Operation ElectroRAT Attacked Blockchain Businesses

Blockchain-based currencies may be cryptographically secure by design, but that does not mean users are immune from cyber criminals’ schemes. Just this month, cybersecurity software firm Intezer uncovered an elaborate campaign by an attacker (or attackers) to steal cryptocurrency users’ private keys to their digital wallets in an attack they dubbed “Operation ElectroRAT.”

Like many cyber attackers, the creators of ElectroRAT used a Trojan program to trick individuals into downloading malware that enabled remote access to their devices. A Trojan is a piece of software that performs the actions the user expects while also performing harmful actions without the user’s knowledge. This stealthy behavior allows a Trojan to operate for extended periods of time, persisting and escalating privileges and access as the attack proceeds. The “RAT” in ElectroRAT stands for Remote Access Trojan. Once remote access was enabled, the attacker was able to log keystrokes, take screenshots, upload files from disk, download files and execute commands on the victim’s console. That kind of access could, theoretically, compromise a user’s private key.

Cybersecurity professionals will rightly observe that all of this is par for the course when it comes to Trojans. But make no mistake: Operation ElectroRAT was no run-of-the-mill malware attack. It was far more sophisticated. First, the ElectroRAT attacker went to the trouble of building three unique applications to carry their malware: two claimed to be cryptocurrency trading platforms, and the third posed as a poker app that allowed users to bet with cryptocurrencies. Unusually, each trojanized app had a Windows, Linux and Mac version. The RAT itself was written in the programming language Go (also referred to as Golang). Intezer points out that the attacker(s) probably selected Go for the ease with which Go programs can be ported to different platforms.

All these features of ElectroRAT are interesting from an academic point of view. But it is the social engineering aspect of Operation ElectroRAT that makes it so noteworthy — and worrying. The ElectroRAT attacker narrowly targeted members of the cryptocurrency community by promoting the apps on cryptocurrency forums. They even paid a social media influencer to tweet about their (fake) crypto trading platform. These tactics, together with the relatively polished nature of the harmful apps themselves, likely lent the apps a veneer of legitimacy that in turn tricked users into downloading them.

Operation ElectroRAT may have been active since January 2020, meaning it probably went undetected for nearly a year. Intezer estimates there are likely more than 6,000 victims of Operation ElectroRAT. This is the key point: antivirus software would not have helped in this situation. While ElectroRAT itself seems to have mainly targeted individuals, the attacker’s success highlights the increasingly sophisticated threats that businesses providing cryptocurrency exchanges, wallets, brokerages, investing and other services face in today’s cybersecurity climate.

With more than $5 billion invested in cryptocurrency funds last year, cyber criminals are increasingly training their weapons on this fast-growing ecosystem. With so much at stake, it is essential that businesses in the crypto space understand and repair any gaps in their security apparatus.

That is why businesses turn to BPM. Our Information Security Assessment Services team provides comprehensive penetration testing services that work to identify vulnerabilities in your IT infrastructure, allowing you to make well-educated decisions on where to best allocate your resources. To learn more about how BPM can help your blockchain-based business confront the latest cybersecurity threats, contact David Trepp, partner and Information Security Assessment Services group leader, today.
