Security researchers at Intezer have published a report describing a cyber attack that went unnoticed for more than a year. Dated 5 January, the report indicates that it was a large-scale operation built around a major campaign to promote malicious services.
The attackers advertised their applications through many websites, and sought to establish the credibility of these services with fake social media profiles (on Twitter, but also Telegram) and fake companies. Reviews were also posted on many cryptocurrency forums. This entire network served to publicize the three applications developed for the purpose: Jamm, eTrade and DaoPoker. They were available for Windows as well as Linux and macOS.
A piece of malware written from scratch
On the surface, the applications looked innocent, but each of them concealed a remote access Trojan. What sets this Trojan apart is that the cybercriminals wrote it from scratch; such groups usually rely on existing malicious tools, which was not the case in this operation. With it, the criminals could download and install other files, but also record keystrokes, take screenshots and execute commands. All of this was done remotely and without being detected by the basic antivirus software on the targeted devices.
Simply put, it is this tool, named ElectroRAT, that allowed the criminals to steal the victims' cryptocurrency. Thousands of users are believed to have been affected by the operation, which had been running for more than a year.
Intezer advises users whose computers were infected after installing one of the affected applications to disinfect the system before changing their passwords and transferring their funds to a new wallet.