Campaign Targeting Cryptocurrency Users

NatSec
12 min read · Jan 6, 2021

Summary

Intezer discovered a campaign targeting cryptocurrency users that it estimates began in early 2020. A new RAT associated with the campaign has been named ElectroRAT by Intezer. It is written in Golang and can run on Linux, macOS, and Windows.

Threat Type

  • Malware

Overview

A campaign that targets cryptocurrency users was discovered by Intezer in late 2020; Intezer estimates it began around January 2020. Three Trojanized applications (DaoPoker, eTrade, and Jamm), built with the Electron framework, are used in the campaign to deliver a RAT that Intezer has named ElectroRAT. The applications were promoted through fake user accounts on social media and on cryptocurrency-focused online forums, and are hosted on websites created for the campaign. ElectroRAT fetches its C&C address from raw Pastebin pages, and Intezer estimates from the view counts of those pages that there may be several thousand victims. Although ElectroRAT can log keystrokes, take screenshots, upload and download files, and execute commands, its primary goal is access to the victim's crypto wallets. Further information is available from the link in the Reference section below.

Indicators of Compromise

  • A complete list of IoCs can be found at the end of the article.

Recommendations

  • Ensure anti-virus software and associated files are up to date.
  • Search for existing signs of the indicated IoCs in your environment.
  • Consider blocking and/or setting up detection for all URL- and IP-based IoCs.
  • Keep applications and operating systems running at the current released patch level.
  • Exercise caution with attachments and links in emails.
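As an added example (not code from the article or from Intezer), the Python below parses indicator patterns from a STIX 2.0 bundle laid out like this article's IoC export and matches constructed proxy and EDR log lines against its SHA-256, URL and IPv4 indicators, with a separate heuristic for raw Pastebin fetches that is not itself an IoC. The bundle contents, indicator ids and log lines are all constructed placeholders.

```python
"""Match constructed log lines against IoCs parsed from a STIX 2.0 bundle.

Added example for this article (not Intezer's code). It assumes the layout of
the article's IoC export: indicator objects whose "pattern" is one comparison,
e.g. [ file:hashes.'SHA-256' = '...' ], [ url:value = '...' ] or
[ ipv4-addr:value = '...' ]. All values, ids and log lines are constructed.
"""
import json
import re

# One single-comparison STIX 2.0 pattern: [ <object>:<path> = '<value>' ]
_PATTERN_RE = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']+)'\s*\]$")

# Constructed bundle in the same shape as the article's IoC export.
SAMPLE_BUNDLE = json.dumps({"spec_version": "2.0", "type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-0000-0000-000000000001",
     "labels": ["xfe-malware-risk-high"],
     "pattern": "[ file:hashes.'SHA-256' = '" + "a" * 64 + "' ]"},
    {"type": "indicator", "id": "indicator--00000000-0000-0000-0000-000000000002",
     "labels": ["benign", "xfe-threat-score-2"],
     "pattern": "[ url:value = 'pastebin.com/raw/EXAMPLE1' ]"},
    {"type": "indicator", "id": "indicator--00000000-0000-0000-0000-000000000003",
     "labels": ["benign", "xfe-threat-score-1"],
     "pattern": "[ ipv4-addr:value = '192.0.2.10' ]"},
]})

def parse_bundle(text):
    """Map each IoC value to its indicator id, keyed by type; anything that is
    not an indicator with one simple comparison is skipped, not guessed at."""
    iocs = {"sha256": {}, "url": {}, "ipv4": {}}
    for obj in json.loads(text).get("objects", []):
        m = _PATTERN_RE.match(obj.get("pattern", ""))
        if obj.get("type") != "indicator" or not m:
            continue
        sdo, path, value = m.groups()
        if sdo == "file" and path == "hashes.'SHA-256'":
            iocs["sha256"][value.lower()] = obj["id"]
        elif sdo == "url" and path == "value":
            iocs["url"][value.lower()] = obj["id"]
        elif sdo == "ipv4-addr" and path == "value":
            iocs["ipv4"][value] = obj["id"]
    return iocs

# Constructed proxy-log and EDR file-event lines: the first three each match
# one IoC, the fourth only trips the Pastebin heuristic, the last is clean.
SAMPLE_LOGS = [
    "proxy 10.0.0.5 GET pastebin.com /raw/EXAMPLE1 200",
    "proxy 10.0.0.7 CONNECT 192.0.2.10:443 200",
    "edr host3 /Users/alice/Downloads/eTrade.app sha256=" + "A" * 64,
    "proxy 10.0.0.9 GET pastebin.com /raw/SOMEOTHER 200",
    "proxy 10.0.0.9 GET example.org /index.html 200",
]

_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_GET = re.compile(r"\bGET\s+(\S+)\s+(/\S*)")

def scan_line(line, iocs):
    """Return [(reason, indicator_id_or_None), ...] for one log line."""
    findings = []
    for h in _HEX64.findall(line):
        if h.lower() in iocs["sha256"]:
            findings.append(("sha256", iocs["sha256"][h.lower()]))
    for ip in _IPV4.findall(line):
        if ip in iocs["ipv4"]:
            findings.append(("ipv4", iocs["ipv4"][ip]))
    m = _GET.search(line)
    if m:
        url = (m.group(1) + m.group(2)).lower()
        if url in iocs["url"]:
            findings.append(("url", iocs["url"][url]))
        elif url.startswith("pastebin.com/raw/"):
            # Heuristic, not an IoC: ElectroRAT resolves its C&C through raw
            # Pastebin pages, so any raw-paste fetch from a host deserves review.
            findings.append(("pastebin-raw", None))
    return findings

def scan_logs(lines, iocs):
    """Return {line: findings} for every line with at least one finding."""
    return {ln: f for ln in lines if (f := scan_line(ln, iocs))}
```

Feeding the article's real bundle into `parse_bundle` and your own proxy or EDR exports into `scan_logs` gives the IoC sweep the recommendations above call for; the heuristic branch will also surface raw-Pastebin fetches that are not yet on any list.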

Reference

https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
