Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry

The ElectroRAT Trojan attacker's success highlights the increasingly sophisticated nature of threats to cryptocurrency exchanges, wallets, brokerages, investing, and other services.

David Trepp, Partner in the IT Assurance Practice at BPM

July 9, 2021

4 Min Read
Cathy Keifer via Adobe Stock

Blockchain-backed cryptocurrencies are considered to be secure. Blockchains are designed to be decentralized using a global network of computers called nodes, and hacking into and changing the blockchain would require tremendous computing power. Not only would someone need to defeat the blockchain's encryption, but they would also need to change a majority of the nodes simultaneously.

But while the blockchain itself is secure, that does not mean digital currency holders are immune from cybercriminals and nefarious plots. Earlier this year, cybersecurity firm Intezer discovered an elaborate and sophisticated campaign designed to steal crypto users' private keys to their digital wallets. They dubbed this scheme "Operation ElectroRAT."

Like many cyberattacks, ElectroRAT used a Trojan program to trick individuals into downloading malware that compromised computer systems. Trojans are programs that appear and act like legitimate software but perform harmful actions without the user's knowledge. The surreptitious behavior allows the Trojan to operate over time, slowly gaining higher privileges as the attack proceeds.

The "RAT" in ElectroRAT stands for "remote access Trojan." Once an attacker enables remote access, they can log keystrokes, take screenshots, upload files from the victim's hard drive, execute commands on the computer, and more. Cybercriminals could theoretically compromise the private key to a user's digital wallet with this access.

Not Your Everyday Cyberattack
As most cybersecurity professionals will attest, this type of Trojan attack is not out of the ordinary. But there are a few things that make the ElectroRAT scheme more than just a run-of-the-mill cyberattack. Like the recent SolarWinds breach, the ElectroRAT Trojan was a long con, far more sophisticated and coordinated than a drive-by ransomware attack.

The criminals went through the trouble of building three unique applications to carry their malware, two of which claimed to be cryptocurrency trading platforms; the other posed as a poker app that allowed users to place bets using crypto tokens. The thieves also built three malware versions for the Windows, Linux, and macOS operating systems. This is striking because malware usually targets Windows-based computers. The RAT was written in a computer programming language called Go (also referred to as "Golang"). Intezer points out that the attacker(s) probably selected Golang for its ease of use in porting the programs to different platforms.

These features are interesting to cybersecurity professionals from an academic perspective. But what sets ElectroRAT apart from similar theft attempts was the criminals' use of social engineering combined with the Trojan. The attackers focused on members of the crypto community by promoting the apps on cryptocurrency forums. They even paid a social media influencer to tweet about their (fake) crypto trading platform and put in time to create realistic and professional-looking Web pages. All of this, plus the app's fully conceived nature, likely gave the malware a veneer of legitimacy that duped users into downloading it.

Operation ElectroRAT may have been active since January 2020, meaning it probably went undetected for nearly a year. Intezer estimates there are likely more than 6,000 victims of this malware. One key point: Since ElectroRAT was written from scratch, it would not be picked up by traditional signature-based antivirus software. While this malware targeted individuals, the attacker's success highlights the increasingly sophisticated nature of threats to businesses that provide cryptocurrency exchanges, wallets, brokerages, investing, and other services in today's cybersecurity climate.

How to Hack a Blockchain
As mentioned, blockchain security is robust, making a successful attack on it either impossible or extremely difficult. That is why cybercriminals target the endpoints that connect to the blockchain. These endpoints (such as brokerages, exchanges, and wallets) fall into three broad categories — technical, human, and physical — of attacks and can be used alone in combination.

ElectroRAT is a classic example of a technical attack combined with a sophisticated social engineering campaign.

Human attacks use social engineering to convince victims to give fraudsters personal information or access to systems. One social engineering scam is as simple and low-tech as calling a crypto exchange and imitating an employee to ask for technical information. Or attackers may pretend to be users and reset passwords or phone numbers, locking out legitimate owners and stealing everything. They can also employ phishing attacks, where a legitimate-looking email dupes a brokerage employee or user into downloading malware.

Physical attacks are rare, but they do happen. These are when someone breaks into a home or office to steal things like a cryptocurrency cold storage or offline wallet, authentication codes, or passwords or to upload malware directly to a server.

How to Stop Blockchain Attacks
The best defense against these nefarious schemes comes through knowledge. First, organizations need to educate employees on social engineering tactics, phishing schemes, and how to challenge people in restricted areas. Next, it is essential to conduct periodic tests to determine where lapses still occur and provide more training.

With more than $5 billion invested in cryptocurrency funds last year, cybercriminals are increasingly aiming their weapons at this fast-growing ecosystem. With so much at stake, businesses in the crypto space must understand and repair any gaps in their security apparatus.

About the Author

David Trepp

Partner in the IT Assurance Practice at BPM

David Trepp is a Partner in the IT Assurance Practice at BPM, one of the largest public accounting and advisory firms in the country. The firm's Information Security Assessments Group Leader, David has more than 30 years of technology and entrepreneurship experience and has led thousands of information security penetration test engagements for satisfied customers across all major industries throughout the United States and abroad.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights