ElectroRAT exploits Bitcoin boom to steal cryptocurrency
“It is even more rare to see such a wide-ranging and targeted campaign that includes various components such as fake apps/websites and marketing/promotional efforts via relevant forums and social media.”
Once the applications are running, a graphical user interface (GUI) opens and ElectroRAT begins working in the background as “mdworker”. The malware is difficult for antivirus software to detect because of the way the binaries are written.
The malware is extremely intrusive, however, and has various capabilities including keylogging, taking screenshots, uploading files from disk, downloading files and executing commands. These functions are roughly the same across all three variants: Windows, Linux and macOS.
Machtinger added that the campaign reflects the growing prominence of the cryptocurrency market - led by the recent Bitcoin charge. The conventionally volatile cryptocurrency has been surging in recent months, with its value exploding lately to cross the $35,000 (roughly £25,000) threshold at the time of writing. As such, it’s attracted cyber criminals hoping to exploit this for financial gain.
The ElectroRAT campaign has already affected more than 6,500 users, based on the number of visitors to the pastebin pages used to locate the command and control servers.
Intezer Labs has recommended that victims take measures to protect themselves immediately. The mitigation steps include killing the process, deleting all files relating to the malware, moving funds to a new wallet and changing all passwords.
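To find the process before killing it, a defender can triage a process listing for anything named “mdworker” that is not the operating system's own binary. The sketch below is an added example, not code from Intezer Labs or the article; it assumes that the genuine macOS Spotlight worker lives under `/System/Library/`, that Linux and Windows ship no legitimate process of that name, and that the Windows variant would appear as `mdworker.exe`. All sample paths and PIDs are constructed.

```python
import ntpath
import posixpath

# Assumption: the genuine macOS Spotlight worker is installed under this prefix.
MACOS_TRUSTED_PREFIX = "/System/Library/"
# Assumption: the Windows variant would show up with an .exe suffix.
TARGET_NAMES = {"mdworker", "mdworker.exe"}

# Constructed process listings of (pid, executable path); not taken from the report.
SAMPLE_MACOS = [
    (101, "/System/Library/Frameworks/CoreServices.framework/Frameworks/"
          "Metadata.framework/Versions/A/Support/mdworker"),
    (202, "/Users/alice/Library/Application Support/example/mdworker"),
    (203, "/System/Library/../../private/tmp/mdworker"),  # traversal out of the prefix
    (204, "/usr/sbin/cfprefsd"),
]
SAMPLE_LINUX = [(310, "/home/bob/.cache/example/mdworker"), (311, "/usr/bin/python3")]
SAMPLE_WINDOWS = [
    (420, r"C:\Users\carol\AppData\Roaming\example\mdworker.exe"),
    (421, r"C:\Windows\System32\svchost.exe"),
]


def basename_any(path):
    """Return the file name for either a POSIX or a Windows style path."""
    return ntpath.basename(path) if "\\" in path else posixpath.basename(path)


def suspicious_mdworker(processes, platform):
    """Return PIDs of processes named mdworker that are not the macOS system binary.

    processes: iterable of (pid, executable_path) tuples
    platform:  "macos", "linux" or "windows"
    """
    hits = []
    for pid, exe in processes:
        if basename_any(exe).lower() not in TARGET_NAMES:
            continue
        # Collapse ".." segments so a path cannot merely start with the trusted prefix.
        normalized = posixpath.normpath(exe)
        trusted = platform == "macos" and normalized.startswith(MACOS_TRUSTED_PREFIX)
        if not trusted:
            hits.append(pid)
    return hits


if __name__ == "__main__":
    for name, procs, plat in [("macOS", SAMPLE_MACOS, "macos"),
                              ("Linux", SAMPLE_LINUX, "linux"),
                              ("Windows", SAMPLE_WINDOWS, "windows")]:
        print(name, "suspicious PIDs:", suspicious_mdworker(procs, plat))
```

A hit is a lead for further triage (file hash, signature, parent process), not confirmation of infection, since the check relies on the process name and path alone.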