https://arstechnica.com/information-technology/2021/01/cryptocurrency-stealer-for-windows-macos-and-linux-went-undetected-for-a-year/

BEWARE OF PICKPOCKETS -- Cryptocurrency stealer for Windows, macOS, and Linux went undetected for a year

ElectroRAT was written from scratch and was likely installed by thousands.

Dan Goodin - Jan 5, 2021 3:00 pm UTC

[Image: A pile of coins with the bitcoin logo sits atop a laptop keyboard. George / Getty Images]

Soaring cryptocurrency valuations have broken record after record over the past few years, turning people with once-modest holdings into overnight millionaires. One determined ring of criminals has tried to join the party using a wide-ranging operation that for the past 12 months has used a full-fledged marketing campaign to push custom-made malware written from scratch for Windows, macOS, and Linux devices.

The operation, which has been active since at least January 2020, has spared no effort in stealing the wallet addresses of unwitting cryptocurrency holders, according to a report published by security firm Intezer. The scheme includes three separate trojanized apps, each of which runs on Windows, macOS, and Linux.
It also relies on a network of fake companies, websites, and social media profiles to win the confidence of potential victims.

Uncommonly stealthy

The apps pose as benign software that's useful to cryptocurrency holders. Hidden inside is a remote access trojan that was written from scratch. Once an app is installed, ElectroRAT--as Intezer has dubbed the backdoor--then allows the crooks behind the operation to log keystrokes, take screenshots, upload, download, and install files, and execute commands on infected machines. In a testament to their stealth, the fake cryptocurrency apps went undetected by all major antivirus products.

"It is very uncommon to see a RAT written from scratch and used to steal personal information of cryptocurrency users," researchers wrote in the Intezer report. "It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media."

The three apps that were used to infect targets were called "Jamm," "eTrade," and "DaoPoker." The first two apps claimed to be a cryptocurrency trading platform. The third was a poker app that allowed bets with cryptocurrency. The crooks used fake promotional campaigns on cryptocurrency-related forums such as bitcointalk and SteemCoinPan. The promotions, which were published by fake social media users, led to one of three websites, one for each of the available trojanized apps.

ElectroRAT is written in the Go programming language. The image below summarizes the operation and the various pieces it used to target cryptocurrency users:

[Image: Overview of the ElectroRAT operation and its components. Intezer]

Tracking Execmac

ElectroRAT uses Pastebin pages published by a user named "Execmac" to locate its command-and-control server. The user's profile page shows that since January 2020 the pages have received more than 6,700 page views.
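As an added defender-side illustration of the Pastebin dead-drop lookup described above (example code, not from the article or from Intezer's report): the script scans web-proxy log lines for non-browser clients fetching raw pastes and groups them by paste URL, so the set of distinct clients per paste gives a rough infected-host count for the network. The log format, the constructed log lines, the paste-host list and the browser user-agent heuristic are all assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample web-proxy log lines (not from the article or Intezer's
# report). Assumed format: <ts> <client_ip> <method> <url> <status> "<ua>"
SAMPLE_LOG = """\
2021-01-05T10:00:01Z 10.0.0.12 GET https://pastebin.com/raw/EXAMPLE1 200 "Go-http-client/1.1"
2021-01-05T10:00:04Z 10.0.0.27 GET https://pastebin.com/raw/EXAMPLE1 200 "Go-http-client/1.1"
2021-01-05T10:01:10Z 10.0.0.31 GET https://pastebin.com/abcdEf 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/84.0"
2021-01-05T10:02:00Z 10.0.0.12 GET https://pastebin.com/raw/EXAMPLE1 200 "Go-http-client/1.1"
2021-01-05T10:03:30Z 10.0.0.44 GET https://example.org/index.html 200 "Go-http-client/1.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
PASTE_HOSTS = {"pastebin.com"}                # raw-paste endpoints used as dead drops (assumed list)
BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")  # interactive browsers, treated as benign (assumption)

def parse_line(line):
    """Split one log line into fields; None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, ua = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "ua": ua}

def is_raw_paste_fetch(rec):
    """True when a non-browser client pulls a raw paste: the shape a
    Pastebin dead-drop resolver produces. Browser visits to pastebin.com
    are normal traffic and are left alone."""
    u = urlparse(rec["url"])
    return (u.hostname in PASTE_HOSTS
            and u.path.startswith("/raw/")
            and not rec["ua"].startswith(BROWSER_UA_PREFIXES))

def find_dead_drop_clients(log_text):
    """Map each suspect raw-paste URL to the set of clients that fetched it.
    Many distinct hosts polling one raw paste is the strongest signal, and
    the size of that set approximates the number of infected hosts seen."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_raw_paste_fetch(rec):
            hits.setdefault(rec["url"], set()).add(rec["client"])
    return hits

if __name__ == "__main__":
    for url, clients in find_dead_drop_clients(SAMPLE_LOG).items():
        print(f"{url}: {len(clients)} distinct clients {sorted(clients)}")
```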
Intezer believes that the number of hits roughly corresponds to the number of people infected. The security firm said that Execmac in the past has had ties to the Windows trojans Amadey and KPOT, which are available for purchase in underground forums.

"A reason behind this [change] could be to target multiple operating systems," Intezer's post speculated. "Another motivating factor is this is an unknown Golang malware, which has allowed the campaign to fly under the radar for a year by evading all Antivirus detections."

The best way to know if you've been infected is to look for the installation of any of the three apps mentioned earlier. The Intezer post also provides links that Windows and Linux users can use to detect ElectroRAT running in memory. People who have been infected should disinfect their systems, change all passwords, and move funds to a new wallet.

Promoted Comments

Jeff S (Ars Praefectus et Subscriptor) wrote:

> conan77 wrote: So remind me why pastebin is a legitimate site?

The burden of proof for any claim is on the claimant. Doubly so when making a claim of illegitimacy/illegality. If you are claiming pastebin is NOT a legitimate site, then please offer your argument to prove the claim. Otherwise, the rest of us will just go on with our lives ignoring you, because that is the proper response to someone demanding others prove 'innocence' of any given site or person.

5007 posts | registered 6/4/2008

Dan Goodin is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Email dan.goodin@arstechnica.com // Twitter @dangoodin001