and each one got its own portal.

Each website was named after the fake software to trick people into downloading it. Out of the three company sites that were created (jamm[.]to, daopoker[.]com, kintum[.]io), only the latter is still operational. Make sure never to download the fake cryptocurrency trading and managing tools, and tell anyone who trades Bitcoin, Bitcoin Cash, Ethereum, or other cryptocurrencies to be aware of such scams.

Also, fake user accounts were created on crypto-forums to promote these accounts, and moreover, social media influencers were paid to do it.[3] The discoverers of the ElectroRAT trojan were astounded by how much work was put in to deliver this malware to thousands of crypto-traders and said:

It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.

The newly created trojan has been in use since January 2020

Most trojans are detectable by professional anti-malware software, so the threat actors chose not to reuse existing code and created ElectroRAT from scratch. Reports indicate that this malware was created using the Golang programming language, as it is extremely intrusive and hardly detectable. As the lab that discovered the threat stated:

The trojanized application and the ElectroRAT binaries are either low detected or completely undetected in VirusTotal at the time of this writing. <…> It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users.

These fake apps were created using the Electron open-source framework,[4] which made them available and operational on all platforms: macOS, Windows, and even Linux. Researchers believe that the spreading campaign for the cryptocurrency-draining trojan was initiated as early as the 8th of January 2020 and that over 6,500 people were affected by it during that time.[5]

People who lost cryptocurrency from their wallets and have no clue what happened are urged to remove the ElectroRAT trojan from their devices by completely removing the Jamm, DaoPoker, or eTrade trojanized apps and killing all related processes. If you have any of these apps but your wallet is untouched, do the same, and afterward transfer all funds to a new wallet and change all passwords to be safe.
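To check whether any machine on a network contacted the three distribution sites named in this article, a defender can match proxy or DNS log entries against them. The following is an added example, not code from the researchers' report or from this site; the log layout (`timestamp client method target`), the function names, and the sample lines are constructed assumptions.

```python
from urllib.parse import urlsplit

# Distribution sites exactly as listed (defanged) in the article.
DEFANGED_SITES = ["jamm[.]to", "daopoker[.]com", "kintum[.]io"]

def refang(text):
    """Undo the '[.]' defanging so the value can be compared with log data."""
    return text.replace("[.]", ".")

SITES = {refang(s).lower() for s in DEFANGED_SITES}

def host_of(target):
    """Extract a lowercase hostname from a URL, host:port pair, or bare host."""
    target = target.strip()
    if "://" not in target:
        target = "//" + target  # lets urlsplit parse it as a network location
    try:
        host = urlsplit(target).hostname or ""
    except ValueError:          # malformed target in the log line
        return ""
    return host.rstrip(".").lower()

def matched_site(target):
    """Return the listed site if the host is that site or one of its subdomains."""
    host = host_of(target)
    for site in SITES:
        # Require a label boundary so 'notjamm.to' does not match 'jamm.to'.
        if host == site or host.endswith("." + site):
            return site
    return None

def scan(log_lines):
    """Return (client, site) pairs for lines whose 4th field hits a listed site."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) >= 4 and (site := matched_site(fields[3])):
            hits.append((fields[1], site))
    return hits

# Constructed sample log, written defanged here and refanged at runtime.
SAMPLE_LOG = [refang(line) for line in [
    "2021-01-06T10:02:11Z 10.0.0.5 GET https://kintum[.]io/download",
    "2021-01-06T10:02:15Z 10.0.0.7 CONNECT jamm[.]to:443",
    "2021-01-06T10:03:01Z 10.0.0.9 GET http://notjamm[.]to/",
    "2021-01-06T10:03:40Z 10.0.0.9 GET https://kintum[.]io.example.net/x",
    "2021-01-06T10:04:02Z 10.0.0.5 GET http://www.daopoker[.]com/",
]]

if __name__ == "__main__":
    for client, site in scan(SAMPLE_LOG):
        print(f"{client} contacted {site.replace('.', '[.]')}")
```

A hit only shows that a host reached one of the sites; whether a trojanized app was installed and run still has to be confirmed on the machine itself.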

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
