Researchers warn 3 apps have been stealing crypto undetected for a year

Published at: Jan. 7, 2021

Cyber security researchers have discovered a year-long malware operation that has targeted cryptocurrency users with the creation of a number of fake apps.

Security firm Intezer Labs warned that ever increasing crypto prices have created heightened activity among hackers and malicious actors seeking financial gains. The malware has been disseminated over the past year, but was only discovered in December 2020.

The new remote access trojan (RAT), dubbed ElectroRAT, has been used to empty the cryptocurrency wallets of thousands of Windows, macOS, and Linux users, the report added.

Three cryptocurrency-related apps deployed in the attack — Jamm, eTrade/Kintum, and DaoPoker — were all hosted on their own websites. The first two are bogus crypto trading apps while the third is gambling based.

The ElectroRAT malware hidden inside these apps is extremely intrusive according to the researchers;

“It has various capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim's console.”

After being launched on a victim's computer, the apps show a foreground user interface designed to divert attention from the malicious background processes. The apps were promoted using social media platforms Twitter and Telegram in addition to cryptocurrency based forums such as Bitcointalk.

Intezer Labs estimated that the campaign has already infected “thousands of victims” who have had their crypto wallets emptied. It added that there was evidence that some victims who were compromised by the apps were using popular crypto wallets.

The malware has been written in a multi-platform programming language called Golang which makes it harder to detect. The security firm stated that it was uncommon to see a RAT designed to steal personal information from cryptocurrency users that was written from scratch, adding;

“It is even rarer to see such a wide-ranging and targeted campaign that includes various components such as fake apps and websites, and marketing/promotional efforts via relevant forums and social media.”

There have been a number of cases in 2020 where fake versions of legitimate apps and browser extensions such as MetaMask or Ledger have made their way onto victims computers. This may be related to Ledger's massive data breach in mid-December.

In September 2020, Coinbase users were among the victims of new Android-based malware disseminated through Google Play Store.

Tags
Related Posts
California University Pays Million-Dollar Crypto Ransom
The University of California at San Francisco School of Medicine reportedly paid a $1.14 million ransom in cryptocurrencies to the hackers behind a ransomware attack on June 1. According to CBS San Francisco, the UCSF IT staff first detected the security incident, stating that the attack launched by NetWalker group affected “a limited number of servers in the School of Medicine.” Although the areas were isolated by experts from the internal network, the hackers left the servers inaccessible and managed to deploy the ransomware successfully. A statement published by the University of California said: “The data that was encrypted is …
Technology / June 30, 2020
Robotics Company Falls Prey to Ransomware Attack
Ransomware gang REvil, known for launching stolen data auctions on the dark web, is now leaking sensitive documents stolen from a US-based robotics company. According to an official blog post from REvil on June 11, the team has started leaking confidential data belonging to Symbotic LLC. The post noted: “You do not want to speak with us and you probably think that we will not publish your data. We are already publishing.” The cybercriminal group stated that they’d created a website and paid for the hosting for a year. They threatened to make the robotics company’s data visible for “a …
Technology / June 12, 2020
Devs at Blogging Platform Ghost Take Down Crypto-Mining Malware Attack
Developers at blogging platform Ghost have spent the past 24 hours fighting a crypto mining malware attack. Announced in a status update on May 3, the devs revealed that the attack occurred around 1:30 a.m. UTC. Within four hours, they had successfully implemented a fix and now continue to monitor the results. No sensitive user data compromised Yesterday’s incident was reportedly carried out when an attacker targeted Ghost’s “Salt” server backend infrastructure, using an authentication bypass (CVE-2020-11651) and directory traversal (CVE-2020-11652) to gain control of the master server. The Ghost devs have said that no user credit card information has …
Technology / May 4, 2020
Colorado Hospital Patient Information System Hit by Crypto Ransomware
Hackers have infected the infrastructure of Parkview Medical Center — the largest health center in Pueblo County, Colorado — with cryptocurrency ransomware. Citing a hospital employee, Fox News reported on April 24 that Meditech — the Parkview Medical Center’s system for storing patient information — was infected with ransomware and rendered inoperable. The hospital confirmed the incident in a statement: “On Tuesday, April 21, Parkview Medical Center was the target of a cyber-incident which has resulted in an outage in a number of our IT systems.” As Cointelegraph recently reported, ransomware attacks against hospitals are ongoing, despite the fall in …
Technology / April 29, 2020
Cryptojacking Almost 5 Times More Prevalent in India Than Global Average
Cryptojackers are hitting pay dirt in India, according to Microsoft's newly released Security Endpoint Threat Report 2019. The report states that web users in India encounter crypto mining malware attacks at a rate 4.6 times higher than the regional and global average. India experiences the second-largest number of cryptocurrency mining attacks in the Asia Pacific region, lagging only behind Sri Lanka. A cryptocurrency mining attack, commonly called cryptojacking, is an attack where hackers secretly install cryptocurrency mining malware on someone else's computer to use its computing power to mine cryptocurrencies. Attackers’ sentiments are pegged to crypto prices Cryptojacking practices saw …
Technology / July 29, 2020