Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year

A pile of coins with the bitcoin logo sits atop a laptop keyboard.

Soaring cryptocurrency valuations have broken record after record over the past few years, turning people with once-modest holdings into overnight millionaires. One determined ring of criminals has tried to join the party using a wide-ranging operation that for the past 12 months has used a full-fledged marketing campaign to push custom-made malware written from scratch for Windows, macOS, and Linux devices.

The operation, which has been active since at least January 2020, has spared no effort in stealing the wallet addresses of unwitting cryptocurrency holders, according to a report published by security firm Intezer. The scheme includes three separate trojanized apps, each of which runs on Windows, macOS, and Linux. It also relies on a network of fake companies, websites, and social media profiles to win the confidence of potential victims.

Uncommonly stealthy

The apps pose as benign software that’s useful to cryptocurrency holders. Hidden inside is a remote access trojan that was written from scratch. Once an app is installed, ElectroRAT—as Intezer has dubbed the backdoor—then allows the crooks behind the operation to log keystrokes, take screenshots, upload, download, and install files, and execute commands on infected machines. In a testament to their stealth, the fake cryptocurrency apps went undetected by all major antivirus products.

“It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users,” researchers wrote in the Intezer report. “It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”

The three apps that were used to infect targets were called “​Jamm,​” “​eTrade,”​ and “​DaoPoker.​” The first two apps claimed to be a cryptocurrency trading platform. The third was a poker app that allowed bets with cryptocurrency.

The crooks used fake promotional campaigns on cryptocurrency-related forums such as bitcointalk and SteemCoinPan. The promotions, which were published by fake social media users, led to one of three websites, one for each of the available trojanized apps. ElectroRAT is written in the Go programming language.

The image below summarizes the operation and the various pieces it used to target cryptocurrency users:

Tracking Execmac

ElectroRAT uses Pastebin pages published by a user named “Execmac” to locate its command-and-control server. The user’s profile page shows that since January 2020 the pages have received more than 6,700 page views. Intezer believes that the number of hits roughly corresponds to the number of people infected.

The security firm said that Execmac in the past has had ties to the Windows trojans Amadey and KPOT, which are available for purchase in underground forums.

“A reason behind this [change] could be to target multiple operating systems,” Intezer’s post speculated. “Another motivating factor is this is an unknown Golang malware, which has allowed the campaign to fly under the radar for a year by evading all Antivirus detections.”

The best way to know if you’ve been infected is to look for the installation of any of the three apps mentioned earlier. The Intezer post also provides links that Windows and Linux users can use to detect ElectroRAT running in memory. People who have been infected should disinfect their systems, change all passwords, and move funds to a new wallet.