Researchers have found a new remote access trojan (RAT) written from scratch in Golang that lures cryptocurrency users to download trojanized apps on Windows, Mac and Linux machines by promoting the apps in dedicated online forums and on social media.
In a recent blog, Intezer estimated that the new RAT campaign has already infected thousands of victims based on the number of unique visitors to the pastebin pages used to locate the command and control servers.
The researchers say they first discovered the operation targeting cryptocurrency users in December 2020, but that the operation started in January 2020. The campaign includes domain registrations, websites, trojanized applications, fake social media accounts and the new undetected RAT, dubbed ElectroRAT.
“It’s rather common to see various information stealers trying to collect private keys to access victims’ wallets,” said the researchers. “However, it’s rare to see tools written from scratch and used to target multiple operating systems for these purposes.”
John Hammond, senior security researcher at Huntress, said Golang manages concurrency extremely well, and can compile to practically all modern operating systems – making it more effective and a much more powerful weapon for the hackers.
“We often poke fun at ‘script kiddies’ who will grab an offensive toolkit or framework off-the-shelf on the dark web, as that malware may very well be caught by commercial AV or security products,” Hammond said. “These low-tier hackers are certainly common, but there’s a rising number of more sophisticated attackers who can write their own custom tooling and tradecraft. If an attacker knows what they are doing and understands what they are up against, they will write their RAT from scratch.”
Krishnan Subramanian, a researcher at Menlo Security, added that it’s quite unusual to find new RATs written from scratch. Subramanian said malware authors usually prefer to reuse code because it saves time and the attackers can focus their efforts on coming up with mechanisms to evade detection.
“Cross-platform RATs are always more effective than platform-specific ones, since the attackers don’t have to rely on operating system specific dependencies to deploy/interact with the RAT functionality,” Subramanian said. “In the corporate environment, it’s quite common to see other operating systems like Linux/MacOS being used other than Windows, which exposes a larger number of potential infection candidates.”