As Golang-based malware are multi-platform malware with enhanced capabilities, They are rising in popularity among malware authors. Recently, a cybercriminal has been observed targeting cryptocurrency users with a full-fledged marketing campaign, custom cryptocurrency-related applications, and a new Golang-written ElectroRAT.
A new trojan in town
According to Intezer Labs, the operation has been spreading the ElectroRAT malware since as early as January 2020.
The hackers relied on three cryptocurrency-related applications named Jamm, eTrade/Kintum, and DaoPoker for their scheme. The apps were embedded with ElectroRAT malware.
Moreover, the fake applications Jamm, eTrade, and DaoPoker were hosted on dedicated websites at jamm[.]to, kintum[.]io, and daopker[.]com, respectively. The apps came in versions for Windows, Mac, and Linux, and were built on top of the Electron framework.
The attackers lured cryptocurrency users to download trojanized applications by promoting them on cryptocurrency and blockchain-related forums, such as bitcointalk and SteemCoinPan, as well as on social media networks.
Recent Golang-based malware attacks
Recently, a Golang worm was observed attempting to spread across multi-platform networks, including Shopify, BigCommerce, Zencart, and Woocommerce, to drop and run XMRig miner on a large scale.
In November, the Blackrota backdoor was found attempting to exploit an unauthorized-access vulnerability in the Docker Remote API.
The compilation of ElectroRAT malware via trojanized macOS, Windows, and Linux-based cryptocurrency applications makes it extremely intrusive. The use of various components with Golang written malware would attract more cybercriminals to develop Golang-based malware.