ElectroRAT Remote Access Trojan
ElectroRAT is a highly intrusive remote access trojan targeting cryptocurrency traders and gamblers, Written in Go, it is able to compromise Windows, macOS, and Linux environments.
Summary
ElectroRAT is a highly intrusive remote access trojan targeting cryptocurrency traders and gamblers, Written in Go, it is able to compromise Windows, macOS, and Linux environments.
Affected platforms
The following platforms are known to be affected:
Threat details
Introduction
First observed in January 2020, ElectroRAT is a Go-based cross-platform remote access trojan specifically targeting cryptocurrency applications and their users.
Delivery
ElectroRAT is distributed in compromised versions of several Electron-based (hence it's name) cryptocurrency trading and betting applications. These applications are then hosted on attacker-controlled copies of legitimate cryptocurrency sites, links to which are then posted to a variety of cryptocurrency- and blockchain-related forums. Users then download and install the trojanised applications.
Activities
Once installed, ElectroRAT contacts a number of Pastebin pages to retrieve a list of command and control servers, before connecting to one of them and awaiting further commands.
By default, ElectroRAT is able to:
- log keystrokes
- record screen audio and video
- download, execute, and transfer files
- execute commands
Remediation advice
To prevent and detect an infection, NHS Digital advises that:
- Secure configurations are applied to all devices.
- Security updates are applied at the earliest opportunity.
- Tamper protection settings in security products are enabled where available.
- Obsolete platforms are segregated from the rest of the network.
- IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
- Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
- Administrative accounts are only used for necessary purposes.
- Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
- Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.
Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.
Indicators of compromise
Last edited: 7 January 2021 2:46 pm