As Golang-based malware are multi-platform malware with enhanced capabilities, They are rising in popularity among malware authors. Recently, a cybercriminal has been observed targeting cryptocurrency users with a full-fledged marketing campaign, custom cryptocurrency-related applications, and a new Golang-written ElectroRAT.

A new trojan in town

According to Intezer Labs, the operation has been spreading the ElectroRAT malware since as early as January 2020.
  • The hackers relied on three cryptocurrency-related applications named Jamm, eTrade/Kintum, and DaoPoker for their scheme. The apps were embedded with ElectroRAT malware.
  • Moreover, the fake applications Jamm, eTrade, and DaoPoker were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively. The apps came in versions for Windows, Mac, and Linux, and were built on top of the Electron framework.
  • The attackers lured cryptocurrency users to download trojanized applications by promoting them on cryptocurrency and blockchain-related forums, such as bitcointalk and SteemCoinPan, as well as on social media networks.

Recent Golang-based malware attacks

  • Recently, a Golang worm was observed attempting to spread across multi-platform networks, including Shopify, BigCommerce, Zencart, and Woocommerce, to drop and run XMRig miner on a large scale.
  • In November, the Blackrota backdoor was found attempting to exploit an unauthorized-access vulnerability in the Docker Remote API.

Wrapping up

The compilation of ElectroRAT malware via trojanized macOS, Windows, and Linux-based cryptocurrency applications makes it extremely intrusive. The use of various components with Golang written malware would attract more cybercriminals to develop Golang-based malware.

Cyware Publisher