Three cryptocurrency applications have hidden an unpleasant surprise for those who downloaded them.
Cybersecurity researchers have discovered malware that has been circulating for a year, targeting cryptocurrency users through a series of fake applications.
The security company Intezer Labs warned that the rise in cryptocurrency prices has driven increased activity among hackers and malicious actors seeking financial gain. The malware has been spreading over the last year, but was only discovered in December 2020.
The new remote access trojan (RAT), dubbed ElectroRAT, has been used to empty the cryptocurrency wallets of thousands of Windows, macOS and Linux users, the report added.
Three cryptocurrency-related applications used in the attack, Jamm, eTrade/Kintum and DaoPoker, were each distributed through their own websites. The first two are fake crypto trading applications, while the third is a gambling application.
The ElectroRAT malware hidden within these applications is extremely intrusive, according to the researchers:
"It has several capabilities such as keylogging, taking screenshots, uploading files from disk, downloading files, and executing commands on the victim's console."
After being launched on the victim's computer, the applications display a foreground user interface designed to divert attention from the malicious processes running in the background. The applications were promoted on the social media platforms Twitter and Telegram, as well as on cryptocurrency forums such as Bitcoin Fast Profit.
Intezer Labs estimated that the malware has already infected "thousands of victims" whose wallets were emptied of cryptocurrency. It added that there was evidence that some of the victims compromised by the applications were using popular cryptocurrency wallets such as MetaMask.
The malware is written in Golang, a multi-platform programming language, which makes it more difficult to detect. The security company stated that it was unusual to see a RAT designed to steal personal information from cryptocurrency users that was written from scratch, adding:
"It is even rarer to see a campaign so broad and targeted that it includes several components such as fake applications and websites, and marketing/promotion efforts through relevant forums and social networks."
There were several cases in 2020 where bogus versions of legitimate applications and browser extensions such as MetaMask or Ledger made their way onto victims' computers. This may be related to the massive Ledger data breach in mid-December.
In September 2020, Coinbase users were among the victims of new Android-based malware spread through the Google Play Store.