Attending InfoSec?

Rock Down to ElectroRAT Avenue


Identified as targeting cryptocurrency users through nefarious cross-platform applications, a remote access trojan (RAT) dubbed ‘ElectroRAT’ has recently been in the headlines following an investigation into the threat by researchers at Intezer.

Believed active since at least January 2020, although only discovered in December 2020, those behind this RAT campaign have been observed as creating fake cryptocurrency gambling and trading applications that have been pushed through various forum and social media posts in an attempt to lure victims into installing the malicious payload.

Given the obvious cryptocurrency links, the financially-motivated final objective appears to be the theft of cryptocurrency wallets although functionality present within the RAT could facilitate the deployment of additional threats.


Ultimately delivered as a fake application, those behind this campaign have attempted to make their lures convincing through the creation of legitimate-looking websites (Figure 1) and domains.

Rock Down to ElectroRAT Avenue_1 Figure 1 – ‘Jamm’ fake application lure website
Rock Down to ElectroRAT Avenue_2 Figure 2 – ‘Jamm’ cross-platform download options

In order to drive victims to these websites, the threat actors behind this campaign created a variety of personas on cryptocurrency forums and social media groups in order to post messages (Figure 3 & 4) encouraging others to visit their lure websites and download the malicious applications.

Rock Down to ElectroRAT Avenue_3

Figure 3 – Simple ‘One-line’ cryptocurrency forum post

Rock Down to ElectroRAT Avenue_4

Figure 4 – Larger cryptocurrency forum post


In addition to domains identified by Intezer, two additional suspicious domains consistent with the cryptocurrency theme can be identified through passive DNS (pDNS) records associated with the IP addresses 213[.]226[.]100[.]140 and 213[.]226[.]100[.]143. Based on these IP addresses resolving to the lure domains identified by Intezer, two additional suspicious domains consistent with the cryptocurrency theme were identified through passive DNS (pDNS) records as resolving to 213[.]226[.]100[.]140 and 213[.]226[.]100[.]143:

  • cryptopro[.]trade
  • tradecryptoblog[.]info

Notably these IP addresses have also been observed as command and control (C2) servers.

Of the two additional domains, cryptopro[.]trade appears to have been active during July 2020 and, based on cached search results, was associated with the malicious application ‘Jamm’ (Figure 5).

Rock Down to ElectroRAT Avenue_5

Figure 5 – cryptopro[.]trade association with ‘Jamm’



Likely in an attempt to increase the potential victim pool, these fake applications have been created in ‘Electron’, a cross-platform framework that supports web technologies such as HTML and JavaScript, and as such are able to target users of Apple macOS, Microsoft Windows and Linux.

Having lured the victim into downloading and installing (Figure 6) the initial cryptocurrency-related application, ElectroRAT is executed in the background whilst a decoy user interface is displayed. Notably, and to support cross-platform targets, the RAT was created anew using the opensource programming language ‘Go’ (sometimes referred to as ‘Golang’ based on the official domain) and includes common functionality including the ability to log keystrokes, capture screenshots, execute commands and download or upload files.

Rock Down to ElectroRAT Avenue_6

Figure 6 – Fake eTrader application installation process


In the case of the fake ‘eTrader’ application, the victim is then prompted to create an account and enter a passcode (Figure 7), steps that appear somewhat benign and combine to make the application appear legitimate.

Rock Down to ElectroRAT Avenue_7

Figure 7 – Fake eTrader application account creation process


Whilst the victim is distracted, the ElectroRAT payload is dropped and executed by launching the appropriate operating system shell in a detached process with the window hidden as can be seen by unpacking the fake application to reveal the Electron JavaScript file electron.js (Figure 8).

Rock Down to ElectroRAT Avenue_8

Figure 8 – Fake application spawning ElectroRAT

Notably, further analysis of the Electron assets identify mentions (Figure 9) of a seemingly legitimate cryptocurrency trading application ‘Kattana’ and may suggest that this fake application is derived from the Kattana Electron package, available for macOS and Windows, especially given similarities in the user interface (Figure 10).

Rock Down to ElectroRAT Avenue_9

Figure 9 – Example ‘Kattana’ code mention discovered within the fake application
Rock Down to ElectroRAT Avenue-10
Figure 10 – Kattana website including application screenshot


Maintaining support for these cross-platform targets, the remote access trojan (RAT) has been created using the opensource programming language ‘Go’ (sometimes referred to as ‘Golang’ based on the official domain) and, as is to be expected, contains common functionality including the ability to log keystrokes, capture screenshots, execute commands and download or upload files.

Continuing with the decoy element, the fake application seemingly uses real-world data to display convincing content (Figure 11) and seemingly mimics the Kattana application including some interaction to dispel any suspicion.

Rock Down to ElectroRAT Avenue_11

Figure 11 – Fake eTrader application ‘live’ decoy content

Somewhat appearing to be an attempt to gather credentials, or more specifically API keys and secrets, the ‘Performance Analysis’ tab of this fake application allows them to ‘connect’ their cryptocurrency exchange accounts (Figure 12).

Rock Down to ElectroRAT Avenue_12

Figure 12 – Fake eTrader application API key/secret page

Upon inspection of the code related to this prompt suggests that rather than exfiltrating the API credentials this functionality was cloned from Kattana and does not appear to function when tested. Regardless of this, the RAT element of this attack remains present in the background and does feature a keylogging capability which would presumably allow this data to be collected via other means.

Command & Control

Command and control (C2) activity commences with a HTTP POST beacon sent by the fake application, containing victim identifiers, being sent to a /user resource on host via TCP port 3000 and appears to utilize the same servers that host the fake application lure website.

Based on these observed communications, this initial beacon utilizes a default user-agent string of go-resty/1.12.0 (<>) and posts JSON content with the following fields:

  • Identifier GUID
  • Machine name
  • Operating System Version
  • Username
  • Operating System

Once received, the C2 server responds with an apparently empty JSON response (Figure 13).

Rock Down to ElectroRAT Avenue_13

Figure 13 – Initial beacon and C2 response


Whilst not confirmed, the beacon sent by the fake application may serve as a campaign tracker rather than being used to directly control the ElectroRAT payload.

Subsequently, ElectroRAT has been observed as obtaining its C2 IP addresses by requesting ‘raw’ text content from the legitimate text sharing website ‘Pastebin’ and posted by an account named ‘Execmac’. Reassuringly, at the time of writing, this account has been suspended and therefore the threat actor behind this campaign will need to update the configuration of the ElectroRAT payload and repackage this within fake applications in order to continue to infect new victims.


  • [ ] Users should be reminded to only install software from known trusted sources and conduct due diligence before acting on any ‘forum’ or ‘social media’ recommendation.
  • [ ] In order to protect accounts, and cryptocurrency wallets, credentials and secrets should only be submitted to verified legitimate sites and, wherever possible, multi-factor authentication should be implemented.
  • [ ] Users dealing with cryptocurrency should consider monitoring their systems for instances of the indicators of compromise provided, such as communications with known-bad hosts or using the identified user-agent string.

Indicators of Compromise

In addition to the indicators of compromise (IOC) published by Intezer, the following IOC have been observed.

Files (SHA256)


  • e5f9fc82501da0c24d85851150c91618416506e4c8c7876728d2af8d9848c5e5
  • b3bc325abf597e745db0d6aae178b85622527d9e3e619daab62b1b4918b639bc
  • 303acba187a409fdcc55731966ca38a7175e074ec2f272c9895b133f86b44537
  • 1438833028dab0f8ea713b2f53e9c81de1a39ff6c811e1fa20f478b802ff094d
  • a32ef780ba235f8222c05302f7537b4123c41b048449c6ec8744d64103d428a3
  • 4953c8b3ed37c786c6a085e7642984e3250c0d93f8f22f829a1a194b6ae4a64d
  • ba65505ffa1a92169c81e5a5994eeb23a2592425abebf78d1ec5179869412a54


  • 17b0b1a9271683f30e5bfd92eec9c0a917755f54060ef40d9bd0f12e927f540f

ElectroRAT Payload Execution

eTrader for Windows

  • C:\Windows\system32\cmd.exe /d /s /c ""%LOCALAPPDATA%\Programs\e-trader\Utils\mdworker.exe""

eTrader for macOS

  • /bin/sh -c /Volumes/eTrader 0.1.0/

Command & Control

IP Addresses

  • 213[.]226[.]100[.]140
  • 213[.]226[.]100[.]143


  • cryptopro[.]trade
  • tradecryptoblog[.]info

User-Agent String

  • go-resty/1.12.0 (<>)

Uncover your compromised credentials from the deep and dark web

Fill in your business email to start